Puppet users - Dec 2009 - SSL_connect SYSCALL returned=5

During puppet catalog runs, I sometimes (~ 10%) get the following
message:

Failed to retrieve current state of resource: SSL_connect SYSCALL
returned=5 errno=0 state=SSLv2/v3 read server hello A

Has anyone else ran into this?  I am running puppet 0.25.1 on Solaris
9 and 10.  Let me know what other info you need to help debug...

--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Hi,

During puppet catalog runs, I sometimes (~ 10%) get the
following
> message:
>
> Failed to retrieve current state of resource: SSL_connect SYSCALL
> returned=5 errno=0 state=SSLv2/v3 read server hello A
>
> Does this problem still persist? Is it always on the same clients? What
webserver are you using (webbrick?) What OS is the puppet server running on?

thanks,

-Dan
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
>
puppet-users+unsubscribe@googlegroups.com<puppet-users%2Bunsubscribe@googlegroups.com>
> .
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
>
--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> > Does this problem still persist?
yes
> > Is it always on the same clients?
It has happened on every client except (I think) the puppet server
itself.  The clients are Solaris 10 boxes with a mix of sparc and
i386.  It seems to be happening about 10x more on one particular
client, but I think that is explained by the fact that catalog runs
take much longer on that box due to a module that is only being
applied to it.
> > What webserver are you using (webbrick?)
Yes, though this will probably change soon due to what I have read in
the Puppet Scalability Notes.  We currently have only deployed puppet
to 5 nodes, but plan on managing more than 50 nodes.
> > What OS is the puppet server running on?
Solaris 10

--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

JL wrote:
>>> Does this problem still persist?
>>>       
> yes
>
>   
>>> Is it always on the same clients?
>>>       
> It has happened on every client except (I think) the puppet server
> itself.  The clients are Solaris 10 boxes with a mix of sparc and
> i386.  It seems to be happening about 10x more on one particular
> client, but I think that is explained by the fact that catalog runs
> take much longer on that box due to a module that is only being
> applied to it.
>
>   
>>> What webserver are you using (webbrick?)
>>>       
> Yes, though this will probably change soon due to what I have read in
> the Puppet Scalability Notes.  We currently have only deployed puppet
> to 5 nodes, but plan on managing more than 50 nodes.
>
>   
>>> What OS is the puppet server running on?
>>>       
> Solaris 10
>   
Just a suggestion: does this happen on nodes that have the same version 
of openssl?

I''m not really sure if the local puppet connection is encrypted or not 
(ie puppetd<->puppetmaster on the server).


Silviu

--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Tue, Dec 29, 2009 at 9:31 PM, JL <jlyman2@gmail.com> wrote:
> > > Does this problem still persist?
> yes
>
> > > Is it always on the same clients?
> It has happened on every client except (I think) the puppet server
> itself.  The clients are Solaris 10 boxes with a mix of sparc and
> i386.  It seems to be happening about 10x more on one particular
> client, but I think that is explained by the fact that catalog runs
> take much longer on that box due to a module that is only being
> applied to it.
>
> > > What webserver are you using (webbrick?)
> Yes, though this will probably change soon due to what I have read in
> the Puppet Scalability Notes.  We currently have only deployed puppet
> to 5 nodes, but plan on managing more than 50 nodes.
>
> > > What OS is the puppet server running on?
> Solaris 10
>
can you recreate with

#>puppetd --test --debug --trace

then post the output

thanks,

Dan
>
>
--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> I''m not really sure if the local puppet connection is encrypted or
not
> (ie puppetd<->puppetmaster on the server).
the only unencrypted connection of puppet is during the cert exchange,
everything else is encrypted.

cheers pete
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEUEARECAAYFAks7hr0ACgkQbwltcAfKi386sgCYxLfhSFer2fMOOAfpmId4n4/L
GQCdHkFWNXKKI3S55ZI2Ug6a1/W83YQ=4VCg
-----END PGP SIGNATURE-----

--

You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

> can you recreate with
>
> #>puppetd --test --debug --trace
>
> then post the output
I don''t have a debug trace, but I can tell you that I switched from
webrick to mongrel with nginx and my problem went away.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.