I am trying to configure a demo, cross-platform Puppet setup, that is:
Puppet master on CentOS 8 running puppetserver version 6.11.1
Puppet node on Ubuntu 18.04 running Puppet v5.4.0
However, when I try a test puppet run with puppet agent --test, I get an error like the one below.
It looks like it is expecting an issuer certificate of the Puppet CA, that is, the certificate of the root CA which signed the Puppet CA's certificate. This error is not present with centosMaster-centosUbuntu.
Can anyone help out here? Can I copy this cert from the Puppet server's file on CentOS to the Ubuntu node that is expecting it? If so, what would be the location on the CentOS host?
root#node04-ubuntu:/# puppet agent --test --ca_server=puppetmaster.localdomain.com --no-daemonize --waitforcert=20 --verbose
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Info: Retrieving pluginfacts
Error: /File[/var/cache/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Error: /File[/var/cache/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Info: Retrieving plugin
Error: /File[/var/cache/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Error: /File[/var/cache/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed (unable to get issuer certificate): [unable to get issuer certificate for /CN=Puppet CA: puppetmaster.localdomain.com
Fixed
The issue was the version mismatch. Got the client to the same latest version as the master and it is working now. Cheers
Related
pymongo.errors.ServerSelectionTimeoutError: mflix-shard-00-00.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129),mflix-shard-00-02.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129),mflix-shard-00-01.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129), Timeout: 30s, Topology Description: <TopologyDescription id: 60b1c9b0c4a5874ea362693e, topology_type: ReplicaSetNoPrimary, servers: [<ServerDescription ('mflix-shard-00-00.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-00.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>, <ServerDescription ('mflix-shard-00-01.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-01.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>, <ServerDescription ('mflix-shard-00-02.fmraf.mongodb.net', 27017) server_type: Unknown, rtt: None, error=AutoReconnect('mflix-shard-00-02.fmraf.mongodb.net:27017: [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: unable to get local issuer certificate (_ssl.c:1129)')>]>
This is the error it is producing.
I am using FastAPI, Motor, and uvicorn to run the server. The database I use is a free cluster provided in MongoDB Atlas. It was working fine the last time I updated the server, that is 2 days ago, but from yesterday onwards the error is produced. I've tried to update the above-mentioned packages as of now.
I am new to MongoDB.
I have found a fix that works but I don't know if it's the best way.
client = motor.motor_asyncio.AsyncIOMotorClient(MONGO_DETAILS)
The above line is how I connected to my cluster. I changed the line to:
client = motor.motor_asyncio.AsyncIOMotorClient(MONGO_DETAILS, tls=True, tlsAllowInvalidCertificates=True)
It works as it did earlier; there is no issue.
Anyway I would like to know why this error occurs!
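The workaround above (tlsAllowInvalidCertificates=True) switches certificate verification off entirely, whereas "unable to get local issuer certificate" only means the client's trust store lacks the CA that issued the Atlas server certificate. The following is an added example, not code from the original post: it shows what that driver option amounts to at Python's ssl layer next to the verifying alternative (tlsCAFile pointed at a CA bundle, certifi's if it is installed, which is an assumption here); MONGO_DETAILS is the poster's connection string and is not defined here.

```python
import ssl
from typing import Optional

def default_ca_bundle() -> Optional[str]:
    """CA bundle to verify against: certifi's if installed (it carries current
    public roots even when the OS store is stale), else the system default."""
    try:
        import certifi  # optional dependency, assumed available in the venv
        return certifi.where()
    except ImportError:
        return ssl.get_default_verify_paths().cafile

def insecure_context() -> ssl.SSLContext:
    """What tlsAllowInvalidCertificates=True amounts to: verify_mode=CERT_NONE,
    so no chain is ever built and 'unable to get local issuer' can never fire,
    and (Python requires this with CERT_NONE) no hostname check either."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """What tlsCAFile=<bundle> amounts to: chain built against the bundle and
    the hostname matched against the certificate (both are the defaults here)."""
    return ssl.create_default_context(cafile=cafile or default_ca_bundle())

def verifies_chain(ctx: ssl.SSLContext) -> bool:
    """True only if the context would reject an unknown issuer or a wrong host."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)

def motor_client_kwargs(allow_invalid: bool = False, cafile: Optional[str] = None) -> dict:
    """Keyword arguments for AsyncIOMotorClient (passed through to MongoClient).
    allow_invalid=True reproduces the post's workaround; the default is the fix."""
    if allow_invalid:
        return {"tls": True, "tlsAllowInvalidCertificates": True}
    return {"tls": True, "tlsCAFile": cafile or default_ca_bundle()}

# Usage with the post's connection string:
# client = motor.motor_asyncio.AsyncIOMotorClient(MONGO_DETAILS, **motor_client_kwargs())
```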
I have used kubeadm alpha phase certs to recreate the certificates used in my Kubernetes cluster. I also used the alpha phase for kubeconfig. Now when trying to join a new worker, it is giving me errors that my token is invalid, even though the token has been regenerated 3 times using kubeadm token create --print-join-command.
The error that I keep getting is:
[discovery] Created cluster-info discovery client, requesting info from "https://x.x.x.x:6443"
[discovery] Failed to connect to API Server "x.x.x.x:6443": token id "bvw4cz" is invalid for this cluster or it has expired. Use "kubeadm token create" on the master node to creating a new valid token
Anyone run into the same problems or have a suggestion?
Thanks!
EDIT--
This is the tail end of /var/log/syslog --
Nov 5 09:40:01 master01 kubelet[755]: E1105 09:40:01.892304 755 kubelet.go:2236] node "master01" not found
Nov 5 09:40:01 master01 kubelet[755]: E1105 09:40:01.928937 755 reflector.go:134] k8s.io/kubernetes/pkg/kubelet/config/apiserver.go:47: Failed to list *v1.Pod: Get https://x.x.x.x:6443/api/v1/pods?fieldSelector=spec.nodeName%3Dkubernetserver&limit=500&resourceVersion=0: x509: certificate signed by unknown authority (possibly because of "crypto/rsa: verification error" while trying to verify candidate authority certificate "kubernetes")
Nov 5 09:40:01 master01 kubelet[755]: E1105 09:40:01.992427 755 kubelet.go:2236] node "master01" not found
EDIT 2 - 1. Now the real question is: if regenerating certs does not enable trust to itself as a CA, how do you fix this problem? 2. Is this a problem that is well known?
composer network install -c adminCard -a hyperledger-fabric-network.bna
The network install command fails with the following error:
Installing business network. This may take a minute...E1115 11:51:11.667324200 30359 ssl_transport_security.cc:599] Could not load any root certificate.
E1115 11:51:11.667359374 30359 ssl_transport_security.cc:1400] Cannot load server root certificates.
E1115 11:51:11.667373715 30359 security_connector.cc:1025] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1115 11:51:11.667384067 30359 secure_channel_create.cc:111] Failed to create secure subchannel for secure name 'ldn-zbc03a.4.secure.blockchain.ibm.com:20355'
E1115 11:51:11.667390697 30359 secure_channel_create.cc:142] Failed to create subchannel arguments during subchannel creation.
E1115 11:51:11.668097853 30359 ssl_transport_security.cc:599] Could not load any root certificate.
E1115 11:51:11.668109600 30359 ssl_transport_security.cc:1400] Cannot load server root certificates.
E1115 11:51:11.668118612 30359 security_connector.cc:1025] Handshaker factory creation failed with TSI_INVALID_ARGUMENT.
E1115 11:51:11.668123679 30359 secure_channel_create.cc:111] Failed to create secure subchannel for secure name 'ldn-zbc03a.4.secure.blockchain.ibm.com:20355'
E1115 11:51:11.668129626 30359 secure_channel_create.cc:142] Failed to create subchannel arguments during subchannel creation.
✖ Installing business network. This may take a minute...
Error: Error trying install business network. Error: No valid responses from any peers.
Response from attempted peer comms was an error: Error: Failed to connect before the deadline
Please check the adminCard. It seems the certificate isn't correct.
I have recently installed FreeIPA on RHEL7. This seems to run well for a few hours, and then calls to ipa start to fail with the following error.
ipa: ERROR: No valid Negotiate header in server response
==================================================
[root ~]# ipa -v user-find --all
ipa: INFO: trying https://xxx.xxx.xxx.xxx/ipa/json
ipa: INFO: [try 1]: Forwarding 'user_find/1' to json server 'https://xxx.xxx.xxx.xxx/ipa/json'
ipa: ERROR: No valid Negotiate header in server response
==================================================
[I have masked the hostnames with 'xxx']
In /var/log/httpd/error_log I see the following error.
[Thu Dec 14 15:50:23.413286 2017] [auth_gssapi:error] [pid 10694] [client xxx.xxx.xxx.xxx:50198] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: [Unspecified GSS failure. Minor code may provide more information ( Request ticket server HTTP/xxx.xxxx.xxxx.xxx#EC2.INTERNAL kvno 2 not found in keytab; keytab is likely out of date)], referer: https://xxx.xxx.xxx.xxx/ipa/xml
What is the possible cause? It looks like some misconfiguration.
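The error_log line already names the cause: the KDC issued the client a service ticket for HTTP/host@REALM key version (kvno) 2, but the web server's keytab has no key with that kvno. The check below is an added example, not part of the original question: it extracts the principal and kvno from such a line and compares them against a klist -kt listing. Both the log line and the listing are constructed samples with a made-up hostname; the real ones come from the server's error_log and its HTTP keytab.

```python
import re

# Constructed samples (hostname and client IP are made up, not from the post).
ERROR_LOG_LINE = (
    "[Thu Dec 14 15:50:23.413286 2017] [auth_gssapi:error] [pid 10694] "
    "[client 10.0.0.5:50198] GSS ERROR In Negotiate Auth: gss_accept_sec_context() failed: "
    "[Unspecified GSS failure. Minor code may provide more information ( Request ticket server "
    "HTTP/ipa.example.test@EC2.INTERNAL kvno 2 not found in keytab; keytab is likely out of date)]"
)
# Constructed output of: klist -kt /etc/httpd/conf/ipa.keytab
KLIST_OUTPUT = """\
Keytab name: FILE:/etc/httpd/conf/ipa.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   1 12/14/2017 10:02:11 HTTP/ipa.example.test@EC2.INTERNAL
   1 12/14/2017 10:02:11 HTTP/ipa.example.test@EC2.INTERNAL
"""

TICKET_RE = re.compile(r"Request ticket server (?P<principal>\S+) kvno (?P<kvno>\d+) not found in keytab")
# klist -kt rows: "<kvno> <date> <time> <principal>"; the header and dashes do not match.
KLIST_RE = re.compile(r"^\s*(?P<kvno>\d+)\s+\S+ \S+\s+(?P<principal>\S+)\s*$", re.M)

def requested_ticket(line: str):
    """Principal and key version the client's service ticket was issued for, or None."""
    m = TICKET_RE.search(line)
    return (m.group("principal"), int(m.group("kvno"))) if m else None

def keytab_kvnos(klist_text: str) -> dict:
    """principal -> set of key versions present in the keytab (from klist -kt output)."""
    out = {}
    for m in KLIST_RE.finditer(klist_text):
        out.setdefault(m.group("principal"), set()).add(int(m.group("kvno")))
    return out

def diagnose(line: str, klist_text: str) -> str:
    """Stale keytab (the KDC rotated the key, the keytab still holds the old kvno)
    versus a principal missing from the keytab versus a kvno that is actually present."""
    req = requested_ticket(line)
    if req is None:
        return "no kvno mismatch in this line"
    principal, kvno = req
    have = keytab_kvnos(klist_text).get(principal, set())
    if not have:
        return f"{principal} absent from keytab"
    if kvno in have:
        return f"{principal} kvno {kvno} present; check keytab path and file permissions instead"
    return f"{principal}: ticket kvno {kvno} but keytab has kvno {sorted(have)}; keytab is out of date"
```

A stale keytab is refreshed from the KDC (on FreeIPA with ipa-getkeytab), after which klist -kt shows the kvno the tickets are being issued for.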
I want to use the server certificate when connecting with an IO::Socket::SSL client.
What I did was to extract the certificate first,
openssl s_client -showcerts -connect 127.0.0.1:443 </dev/null 2>/dev/null|openssl x509 -outform PEM >/tmp/localhost.crt
and then connect using ssl_client.pl from the examples folder,
ssl_client.pl -d10 --ca /tmp/localhost.crt localhost:443
DEBUG: .../IO/Socket/SSL.pm:2757: new ctx 17132992
DEBUG: .../IO/Socket/SSL.pm:643: socket not yet connected
DEBUG: .../IO/Socket/SSL.pm:645: socket connected
DEBUG: .../IO/Socket/SSL.pm:667: ssl handshake not started
DEBUG: .../IO/Socket/SSL.pm:700: using SNI with hostname localhost
DEBUG: .../IO/Socket/SSL.pm:735: request OCSP stapling
DEBUG: .../IO/Socket/SSL.pm:769: call Net::SSLeay::connect
DEBUG: .../IO/Socket/SSL.pm:2658: did not get stapled OCSP response
DEBUG: .../IO/Socket/SSL.pm:2611: ok=0 [0] /C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2/C=--/ST=SomeState/L=SomeCity/O=SomeOrganization/OU=SomeOrganizationalUnit/CN=bigger2/emailAddress=root#bigger2
DEBUG: .../IO/Socket/SSL.pm:772: done Net::SSLeay::connect -> -1
DEBUG: .../IO/Socket/SSL.pm:775: SSL connect attempt failed
DEBUG: .../IO/Socket/SSL.pm:775: local error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: .../IO/Socket/SSL.pm:778: fatal SSL error: SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
DEBUG: ...inux/IO/Socket.pm:49: ignoring less severe local error 'IO::Socket::INET configuration failed', keep 'SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed'
DEBUG: .../IO/Socket/SSL.pm:2779: free ctx 17132992 open=17132992
DEBUG: .../IO/Socket/SSL.pm:2784: free ctx 17132992 callback
DEBUG: .../IO/Socket/SSL.pm:2791: OK free ctx 17132992
failed to connect to localhost:443: ,SSL connect attempt failed error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed at ./ssl_client.pl line 52.
This doesn't work as expected, so please suggest how to properly verify the server using a locally stored certificate.
While your certificate is self-signed (i.e. signed by itself), it is not a CA:
X509v3 extensions:
X509v3 Basic Constraints:
CA:FALSE
Because it is not a CA, it is not allowed to be used as an issuer of a certificate and thus in theory cannot even be used to sign itself.
This is at least the logic implemented in OpenSSL (and thus Net::SSLeay, IO::Socket::SSL). Other implementations like NSS seem to work with such certificates, probably because they check if the server certificate itself is explicitly trusted. Such a check is different from only checking if it is signed by a trusted CA, which is what is done by using the SSL_ca* options in IO::Socket::SSL (or the -CAfile, -CApath arguments in openssl s_client).
Explicitly trusting a specific certificate, no matter if it is self-signed, expired, revoked or whatever, can be done in IO::Socket::SSL by using the SSL_fingerprint option.
Note that debugging IO::Socket::SSL in this case does not help a lot, since the logic is implemented in OpenSSL. There is a small indicator of where it is going wrong:
DEBUG: ... ok=0 [0] .../CN=bigger2/emailAddress=root#bigger2 .../CN=bigger2/emailAddress=root#bigger2
This debug statement is called from the verification callback. ok=0 [0] indicates that this callback was called with ok=0 at certificate level 0, i.e. that the built-in validation of OpenSSL did not consider this certificate as valid.
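The SSL_fingerprint approach described in the answer, written here in Python's standard ssl module rather than Perl as an added example (not code from the answer or from IO::Socket::SSL): the CA-chain check that rejects the CA:FALSE self-signed certificate is replaced by comparing the peer certificate's digest against a pin in the same "algo$hex" notation IO::Socket::SSL accepts. The pinned value is a constructed placeholder; the real one comes from the certificate extracted above.

```python
import hashlib
import hmac
import socket
import ssl

# Expected digest of the server's DER-encoded certificate, obtained out of band:
#   openssl x509 -in /tmp/localhost.crt -noout -fingerprint -sha256
# The value here is a constructed placeholder, not a real certificate's digest.
PINNED = "sha256$" + "00" * 32

def parse_pin(pin: str):
    """Split 'algo$hex' (colons allowed, as openssl prints them) into (algo, digest bytes)."""
    algo, _, hexdigest = pin.partition("$")
    algo = algo.lower()
    if algo not in hashlib.algorithms_available:
        raise ValueError(f"unsupported fingerprint algorithm: {algo}")
    return algo, bytes.fromhex(hexdigest.replace(":", ""))

def fingerprint_matches(der_cert: bytes, pin: str) -> bool:
    """Explicit trust in one certificate: its digest either equals the pin or not.
    Basic Constraints, expiry and the chain play no role, as with SSL_fingerprint;
    the constant-time compare avoids leaking where a mismatch occurs."""
    algo, expected = parse_pin(pin)
    return hmac.compare_digest(hashlib.new(algo, der_cert).digest(), expected)

def connect_pinned(host: str, port: int, pin: str) -> ssl.SSLSocket:
    """TLS connect where the pin replaces CA-chain validation. verify_mode must be
    CERT_NONE so OpenSSL does not reject the non-CA self-signed certificate first;
    the pin is checked right after the handshake, before any application data."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    sock = ctx.wrap_socket(socket.create_connection((host, port)), server_hostname=host)
    der = sock.getpeercert(binary_form=True)
    if der is None or not fingerprint_matches(der, pin):
        sock.close()
        raise ssl.SSLCertVerificationError("peer certificate does not match the pinned fingerprint")
    return sock

if __name__ == "__main__":
    with connect_pinned("localhost", 443, PINNED) as s:
        print("pinned peer accepted:", s.version())
```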