There’s an annoying and confusing error that can come up from time to time when performing a Puppet update from the client, particularly when running the update for the first time.
It looks like this:
# puppetd --test
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
This is saying that the client's verification of the server's certificate has failed.
This could mean one of two things. The most common reason, particularly with a newly kickstarted host, is that the discrepancy between the time on the client and the time on the Puppet server is too large. Otherwise, the certificate on the client just needs to be regenerated.
Check the Date
Simply confirm this with the date command on both:
# date
Wed May 2 12:34:00 BST 2012
And either update manually, or using the
The second reason is that the certificate on the client doesn’t match that on the server. The easiest way to remedy this is to clear both certificates and start again like this:
Remove client certificate
Remove all SSL information from the Puppet client configuration. Note that this command deletes every file under /var/lib/puppet, not only the certificates:
# find /var/lib/puppet -type f -print0 | xargs -0r rm
Clean the client certificate from the server
Where the fully-qualified domain name of the problematic client is “client.example.com”:
# puppetca --clean client.example.com
Re-execute client Puppet run
Rerun the Puppet client update:
# puppetd --test
If all goes well, the Puppet client should successfully verify its certificate and accept the updates, as it should.
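To tell the two causes apart before deleting anything, the client's clock can be compared with the validity window of the certificate it is trying to verify. The following is an added example, not part of the original post; the function names are hypothetical, it assumes GNU date and the openssl command line tool, and the certificate path in the comment is an assumed default location.

```shell
#!/bin/sh
# Added example: check whether this host's clock falls inside a
# certificate's validity window (notBefore .. notAfter).

# to_epoch "May  1 12:00:00 2012 GMT" -> seconds since the epoch.
# Relies on GNU date to parse the date format printed by openssl.
to_epoch() {
    date -u -d "$1" +%s
}

# check_window NOT_BEFORE NOT_AFTER NOW_EPOCH
# Prints not-yet-valid, expired or in-window.
#   not-yet-valid: the clock is before notBefore; on a freshly built host
#                  this usually means the clock is behind, so fix the date.
#   expired:       the clock is after notAfter (clock ahead, or an old cert).
#   in-window:     the clock is not the cause; regenerate the certificates.
check_window() {
    start=$(to_epoch "$1") || return 2
    end=$(to_epoch "$2") || return 2
    now=$3
    if [ "$now" -lt "$start" ]; then
        echo "not-yet-valid"
    elif [ "$now" -gt "$end" ]; then
        echo "expired"
    else
        echo "in-window"
    fi
}

# check_cert_file PEM_PATH
# Reads the window from a certificate on disk and checks it against the
# current clock, e.g. (assumed default location, adjust to your ssldir):
#   check_cert_file /var/lib/puppet/ssl/certs/ca.pem
check_cert_file() {
    dates=$(openssl x509 -noout -dates -in "$1") || return 2
    nb=$(printf '%s\n' "$dates" | sed -n 's/^notBefore=//p')
    na=$(printf '%s\n' "$dates" | sed -n 's/^notAfter=//p')
    check_window "$nb" "$na" "$(date -u +%s)"
}

if [ $# -gt 0 ]; then
    check_cert_file "$1"
fi
```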
Matt Parsons is a freelance Linux specialist who has designed, built and supported Unix and Linux systems in the finance, telecommunications and media industries.
He lives and works in London.