tek0011

Reputation: 147

Error: Could not run: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

I am trying to copy a current Puppet Master server on one domain and move it to another. I'm finding that it's very hard to change all the config remnants. Is there an easy way to do this, or a step-by-step best practice? I have grepped most of the old FQDN name and changed it to the new one, yet when I delete all certs and re-issue new ones on the master, it wants to keep pulling a cert for the old FQDN.

Edit 1: I have resolved many of the issues I was previously getting. However, I cannot get past this SSL issue for the life of me.

[root@puppet lib]# puppet resource service apache2 ensure=running
Error: Could not run: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [unable to get local issuer certificate for /CN=puppet.foundry.test]

I have attempted to completely purge all certs from the master, using this link, and then regenerate all. But I still keep getting the same errors:

Error: Could not run: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A

Now I'm not sure if I am having Puppet SSL issues, or SSL issues in general.

Upvotes: 5

Views: 19000

Answers (4)

Warren

Reputation: 47

Make sure that you are running puppet as root, or with sudo. I have received this exact error when I was my normal user and ran "puppet agent -t" without elevating my privileges.

Upvotes: 0

TomOnTime

Reputation: 4477

What puppet isn't telling you is that there is a cert mismatch. The master disconnects as soon as it determines that the cert is invalid or a mismatch. Because the disconnect is so sudden, puppet isn't told why it happens.

When this happens, Puppet could, for example, change that error message to "Hey! Here's a list of things you might check." and then suggest things like verifying the cert expiration date, a cert mismatch, etc. However, why would anyone do that?

Here's one way you can get into this situation: Set up two puppet client machines with the same name by mistake. The second machine to use that name will work, but the first machine will no longer work.

How might someone get into that situation? Two machines can't have the same name! Of course not. But we have seen situations like this:

  • Machines A, B, C, D, and E are all Puppet clients.
  • Machine C gets wiped and reloaded. The technician accidentally calls it "B". To get it working with Puppet, they run "puppet cert clean B".
  • The technician realizes their mistake and reconfigures machine C with the proper name, performs "puppet cert clean C", and machine C now works fine.
  • A week later someone notices that machine B hasn't been able to talk to the master. It gets this error message. After hours of debugging, they see that the client cert has one serial number but the master expects that client to have a very different serial number. Machine B's cert is cleaned, regenerated, etc., and everything continues.

Should Puppet Labs update the error message to hint that this may be the problem? They could, but then I wouldn't get rep points for writing this awesome answer. Besides, technicians should never make such a mistake, so why handle a case that obviously should never happen... except when it does.

Upvotes: 1

Tombart

Reputation: 32378

Most likely you're connecting to the wrong server (the default is the hostname puppet).

Check your agent's config; you're mostly interested in the server variable:

puppet config print --section agent | grep "server = "

Also, it's good to know where the puppet agent is looking for its config:

$ puppet config print --section agent | grep "^config = "
config = /etc/puppetlabs/puppet/puppet.conf

Edit your config and set the correct puppet master:

[agent]
server=puppet4.example.com

Just to be sure, you can clean your certificate (on the agent):

find /etc/puppetlabs/puppet/ssl -name $(hostname -f).pem -delete

on the puppet server:

puppet cert clean {broken hostname}

And finally run puppet agent -t

Upvotes: 5
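The following script is an added example written for this page; it is not code from Tombart's or TomOnTime's answers, nor from the Puppet project. It reproduces offline, with a throwaway OpenSSL CA in a temp directory, the two conditions that Tombart's fix addresses (the master's cert must chain to the CA the agent trusts, and the name in server = must appear in the cert's CN or SAN, which is where dns_alt_names ends up) and the cert-serial mismatch TomOnTime describes after a "puppet cert clean" on the wrong host. It assumes only the openssl command-line tool (1.1.0 or newer, for verify -verify_hostname); every host name and CA name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not code from the answers above. Builds a throwaway CA and a
# few certs, then runs the checks an agent effectively performs before it trusts
# a master. Assumes the openssl CLI (1.1.0+); all names are constructed.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# make_ca PREFIX CN: self-signed CA cert and key under $WORK
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" >/dev/null 2>&1
}

# issue PREFIX CN CA_PREFIX [SAN_LIST]: CA-signed cert, optional subjectAltName
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
    -out "$WORK/$1.csr" -subj "/CN=$2" >/dev/null 2>&1
  ext_args=""
  if [ -n "${4:-}" ]; then
    printf 'subjectAltName=%s\n' "$4" > "$WORK/$1.ext"
    ext_args="-extfile $WORK/$1.ext"
  fi
  # -CAcreateserial keeps a serial counter per CA, so every issued cert differs
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
    -CAcreateserial -days 2 $ext_args -out "$WORK/$1.pem" >/dev/null 2>&1
}

# check_master CA_PEM SERVER_NAME: succeeds only if the master cert chains to
# CA_PEM and SERVER_NAME matches its CN/SAN, the two things 'server =' relies on
check_master() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/master.pem" >/dev/null 2>&1
}

# cert_names CERT_PEM: the subject and every SAN entry, to compare with 'server ='
cert_names() {
  openssl x509 -in "$1" -noout -subject
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# serial_of CERT_PEM: the serial the master compares against its own copy
serial_of() {
  openssl x509 -in "$1" -noout -serial
}

make_ca good-ca  "Puppet CA: puppet.example.test"
make_ca stale-ca "Puppet CA: puppet.foundry.test"   # the CA a not-yet-migrated agent still trusts
issue master puppet.example.test good-ca "DNS:puppet.example.test,DNS:puppet"
issue b-old b.example.test good-ca                  # machine B's original agent cert
issue b-new b.example.test good-ca                  # cert issued after 'puppet cert clean B' and re-enrolment

# report CA_PEM SERVER_NAME: print the outcome the way the agent experiences it
report() {
  if check_master "$1" "$2"; then echo "OK   $2 via $(basename "$1")"
  else echo "FAIL $2 via $(basename "$1")"; fi
}
report "$WORK/good-ca.pem"  puppet.example.test  # OK: right CA, right name
report "$WORK/good-ca.pem"  puppet               # OK: covered by the SAN (dns_alt_names)
report "$WORK/stale-ca.pem" puppet.example.test  # FAIL: unable to get local issuer certificate
report "$WORK/good-ca.pem"  puppet4.example.com  # FAIL: name is in neither CN nor SAN
cert_names "$WORK/master.pem"
echo "B old: $(serial_of "$WORK/b-old.pem")  B new: $(serial_of "$WORK/b-new.pem")"
```

On a live agent, the CA to pass is ssldir/certs/ca.pem (ssldir from puppet config print ssldir), the name is whatever puppet config print server returns, and the master certificate is the one the server presents on port 8140. The third report line is the same "unable to get local issuer certificate" condition as in the question: the agent's ca.pem was issued by the old master, so nothing the new master presents can chain to it until ssldir is cleared and a fresh CA cert is fetched. The last line shows why TomOnTime's machine B stays broken after the wrong "puppet cert clean": its on-disk cert keeps the old serial while the master only knows the new one.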

ask_help

Reputation: 116

  1. You can use this link: http://bitcube.co.uk/content/puppet-errors-explained
  2. Did you try to change the puppet master DNS?
  3. Check whether the puppet master cert is the same as what you are writing in server on the node. If not, you can always use dns_alt_names = puppet_hostname.your_domain and all the names you want for the puppet master & CA.

Then try to restart the puppet master service, clean the slave certname from the master, remove the whole /var/lib/puppet/ssl/ folder from the slave, and run puppet again.

Upvotes: 3
