puppet master not signing certificate - certificate

I am using puppet with cobbler and I am having a problem with certificate signing. I have configured cobbler to revoke the puppet client certificate when a puppet-managed machine is reinstalled. The revoking part runs just fine and puppetmaster listed the new client certificate, but puppetmaster failed to sign it, so the puppet client failed to run.
This is the output when I listed all the certificates on puppet master:
# puppet cert list -a
+ "spacewalk" (SHA256) E3:63:F1:9A:10:1E:AD:20:72:DA:17:0E:0F:EB:F5:2B:9E:7E:26:80:8D:58:2E:28:A2:2D:68:01:F7:BD:A8:B3 (alt names: "DNS:puppet", "DNS:puppet.playground.local", "DNS:spacewalk")
- "p1.playground.local" (SHA256) CD:AD:3E:04:04:C0:84:88:A0:67:F7:56:57:F1:67:82:43:31:CE:37:71:10:01:AD:15:DE:5A:0E:2E:7C:63:DE (unable to get local issuer certificate)
This is the error when I ran puppet agent -t on puppet client:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
This is the error when I try to get the master to sign the certificate:
# puppet cert sign p1.playground.local
Error: Could not find certificate request for p1.playground.local
This is the error after running puppet agent -t, upon revoking the certificate:
# puppet agent -t
info: Creating a new SSL key for p1.playground.local
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for p1.playground.local
info: Certificate Request fingerprint (md5): 65:F0:6D:8D:66:89:57:13:11:A6:DD:02:DF:DC:C1:7B
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Could not intern from s: nested asn1 error
Exiting; failed to retrieve certificate and waitforcert is disabled
I removed the /var/lib/puppet/ssl directory on the client, reran puppet agent -t and got the same error as above.
Finally I tried removing the /var/lib/puppet/ssl directory on both master and client and regenerating the certificates, and all is good. I could just remove the ssl directory every time before I start the auto installation, but it would be great if I didn't have to do it manually.
Any help is appreciated.
Thanks.

Related

How to fix EF Core migration "The certificate chain was issued by an authority that is not trusted"

Connection String:
Data Source=<server>,<port>;Initial Catalog=<database>;User Id=<username>;
Password=<password>?;MultipleActiveResultSets=true;Encrypt=True;
TrustServerCertificate=false;Integrated Security=false;Trusted_Connection=true;
Connection Timeout=30;
My connection string contains:
TrustServerCertificate=false
and I get this error:
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The certificate chain was issued by an authority that is not trusted.)
When I have a connection string with this:
TrustServerCertificate=true
I get:
Login failed for user '<username>'. // <-- real username removed
The EF Core 7.0 breaking changes page addresses this: https://learn.microsoft.com/en-us/ef/core/what-is-new/ef-core-7.0/breaking-changes
There are three ways to proceed:
1. Install a valid certificate on the server. Note that this is an involved process and requires obtaining a certificate and ensuring it is signed by an authority trusted by the client.
2. If the server has a certificate, but it is not trusted by the client, then set TrustServerCertificate=True to allow bypassing the normal trust mechanisms.
3. Explicitly add Encrypt=False to the connection string.
I received the same error when trying a "Scaffold" command in the NuGet console. The versions of Microsoft.EntityFrameworkCore.Tools and Microsoft.EntityFrameworkCore.SQLServer were 7.0.0.
Then I downgraded these two packages to version 6.0.9 and everything works fine.

git update version error: curl: (60) SSL certificate problem: self signed certificate in certificate chain

I tried to update the Git version on an Azure DevOps agent server with the command git update-git-for-windows
but got an error:
PS C:\Program Files\Git> git update-git-for-windows
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
PS C:\Program Files\Git> git update-git-for-windows
curl: (60) SSL certificate problem: self signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html
curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
I have a RootCA.crt in the config:
[user]
name = tfsbuild
email = tfsbuild@XXX
[http]
sslCAInfo = C:/Users/tfsbuild/RootCA.crt
EDIT:
The solution is:
add CURL_CA_BUNDLE to the user environment variables, pointing at the special certificate.

Dumping mongodb error: error dialing cluster0-shard-00-00.fklgt.mongodb.net:27017: SSL errors: SSL routines:ssl3_get_server_certificate:certificate

I usually dump my mongodb database using this command and it works perfectly:
mongodump --uri mongodb+srv://name:password@cluster0.fklgt.mongodb.net/database_name --archive="dump-copy-name" --forceTableScan
However, I have been trying to dump different databases and it just keeps logging this:
2021-06-21T18:43:39.206+0100 error dialing cluster0-shard-00-00.fklgt.mongodb.net:27017: SSL errors: SSL routines:ssl3_get_server_certificate:certificate verify failed
Any idea what's going-on?
The mongodump tool does not implicitly trust your system certificate store. You will need to pass it the root CA certificate so that it can validate the cluster's certificate.
To find out which certificate is the root, use openssl:
openssl s_client -connect cluster0-shard-00-00.fklgt.mongodb.net:27017
The output should include a certificate chain section like:
---
Certificate chain
0 s:/C=US/ST=New York/L=New York/O=MongoDB, Inc./CN=*.mongodb.com
i:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
1 s:/C=US/O=DigiCert Inc/CN=DigiCert SHA2 Secure Server CA
i:/C=US/O=DigiCert Inc/OU=www.digicert.com/CN=DigiCert Global Root CA
---
(this is an example, test with your cluster to get the real certificates)
The highest numbered certificate in the chain should be the root. Once you have that, google for the CN part (in my example that was "DigiCert SHA2 Secure Server CA"), and you should find a link to download the certificate.
The root should be one of the two listed here: https://docs.atlas.mongodb.com/reference/faq/security/#hard-coded-certificate-authority
Once you have the root certificate in .pem format, use the command line option --sslCAFile=<filename> to pass it to mongodump.
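Every failure on this page (puppet's "unable to get local issuer certificate", curl's "self signed certificate in certificate chain", mongodump's "certificate verify failed", SQL Server's "authority that is not trusted") is the same event: the verifier cannot find the issuing CA in the trust store it was given. The script below is an added example, not code from any of the posts; it builds a throwaway root CA and a leaf certificate with openssl, then verifies the leaf against the issuing root and against an unrelated root so you can see both outcomes offline. The CA names, the host name p1.playground.local and the working directory are all made up for the demo.

```shell
#!/bin/sh
# Added example (not from any post above). Builds a throwaway root CA plus a
# leaf signed by it, then shows how openssl verify reports the same
# "unable to get local issuer certificate" that puppet, mongodump and curl
# raise when the trust store lacks the issuing CA. All names are invented.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Write a minimal req config for a self-signed CA named $1 to file $2.
ca_config() {
    cat > "$2" <<EOF
[req]
prompt = no
distinguished_name = dn
x509_extensions = v3_ca
[dn]
CN = $1
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
}

# Self-signed root named $1, written to $WORK/$2.crt and $WORK/$2.key.
make_root() {
    ca_config "$1" "$WORK/$2.cnf"
    openssl req -x509 -config "$WORK/$2.cnf" -newkey rsa:2048 -nodes -days 2 \
        -keyout "$WORK/$2.key" -out "$WORK/$2.crt" 2>/dev/null
}

# Leaf for host $1 signed by root stem $2, written to $WORK/leaf.crt.
make_leaf() {
    cat > "$WORK/leaf.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
[dn]
CN = $1
EOF
    cat > "$WORK/leaf.ext" <<EOF
basicConstraints = CA:FALSE
subjectAltName = DNS:$1
EOF
    openssl req -new -config "$WORK/leaf.cnf" -newkey rsa:2048 -nodes \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$WORK/leaf.csr" \
        -CA "$WORK/$2.crt" -CAkey "$WORK/$2.key" -CAcreateserial \
        -extfile "$WORK/leaf.ext" -out "$WORK/leaf.crt" 2>/dev/null
}

# Print openssl's verdict on leaf.crt when the trust store is CA file $1.
verify_with() {
    openssl verify -CAfile "$1" "$WORK/leaf.crt" 2>&1 || true
}

# Exit 0 if leaf.crt chains to CA file $1, 1 otherwise. The verdict text is
# checked instead of the exit status because old openssl builds return 0
# even when verification fails.
chain_ok() {
    verify_with "$1" | grep -q ': OK$'
}

# Issuing root, an unrelated root, and a leaf signed by the issuing root.
build_demo() {
    make_root "Demo Root CA" root
    make_root "Unrelated Root CA" other
    make_leaf "p1.playground.local" root
}

if [ "${1:-}" = "demo" ]; then
    build_demo
    echo "--- verifying against the issuing root:"
    verify_with "$WORK/root.crt"
    echo "--- verifying against an unrelated root:"
    verify_with "$WORK/other.crt"
fi
```

Run it as `sh demo.sh demo`. The second verdict is the "error 20 at 0 depth lookup: unable to get local issuer certificate" that appears in the puppet cert list above; the fix in every tool is the same as the mongodump answer's `--sslCAFile`, curl's `CURL_CA_BUNDLE` or git's `http.sslCAInfo`: hand the verifier the file containing the issuing CA. One caveat when reading an `openssl s_client` chain listing: the `s:` line of the highest-numbered entry is only the last certificate the server sent, which is often an intermediate; the root is whatever that entry's `i:` line names, and servers usually do not send it.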

Why the certificate is rejected despite it being installed?

When accessing a URL in my LAN using the web browser, I get a certificate error message:
In Firefox:
Warning: Potential Security Risk Ahead
In Internet Explorer:
This site is not secure
I download the certificate and import it using Windows Powershell as admin:
> certutil -addstore -enterprise -f "Root" .\certificate.pem
Root "Trusted Root Certification Authorities"
Signature matches Public Key
Certificate "Certificate" added to store.
CertUtil: -addstore command completed successfully.
The issue isn't solved.
If I ping the IP address, I get a response. However, if I telnet to the IP:port using PuTTY, I get a pop-up window with the following error message:
Remote side unexpectedly closed network connection
How can I get my computer to accept the certificate?

puppet server not able to provision itself - certificate verify failed

I installed a new Puppet Server (version 6.11) on CentOS 8 to get rid of our old 3.8 installation on CentOS 6.
After migrating all of our modules and testing them on a CentOS 7 and a CentOS 8 server, I now wanted to add the Puppet Server itself as a node.
While the CentOS 7 and 8 test servers are running fine, I am not able to get the Puppet Server itself running as a puppet client as well.
I added it as a node with just one Module and tried to run puppet agent:
[root@puppetmaster /]# puppet agent --test --server puppetmaster.th
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetmaster.th
Info: Certificate Request fingerprint (SHA256): E8:F3:69:50:53:43:32:4F:D8:D1:EF:18:17:98:70:15:3C:3B:B6:A1:6B:CA:0F:F0:A4:C3:EF:FE:3B:C5:3C:01
Error: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
Error: Could not run: certificate verify failed [unable to get certificate CRL for CN=puppetmaster.th]
I tried deleting the Certs in /opt/puppetlabs/puppet/ssl/ as well as in /etc/puppetlabs/puppet/ssl and /etc/puppetlabs/puppet/sslmaster/.
I always get the same result. Looking at puppetserver ca list --all, I get 3 existing servers:
Signed Certificates:
centos7.th (SHA256) A8:EF:33:B6:92:F2:B7:42:DA:F8:B3:B5:67:DD:5A:68:6E:C1:40:97:23:B7:35:7C:A4:36:52:EB:3A:0D:C9:7F
centos8.th (SHA256) 35:CE:E7:7D:44:5B:93:C0:80:44:DB:75:BE:9C:CF:04:81:02:00:D7:49:D7:51:52:47:38:CA:E6:77:1D:01:19
puppetmaster.th (SHA256) 7E:F5:A4:24:47:F6:90:2D:54:BB:D0:A9:5E:EF:B8:61:C9:E9:D4:7F:AE:68:82:7A:6A:C3:13:F9:21:72:3F:3F alt names: ["DNS:puppetmaster.th", "DNS:puppetmaster", "DNS:puppetmaster.th"] authorization extensions: [pp_cli_auth: true]
The 2 test servers are still running fine (although of course I had to add them again after deleting all certs).
Now I am a little confused about how to add the puppet server itself as a working agent (which does work fine in the old setup).