Chenglu

Reputation: 1997

puppet ssl failed with message "unknown ca"

I've tried to build a master/agent system with puppet. My master's host name is snspay.cn. I followed the document, and everything was right until I tried to get the catalog from the master. My command is

puppet agent --server snspay.cn --no-daemonize --test onetime --verbose

and the output from the agent

Error: Could not request certificate: SSL_connect returned=1 
errno=0 state=SSLv3 read server certificate B: certificate verify
failed: [self signed certificate in certificate chain for /CN=Puppet
CA: snspay.cn]

and the master's log is like

[2014-08-11 14:39:14] ERROR OpenSSL::SSL::SSLError: SSL_accept 
returned=1 errno=0 state=SSLv3 read client certificate A: tlsv1 
alert unknown ca

I think the problem is with SSL rather than puppet itself, but I'm not very familiar with SSL. Any ideas?


Well, I have added another agent node (Ubuntu) with a totally different environment and everything works well, so the problem is with the original agent node. I am now running yum update on that node and will try again later.

Upvotes: 1

Views: 6765

Answers (1)

Felix Frank

Reputation: 8223

Your agent has not established trust with the master.

What basically needs to happen is for the agent to import the master's CA certificate to the agent. However, since the agent's cert is obviously signed by an obsolete CA, you will have to replace all SSL data.

On the agent, find the $ssldir (usually /var/lib/puppet/ssl) using

puppet agent --configprint ssldir

and rename or remove it.

Upon the next puppet agent --test run, the agent should request a new certificate, and cache the correct CA.

Upvotes: 3
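
An added example, not part of the original answer: a script that confirms the agent's cached SSL data is stale before moving the ssldir aside, keeping a timestamped backup instead of deleting it. It assumes the default Puppet 3 layout ($ssldir/certs/ca.pem and $ssldir/certs/<certname>.pem) and a copy of the master's CA certificate obtained out of band; the function names and the file name check.sh are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes the default Puppet 3
# layout $ssldir/certs/ca.pem and $ssldir/certs/<certname>.pem.

# fingerprint PEM -> prints the SHA-256 fingerprint of a certificate
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# same_ca CACHED_CA MASTER_CA -> 0 if both files hold the same certificate
same_ca() {
    [ "$(fingerprint "$1")" = "$(fingerprint "$2")" ]
}

# cert_trusted CA_PEM CERT_PEM -> 0 if CERT_PEM was signed by CA_PEM.
# Parses the output because old OpenSSL releases exit 0 even on failure.
cert_trusted() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# retire_ssldir DIR -> renames DIR to DIR.bak.<timestamp>, prints the new name
retire_ssldir() {
    dest="$1.bak.$(date +%Y%m%d%H%M%S)"
    mv -- "$1" "$dest" && printf '%s\n' "$dest"
}

# check_agent SSLDIR CERTNAME MASTER_CA -> 0 trust intact, 1 stale, 2 no data
check_agent() {
    ca="$1/certs/ca.pem"; cert="$1/certs/$2.pem"
    [ -f "$ca" ] && [ -f "$cert" ] || { echo "no cached SSL data in $1"; return 2; }
    if same_ca "$ca" "$3" && cert_trusted "$3" "$cert"; then
        echo "ok: agent cert chains to the master's CA"; return 0
    fi
    echo "stale: cached CA or agent cert does not match the master's CA"
    return 1
}

# Usage: sh check.sh "$(puppet agent --configprint ssldir)" CERTNAME master_ca.pem
if [ "$#" -eq 3 ]; then
    check_agent "$1" "$2" "$3" || { [ $? -eq 1 ] && retire_ssldir "$1"; }
fi
```

Comparing the fingerprint of the master's CA certificate over a separate channel before trusting it is what keeps the re-enrolment from blindly accepting whichever CA answers first.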
