Puppet ssl errors "SSL_connect return = 1 errno = 0 state = SSLv3 считать сертификат сервера B: проверка сертификата не выполнена"

Question

Я пытаюсь настроить кукольный мастер и puppetdb на том же узле с помощью модуля puppetdb.

Когда я пытаюсь запустить кукольный агент -t, я вижу следующее Erorr

notice: Unable to connect to puppetdb server (ip-10-172-161-25.us-west-1.compute.internal:8081): SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed 
notice: Failed to connect to puppetdb; sleeping 2 seconds before retry 


[root@ip-10-172-161-25 modules]# puppet cert --list --all 
+ "ip-10-172-161-25.us-west-1.compute.internal" (66:37:02:AB:98:C5:CD:28:1C:D3:68:53:13:CC:A1:E5) 
+ "ip-10-196-99-56.us-west-1.compute.internal" (99:C9:7C:A1:1A:FD:3C:27:85:76:C7:5A:6A:D5:F9:79) 
+ "puppettest.eng.com"       (17:4A:B9:D1:48:F2:82:73:7D:7F:1D:55:E4:A1:A6:A0) (alt names: "DNS:ip-10-172-161-25.us-west-1.compute.internal", "DNS:puppet", "DNS:puppettest.eng.com") 


[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppet.conf 
[main] 
    # The Puppet log directory. 
    # The default value is '$vardir/log'. 
    logdir = /var/log/puppet 

    # Where Puppet PID files are kept. 
    # The default value is '$vardir/run'. 
    rundir = /var/run/puppet 

    # Where SSL certificates are kept. 
    # The default value is '$confdir/ssl'. 
    ssldir = $vardir/ssl 
    server = puppettest.eng.com 

[agent] 
    # The file in which puppetd stores a list of the classes 
    # associated with the retrieved configuratiion. Can be loaded in 
    # the separate ``puppet`` executable using the ``--loadclasses`` 
    # option. 
    # The default value is '$confdir/classes.txt'. 
    classfile = $vardir/classes.txt 

    # Where puppetd caches the local configuration. An 
    # extension indicating the cache format is added automatically. 
    # The default value is '$confdir/localconfig'. 
    localconfig = $vardir/localconfig 

[master] 

    certname=puppettest.eng.com 
    dns_alt_names = ip-10-172-161-25.us-west-1.compute.internal,puppettest.eng.com,puppet 

Puppetdb.conf

[root@ip-10-172-161-25 modules]# cat /etc/puppet/puppetdb.conf 
[main] 
server = ip-10-172-161-25.us-west-1.compute.internal 
#server = puppettest.eng.com 
port = 8081 

jetty.in

[jetty] 
# Hostname or IP address to listen for clear-text HTTP. Default is localhost 
# host = <host> 
#host = localhost 
host = localhost 

# Port to listen on for clear-text HTTP. 
port = 8080 


# The following are SSL specific settings. They can be configured 
# automatically with the tool puppetdb-ssl-setup, which is normally 
# ran during package installation. 

# The host or IP address to listen on for HTTPS connections 
#ssl-host = ip-10-172-161-25.us-west-1.compute.internal 
ssl-host = ip-10-172-161-25.us-west-1.compute.internal 

# The port to listen on for HTTPS connections 
ssl-port = 8081 

# Private key path 
ssl-key = /etc/puppetdb/ssl/private.pem 

# Public certificate path 
ssl-cert = /etc/puppetdb/ssl/public.pem 

# Certificate authority path 
ssl-ca-cert = /etc/puppetdb/ssl/ca.pem 

certificate-whitelist = /etc/puppetdb/whitelist.txt 

whitelist.txt

[root@ip-10-172-161-25 modules]# cat /etc/puppetdb/whitelist.txt 
ip-10-172-161-25.us-west-1.compute.internal 
puppettest.eng.com 
localhost 


[root@ip-10-172-161-25 modules]# rpm -qa | grep -i puppet 

puppet-server-2.7.22-1.0.amzn1.x86_64 
puppetlabs-release-5-7.noarch 
puppetdb-terminus-1.4.0-1.el5.noarch 
puppet-2.7.22-1.0.amzn1.x86_64 
puppetdb-1.4.0-1.el5.noarch 
[root@ip-10-172-161-25 modules]# rpm -qa | grep -i ruby 
ruby-libs-1.8.7.374-1.0.amzn1.x86_64 
ruby-1.8.7.374-1.0.amzn1.x86_64 
ruby-augeas-0.4.1-1.3.amzn1.x86_64 
[root@ip-10-172-161-25 modules]# 

Я устал несколько раз отменяю мастер-сертификат и создал новый, не повезло

Answer 1

Пробная кукла-купе-ssl-setup -f, которая позаботилась о сертификате missmatch.

больше деталей в https://groups.google.com/forum/#!topic/puppet-users/VqpGAxw7-Fo

Спасибо Кену за помощь