Nobuchika Tanaka
2009-Sep-24 09:19 UTC
[Puppet Users] Puppetrun does not work with certificate error.
Hi.
I have trouble: puppetrun does not work because of an sslv3 certificate error.
So could you tell me what I should do to make puppet work well?

[Environment]
Puppetmasterd
-version:0.23.2
-OS:Redhat3 EL AS

Puppetd
-version:0.23.2
-OS:Redhat4.5 EL AS

[What I did & problem detail]
1.Install Redhat4.5 EL AS to puppetd host.

2.Install puppetd package to puppetd host and start puppetd.

3.Confirm that puppetd connects with puppetmasterd.
puppetmasterd[1984]: Allowing unauthenticated client hostname (xxx.xxx.xxx.xxx) access to puppetca.getcert

4.Run puppetrun command and exit with error.
$ puppetrun --host hostname --tag base
Failed to load ruby LDAP library. LDAP functionality will not be available
Triggering hostname
Host hostname failed: Certificates were not trusted: sslv3 alert bad certificate
hostname finished with exit code 2
Failed: hostname

I used puppet for about two years in this way.
This error occurred only on this puppetd host.
So I can't figure out...

Nobuchika Tanaka

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Silviu Paragina
2009-Sep-25 10:21 UTC
[Puppet Users] Re: Puppetrun does not work with certificate error.
Nobuchika Tanaka wrote:
> Hi.
> I have trouble: puppetrun does not work because of an sslv3
> certificate error.
> So could you tell me what I should do to make puppet work well?
>
> [Environment]
> Puppetmasterd
> -version:0.23.2
> -OS:Redhat3 EL AS
>
> Puppetd
> -version:0.23.2
> -OS:Redhat4.5 EL AS
>
> [What I did & problem detail]
> 1.Install Redhat4.5 EL AS to puppetd host.
>
> 2.Install puppetd package to puppetd host and start puppetd.
>
> 3.Confirm that puppetd connects with puppetmasterd.
> puppetmasterd[1984]: Allowing unauthenticated client hostname
> (xxx.xxx.xxx.xxx) access to puppetca.getcert
>
> 4.Run puppetrun command and exit with error.
> $ puppetrun --host hostname --tag base
> Failed to load ruby LDAP library. LDAP functionality will not be
> available
> Triggering hostname
> Host hostname failed: Certificates were not trusted: sslv3 alert bad
> certificate
> hostname finished with exit code 2
> Failed: hostname
>
> I used puppet for about two years in this way.
> This error occurred only on this puppetd host.
> So I can't figure out...
>
> Nobuchika Tanaka

Never encountered this error before. Try cleaning up the /var/puppet/ssl directory and make sure that the puppetmaster and puppet client have different names. No other ideas.

Silviu
Calimero
2009-Sep-25 12:06 UTC
[Puppet Users] Re: Puppetrun does not work with certificate error.
On 24 sep, 11:19, Nobuchika Tanaka <n06uc...@gmail.com> wrote:
> [What I did & problem detail]
> 1.Install Redhat4.5 EL AS to puppetd host.
>
> 2.Install puppetd package to puppetd host and start puppetd.
>
> 3.Confirm that puppetd connects with puppetmasterd.
> puppetmasterd[1984]: Allowing unauthenticated client hostname
> (xxx.xxx.xxx.xxx) access to puppetca.getcert

Did you sign the certificate request on the puppetmaster?

puppetca --list
puppetca --sign <fqdn>

> I used puppet for about two years in this way.
> This error occurred only on this puppetd host.
> So I can't figure out...

OK, so I'll assume you've signed the certificate! ;-)

Is the time/date set correctly on the puppet client (and everywhere else)?
openssl doesn't like certificates signed in the future, for example.

--
Calimero
Nobuchika Tanaka
2009-Sep-28 04:45 UTC
[Puppet Users] Re: Puppetrun does not work with certificate error.
Thank you for replying, Calimero.

I could solve this issue, because you pointed out the following:

> Is the time/date set correctly on the puppet client (and everywhere
> else) ?

I compared the puppetd host's time/date with the puppetmasterd host's and found that the puppetd host's was wrong.

[Puppetmasterd host]
Sep 18 08:38:46 2009 GMT

[Puppetd host]
Jan 1 08:38:46 2002 GMT

I googled this issue and found that an SSL certificate has a validity period.
I checked the certificate of my puppetd host.

$ openssl x509 -text -in /etc/puppet/ssl/ca/signed/hostname.pem
Validity
Not Before: Sep 18 08:38:46 2009 GMT
Not After : Sep 17 08:38:46 2014 GMT
#This period is based on puppetmasterd host time/date.

The puppetd host's time/date was outside the validity period. This caused the issue.
After I adjusted the puppetd host's time/date, puppetrun worked well.

Thank you for your cooperation.

Nobuchika Tanaka
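The failure resolved in this thread, reproduced as an added example (not part of any poster's message and not Puppet's own code): a constructed throwaway certificate carrying the reported validity window is checked against the wrong and the corrected clock readings. The CN `hostname.example.test`, the helper names and the "corrected clock" time are assumptions made for the illustration.

```ruby
require "openssl"

# Constructed sample: a throwaway self-signed certificate with a chosen
# validity window (stand-in for the agent certificate in the thread).
def build_sample_cert(not_before, not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=hostname.example.test") # assumed name
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Classify a clock reading against the certificate's validity window.
def validity_status(cert, now)
  return :not_yet_valid if now < cert.not_before
  return :expired if now > cert.not_after
  :valid
end

# Let OpenSSL verify the certificate as if the local clock read `now`.
# Returns [ok, error_string]; the sample is trusted because it is self-signed.
def verify_at(cert, now)
  store = OpenSSL::X509::Store.new
  store.add_cert(cert)
  store.time = now
  ok = store.verify(cert)
  [ok, store.error_string]
end

if __FILE__ == $PROGRAM_NAME
  # Validity window and wrong clock are the values quoted in the thread;
  # the corrected clock is a constructed time inside the window.
  cert = build_sample_cert(Time.utc(2009, 9, 18, 8, 38, 46), Time.utc(2014, 9, 17, 8, 38, 46))
  { "puppetd clock (wrong)" => Time.utc(2002, 1, 1, 8, 38, 46),
    "corrected clock" => Time.utc(2009, 9, 28, 4, 45, 0) }.each do |label, now|
    ok, err = verify_at(cert, now)
    puts "#{label}: #{validity_status(cert, now)} verify=#{ok} (#{err})"
  end
end
```

A host whose clock reads earlier than Not Before rejects an otherwise correctly signed certificate, so comparing the local time with the certificate's validity window is a quick first check when a handshake fails with a bad certificate alert.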
Nobuchika Tanaka
2009-Sep-28 04:48 UTC
[Puppet Users] Re: Puppetrun does not work with certificate error.
Thank you for replying, Silviu.

I could solve this issue.
Thank you for your cooperation.

Nobuchika Tanaka