Hi - I ran puppetd -vt against a brand newly built host (which is what I normally do for a new host) and got the usual message:

err: No certificate; running with reduced functionality.
info: Creating a new certificate request for sega-dev-1.
info: Requesting certificate

On the puppetmaster, I then list the waiting host with: puppetca --list then sign the key. In this case, I decided that the domain for the host was not correct so I did not sign the cert and went to /etc/puppet/ssl/ca and removed the waiting key from /etc/puppet/ssl/ca/requests and then re-ran puppetd -vt again.

Since then, the master has been unable to see the certificate from the puppet client.

It's not something on the client as I got to the point where I rebuilt it, completely from scratch. However, I just can't get puppetmaster to "see" this host's certificate!

What can I do in this instance? I've tried:

puppetca --clean
going through /etc/puppet/ssl and nuking any reference to the host name.

Pretty much nothing works. I guess that if I gave the host another name then this would be fine but why should I have to? I'm really stumped.
In fact, further to this, I'm completely unable to see ANY new certificate! Something seems to have gone badly wrong on the puppet master.

I've tried moving the /etc/puppet/ssl dir and then restarting puppetmaster but this does not help. I'm wondering what I need to do to nuke everything and start again for ssl?

On 09/10/2007, Stephen Tan <stan@stanandliz.net> wrote:
> Hi - I ran puppetd -vt against a brand newly built host (which is
> what I normally do for a new host) and got the usual message:
>
> err: No certificate; running with reduced functionality.
> info: Creating a new certificate request for sega-dev-1.
> info: Requesting certificate
>
> On the puppetmaster, I then list the waiting host with: puppetca
> --list then sign the key. In this case, I decided that the domain for
> the host was not correct so I did not sign the cert and went to
> /etc/puppet/ssl/ca and removed the waiting key from
> /etc/puppet/ssl/ca/requests and then re-ran puppetd -vt again.
>
> Since then, the master has been unable to see the certificate from the
> puppet client.
>
> It's not something on the client as I got to the point where I rebuilt
> it, completely from scratch. However, I just can't get puppetmaster to
> "see" this host's certificate!
>
> What can I do in this instance? I've tried:
>
> puppetca --clean
> going through /etc/puppet/ssl and nuking any reference to the host name.
>
> Pretty much nothing works. I guess that if I gave the host another
> name then this would be fine but why should I have to? I'm really
> stumped.
On Oct 9, 2007, at 10:40 AM, Stephen Tan wrote:
> In fact, further to this, I'm completely unable to see ANY new
> certificate! Something seems to have gone badly wrong on the puppet
> master.

Are you sure the master and you are looking in the same place for ssl?

When you run 'sudo puppetmasterd --configprint ssldir' and 'sudo puppetca --configprint ssldir', do you get the same values? Is that where you're looking for certs?

--
The Internet, of course, is more than just a place to find pictures of people having sex with dogs. -- Time Magazine, 3 July 1995
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On 09/10/2007, Luke Kanies <luke@madstop.com> wrote:
> On Oct 9, 2007, at 10:40 AM, Stephen Tan wrote:
>
> > In fact, further to this, I'm completely unable to see ANY new
> > certificate! Something seems to have gone badly wrong on the puppet
> > master.
>
> Are you sure the master and you are looking in the same place for ssl?
>
> When you run 'sudo puppetmasterd --configprint ssldir' and 'sudo
> puppetca --configprint ssldir', do you get the same values? Is that
> where you're looking for certs?

Hi Luke

Thanks for the quick reply.

Yes, the two dirs match up.

FAI-1:/etc/puppet/ssl/ca# puppetca --configprint ssldir
/etc/puppet/ssl
FAI-1:/etc/puppet/ssl/ca# puppetmasterd --configprint ssldir
/etc/puppet/ssl

Nothing's changed on the master. All that's happened is that I deleted a key from the request dir. After that, everything went wrong.

I'm running puppet 20.1 on a Debian Etch distribution if that means anything!

I've backed up the manifests directory, purged puppet and puppetmaster. However, when I reinstall puppet and then restore the manifests dir Puppet still says there are no keys to sign.

Thanks for your help anyway. I'll post any fixes to the problem.
On Oct 9, 2007, at 1:51 PM, Stephen Tan wrote:
>
> Hi Luke
>
> Thanks for the quick reply.
>
> Yes, the two dirs match up.
>
> FAI-1:/etc/puppet/ssl/ca# puppetca --configprint ssldir
> /etc/puppet/ssl
> FAI-1:/etc/puppet/ssl/ca# puppetmasterd --configprint ssldir
> /etc/puppet/ssl
>
> Nothing's changed on the master. All that's happened is that I
> deleted a key from the request dir. After that, everything went wrong.
>
> I'm running puppet 20.1 on a Debian Etch distribution if that means
> anything!
>
> I've backed up the manifests directory, purged puppet and
> puppetmaster. However, when I reinstall puppet and then restore the
> manifests dir Puppet still says there are no keys to sign.
>
> Thanks for your help anyway. I'll post any fixes to the problem.

There's something weird going on. This is pretty fundamental behaviour, so I think there's something unique about your setup that isn't obvious.

You're using a relatively old version, but it's also a relatively stable one, so I doubt that's the problem.

Maybe try doing an strace on the master to see where it stores the cert request? Is the server logging that it's storing the request?

--
Zeilinger's Fundamental Law:
There is no Fundamental Law.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On 10/10/2007, Luke Kanies <luke@madstop.com> wrote:
> On Oct 9, 2007, at 1:51 PM, Stephen Tan wrote:
> >
> > Hi Luke
> >
> > Thanks for the quick reply.
> >
> > Yes, the two dirs match up.
> >
> > FAI-1:/etc/puppet/ssl/ca# puppetca --configprint ssldir
> > /etc/puppet/ssl
> > FAI-1:/etc/puppet/ssl/ca# puppetmasterd --configprint ssldir
> > /etc/puppet/ssl
> >
> > Nothing's changed on the master. All that's happened is that I
> > deleted a key from the request dir. After that, everything went wrong.
> >
> > I'm running puppet 20.1 on a Debian Etch distribution if that means
> > anything!
> >
> > I've backed up the manifests directory, purged puppet and
> > puppetmaster. However, when I reinstall puppet and then restore the
> > manifests dir Puppet still says there are no keys to sign.
> >
> > Thanks for your help anyway. I'll post any fixes to the problem.
>
> There's something weird going on. This is pretty fundamental
> behaviour, so I think there's something unique about your setup that
> isn't obvious.
>
> You're using a relatively old version, but it's also a relatively
> stable one, so I doubt that's the problem.
>
> Maybe try doing an strace on the master to see where it stores the
> cert request? Is the server logging that it's storing the request?
>
> --
> Zeilinger's Fundamental Law:
> There is no Fundamental Law.
> ---------------------------------------------------------------------
> Luke Kanies | http://reductivelabs.com | http://madstop.com
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users

Hi Luke

> Maybe try doing an strace on the master to see where it stores the
> cert request? Is the server logging that it's storing the request?

Wow. I've not used strace before and it spews a LOT of output! The reason for this is because for some reason, /usr/local/lib/site_ruby/1.8/i486-linux/ is referenced for a LONG time before it goes to /usr/lib.

I've filtered the output through grep 64 | grep -v /usr/local to get some sort of relevant output. Please find it attached. I can see nothing weird about any file locations for certificates.

I'm going to download a source version of the latest stable version and see if this makes a difference.

Stephen
Luke - in order to help me debug this issue from a more basic level, I was wondering if it would be possible to give a brief summary of what happens between client and server when a puppet client requests a certificate? I can then go through and follow this to see where this process might be failing.

I'm afraid that I can't find any meaningful documentation for this on the ReductiveLabs site.

Many thanks

Stephen
On Oct 12, 2007, at 4:06 AM, Stephen Tan wrote:
> Wow. I've not used strace before and it spews a LOT of output! The
> reason for this is because for some reason,
> /usr/local/lib/site_ruby/1.8/i486-linux/ is referenced for a LONG time
> before it goes to /usr/lib.
>
> I've filtered the output through grep 64 | grep -v /usr/local to get
> some sort of relevant output. Please find it attached. I can see
> nothing weird about any file locations for certificates.

Looks like it's finding a cert in /etc/puppet/ssl/certs, but I don't see it looking for any requests at all.

> I'm going to download a source version of the latest stable version
> and see if this makes a difference.

I can't imagine it will; certs have been stable for ages.

--
Puritanism: The haunting fear that someone, somewhere, may be happy. -- H. L. Mencken
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
On Oct 12, 2007, at 7:59 AM, Stephen Tan wrote:
> Luke - in order to help me debug this issue from a more basic level, I
> was wondering if it would be possible to give a brief summary of what
> happens between client and server when a puppet client requests a
> certificate? I can then go through and follow this to see where this
> process might be failing.

The client creates a certificate request and sends it to the server. If autosign is enabled, the server signs it and sends the signed cert back, writing the cert to disk, also. If autosign is not enabled, it writes the request to the csrdir. The user then signs the cert using puppetca --sign. The client then requests the cert again, this time getting the signed cert.

> I'm afraid that I can't find any meaningful documentation for this on
> the ReductiveLabs site.

Hopefully someone will put this info in a useful place on the wiki, then (hint, hint).

--
My favorite was a professor at a University I Used To Be Associated With who claimed that our requirement of a non-alphabetic character in our passwords was an abridgement of his freedom of speech. -- Jacob Haller
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
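The exchange Luke summarises above, modelled end to end as an added example (this is not Puppet's code and not from anyone in the thread). It uses Ruby's bundled OpenSSL to have an agent generate a key and CSR, a master either autosign it or park it in a requests directory, an operator approve it the way `puppetca --sign` would, and the agent pick up the signed cert on its next run. The class and method names, the CA subject, the lifetimes, and the exact files written under the temporary ssldir (ca/requests, ca/signed) are this example's own assumptions, chosen to echo the paths discussed in the thread, not a statement of Puppet's real layout or wire protocol.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Server side of the exchange. Holds a self-signed CA and an ssldir.
class ToyMaster
  attr_reader :ca_cert

  def initialize(ssldir, autosign: false)
    @autosign = autosign
    @csrdir   = File.join(ssldir, 'ca', 'requests')   # assumed layout
    @signed   = File.join(ssldir, 'ca', 'signed')     # assumed layout
    [@csrdir, @signed].each { |d| FileUtils.mkdir_p(d) }
    @ca_key  = OpenSSL::PKey::RSA.new(2048)
    @ca_cert = self_signed_ca(@ca_key)
    @serial  = 1
  end

  # "Client sends a request": with autosign on, sign and return the PEM at
  # once; otherwise verify the CSR, park it in csrdir and return nil.
  def receive_request(csr_pem)
    csr = OpenSSL::X509::Request.new(csr_pem)
    raise 'CSR signature does not verify' unless csr.verify(csr.public_key)
    name = csr.subject.to_a.find { |oid, _, _| oid == 'CN' }[1]
    return issue(name, csr) if @autosign
    File.write(File.join(@csrdir, "#{name}.pem"), csr.to_pem)
    nil
  end

  # What `puppetca --list` would show: names with an unsigned CSR waiting.
  def waiting
    Dir.glob(File.join(@csrdir, '*.pem')).map { |p| File.basename(p, '.pem') }.sort
  end

  # What `puppetca --sign <name>` does: operator approves the parked CSR.
  def sign(name)
    path = File.join(@csrdir, "#{name}.pem")
    raise "no request waiting for #{name}" unless File.exist?(path)
    pem = issue(name, OpenSSL::X509::Request.new(File.read(path)))
    File.delete(path)
    pem
  end

  # "Client asks for its cert": PEM if it has been signed, else nil.
  def fetch_cert(name)
    path = File.join(@signed, "#{name}.pem")
    File.exist?(path) ? File.read(path) : nil
  end

  private

  def issue(name, csr)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, (@serial += 1)
    cert.subject, cert.issuer = csr.subject, @ca_cert.subject
    cert.public_key = csr.public_key
    cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
    cert.sign(@ca_key, OpenSSL::Digest.new('SHA256'))
    File.write(File.join(@signed, "#{name}.pem"), cert.to_pem)
    cert.to_pem
  end

  def self_signed_ca(key)
    cert = OpenSSL::X509::Certificate.new
    cert.version, cert.serial = 2, 1
    cert.subject = OpenSSL::X509::Name.parse('/CN=Toy Puppet CA')
    cert.issuer, cert.public_key = cert.subject, key.public_key
    cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.sign(key, OpenSSL::Digest.new('SHA256'))
    cert
  end
end

# The agent: owns a key and CSR; each run stands in for one `puppetd -vt`.
class ToyAgent
  attr_reader :cert

  def initialize(name)
    @name, @key, @cert = name, OpenSSL::PKey::RSA.new(2048), nil
    @csr = OpenSSL::X509::Request.new
    @csr.version, @csr.subject = 0, OpenSSL::X509::Name.parse("/CN=#{name}")
    @csr.public_key = @key.public_key
    @csr.sign(@key, OpenSSL::Digest.new('SHA256'))
  end

  # Returns :has_cert, :got_cert, or :waiting (the "No certificate; running
  # with reduced functionality" state). If the master has no cert for us we
  # (re)submit the CSR, so a request deleted from csrdir reappears next run.
  def run(master)
    return :has_cert if @cert
    pem = master.fetch_cert(@name) || master.receive_request(@csr.to_pem)
    return :waiting unless pem
    @cert = OpenSSL::X509::Certificate.new(pem)
    :got_cert
  end

  # Issued cert chains to the master's CA and carries this agent's key?
  def cert_valid?(master)
    !@cert.nil? && @cert.verify(master.ca_cert.public_key) &&
      @cert.public_key.to_der == @key.public_key.to_der
  end
end

# Run the whole flow in a throwaway ssldir and report what each step saw.
def walkthrough(autosign: false)
  Dir.mktmpdir('ssl') do |ssldir|
    master, agent = ToyMaster.new(ssldir, autosign: autosign), ToyAgent.new('sega-dev-1')
    first   = agent.run(master)                      # CSR goes to the master
    waiting = master.waiting                         # operator lists requests
    master.sign('sega-dev-1') unless autosign        # operator approves
    second  = agent.run(master)                      # agent fetches signed cert
    { first: first, waiting: waiting, second: second,
      valid: agent.cert_valid?(master), left_waiting: master.waiting }
  end
end
```

With autosign off, `walkthrough` reports the first run as `:waiting` with `sega-dev-1` listed, then `:got_cert` after the operator signs and an empty requests directory afterwards; with `autosign: true` the cert comes back on the first run. The toy also makes the earlier observation in the thread concrete: because the agent resubmits its CSR whenever the master has no cert for it, removing a file from the requests directory only empties the list until the agent's next run, so a request that stays missing points away from the ssldir and towards the agent never reaching the master at all.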
On 13/10/2007, Luke Kanies <luke@madstop.com> wrote:
> On Oct 12, 2007, at 4:06 AM, Stephen Tan wrote:
>
> > Wow. I've not used strace before and it spews a LOT of output! The
> > reason for this is because for some reason,
> > /usr/local/lib/site_ruby/1.8/i486-linux/ is referenced for a LONG time
> > before it goes to /usr/lib.
> >
> > I've filtered the output through grep 64 | grep -v /usr/local to get
> > some sort of relevant output. Please find it attached. I can see
> > nothing weird about any file locations for certificates.
>
> Looks like it's finding a cert in /etc/puppet/ssl/certs, but I don't
> see it looking for any requests at all.
>
> > I'm going to download a source version of the latest stable version
> > and see if this makes a difference.
>
> I can't imagine it will; certs have been stable for ages.

Luke wrote:
> Looks like it's finding a cert in /etc/puppet/ssl/certs, but I don't
> see it looking for any requests at all.

Ah - I am an absolute idiot. This is NOT a Puppet issue but a routing issue. It's a long story and rather embarrassing. Needless to say, once I'd corrected my routing, puppetca saw the certificate immediately.

Thanks for your help!

Stephen