May 02 2012
 

There’s an annoying and confusing error that can come up from time to time when running a Puppet update from the client, particularly when running it for the first time.

It looks like this:

  # puppetd --test
  err: Could not retrieve catalog from remote server: 
  SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: 
  certificate verify failed
  warning: Not using cache on failed catalog
  err: Could not retrieve catalog; skipping run

This says that SSL certificate verification failed when the client connected to the Puppet server: the client could not validate the certificate it was presented against the keys it holds.

Solution

This could mean one of two things. The most common reason, particularly with a newly kickstarted host, is that the time on the client and the time on the Puppet server differ by too much. Otherwise, the certificate on the client just needs to be regenerated.

Check the Date

Confirm this with the date command on both hosts:

  # date
  Wed May 2 12:34:00 BST 2012

Then correct any discrepancy, either manually or with the ntpdate command.
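The reason a clock discrepancy breaks verification is that the SSL layer checks the current time against the certificate's notBefore/notAfter window, so a client whose clock is behind the CA sees a freshly signed certificate as "not yet valid". The following script is an added example, not part of the original post: it parses sample `openssl x509 -noout -dates` output (the dates are constructed values, not from a real host), reports where a given clock reading falls relative to that window, and shows the skew between two readings. It assumes GNU coreutils `date -d`.

```shell
#!/bin/sh
# Added example (not from the original post). Shows the validity-window check
# that fails when client and server clocks disagree. Assumes GNU `date -d`.

# Constructed sample output of `openssl x509 -noout -dates` for a certificate
# signed by the Puppet CA at 12:30 BST (11:30 GMT) on 2 May 2012.
SAMPLE_DATES='notBefore=May  2 11:30:00 2012 GMT
notAfter=May  2 11:30:00 2017 GMT'

# to_epoch DATESTR -> seconds since the Unix epoch (GNU date syntax)
to_epoch() {
    date -u -d "$1" +%s
}

# cert_status DATES_TEXT NOW_EPOCH
# Prints "not-yet-valid", "expired" or "valid" depending on where NOW falls
# relative to the notBefore/notAfter lines in DATES_TEXT.
cert_status() {
    dates_text=$1
    now=$2
    not_before=$(printf '%s\n' "$dates_text" | sed -n 's/^notBefore=//p')
    not_after=$(printf '%s\n' "$dates_text" | sed -n 's/^notAfter=//p')
    nb=$(to_epoch "$not_before")
    na=$(to_epoch "$not_after")
    if [ "$now" -lt "$nb" ]; then
        echo not-yet-valid
    elif [ "$now" -gt "$na" ]; then
        echo expired
    else
        echo valid
    fi
}

# clock_skew CLIENT_EPOCH SERVER_EPOCH -> absolute difference in seconds
clock_skew() {
    d=$(( $1 - $2 ))
    if [ "$d" -lt 0 ]; then
        d=$(( 0 - d ))
    fi
    echo "$d"
}

# Demonstration: the server reads 12:34 BST (11:34 GMT); the client's clock is
# an hour behind, so the freshly signed certificate is not yet valid for it.
server_now=$(to_epoch 'May 2 11:34:00 2012 GMT')
client_now=$(( server_now - 3600 ))
echo "skew between client and server: $(clock_skew "$client_now" "$server_now")s"
echo "server view of certificate: $(cert_status "$SAMPLE_DATES" "$server_now")"
echo "client view of certificate: $(cert_status "$SAMPLE_DATES" "$client_now")"
```

On a real client you would feed `cert_status` the output of `openssl x509 -noout -dates -in <certificate>` and `$(date +%s)`; a result of `not-yet-valid` alongside a large `clock_skew` points at the clock rather than the certificate.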

The second reason is that the certificate on the client doesn’t match that on the server. The easiest way to remedy this is to clear both certificates and start again like this:

Remove client certificate

Remove all SSL information from the Puppet client configuration:

  # find /var/lib/puppet -type f -print0 |xargs -0r rm

Clean from server the client certificate

Where the fully-qualified domain name of the problematic client is “client.example.com”:

  # puppetca --clean client.example.com

Re-execute client Puppet run

Rerun the Puppet client update:

  # puppetd --test

If all goes well, the Puppet client verifies its certificate successfully and applies the updates.


Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.

He lives and works in London.