Jamie
2010-Jan-18 19:40 UTC
[Puppet Users] SSL Issues when Puppet master and client are on the same machine
Hi

I've searched high and low for the answer to this but can't find any relevant solutions. I know that when the master and client are on different hosts it's pretty simple to solve most SSL issues...

1) stop puppetd on the client
2) Clean the cert on the master - puppetca --clean <host>
3) Recursively delete /etc/puppet/ssl on the client
4) Restart puppetd on the client

This approach does not work when the master and client are on the same machine; I've tried it (stopping puppetmasterd also before deleting).

I got into this situation by doing puppetca --clean --all on the puppetmaster (yeah, probably shouldn't have done that). All other Puppet clients are working fine after that command.

Anyone got any ideas?

Thank you

Puppet 0.25.1
CentOS 5.3

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Scott Smith
2010-Jan-18 20:00 UTC
Re: [Puppet Users] SSL Issues when Puppet master and client are on the same machine
On 1/18/10 11:40 AM, Jamie wrote:
> Hi
>
> I've searched high and low for the answer to this but can't find any
> relevant solutions. I know that when the master and client are on
> different hosts it's pretty simple to solve most SSL issues...
>

Sounds like you might need to split some parameters up from [main] to [puppetd] and [puppetmasterd]

Post your puppet.conf?

-scott
Jamie
2010-Jan-18 21:11 UTC
[Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
Oh! You're probably right :) Can you elaborate or point me in the right direction?

    [main]
    # Default (/var/puppet/log)
    logdir = /var/log/puppet
    # Default (/var/puppet/run)
    rundir = /var/run/puppet
    # Default (/etc/puppet/modules:/usr/share/puppet/modules)
    modulepath = /etc/puppet/modules
    # How often (in seconds) puppetd connects to the master (default: 1800)
    runinterval = 900
    # Whether to flush logs to disk immediately
    autoflush = true
    # Needed for reverse proxy
    ssl_client_header = HTTP_X_SSL_SUBJECT
    # For external nodes via cobbler "systems"
    external_nodes = /usr/bin/cobbler-ext-nodes
    node_terminus = exec

On Jan 18, 12:00 pm, Scott Smith <sc...@ohlol.net> wrote:
> On 1/18/10 11:40 AM, Jamie wrote:
> > Hi
> >
> > I've searched high and low for the answer to this but can't find any
> > relevant solutions. I know that when the master and client are on
> > different hosts it's pretty simple to solve most SSL issues...
>
> Sounds like you might need to split some parameters up from [main] to [puppetd] and [puppetmasterd]
>
> Post your puppet.conf?
>
> -scott
Scott Smith
2010-Jan-18 21:29 UTC
Re: [Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
On 1/18/10 1:11 PM, Jamie wrote:
> Oh! You're probably right :) Can you elaborate or point me in the
> right direction?
>

Umm, you don't have [puppetd] and [puppetmasterd] sections?

At the bare minimum, you probably need to tell puppetmasterd and puppetd to use different hostnames.

http://docs.reductivelabs.com/references/latest/configuration.html

Check out certname.

-scott
Jamie
2010-Jan-18 22:38 UTC
[Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
Ok, I made a [puppetmasterd] section, not sure what I'd want to put into a [puppetd] section though that isn't fine in a [main] section.

    [main]
    # Default (/var/puppet/log)
    logdir = /var/log/puppet
    # Default (/var/puppet/run)
    rundir = /var/run/puppet
    # How often (in seconds) puppetd connects to the master (default: 1800)
    runinterval = 900
    # Whether to flush logs to disk immediately
    autoflush = true

    [puppetmasterd]
    # Default (/etc/puppet/modules:/usr/share/puppet/modules)
    modulepath = /etc/puppet/modules
    # Needed for reverse proxy
    ssl_client_header = HTTP_X_SSL_SUBJECT
    # For external nodes via cobbler "systems"
    external_nodes = /usr/bin/cobbler-ext-nodes
    node_terminus = exec

I don't understand how certname would help me though (assuming my puppet server is called puppet01 with a CNAME of puppet). It all worked fine without specifying certname prior to me cleaning out all the certs.

Could I do something like this?

    [puppetmasterd]
    ssldir = /etc/puppet/puppetmaster_ssl

    [puppetd]
    ssldir = /etc/puppet/ssl

Here's the (cleaned) output I get trying to run puppetd.

    $ sudo puppetd -td
    debug: Puppet::Type::User::ProviderPw: file pw does not exist
    debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
    debug: Puppet::Type::User::ProviderLdap: true value when expecting false
    debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
    debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/private_keys/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
    debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: /File[/etc/puppet/ssl/public_keys/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
    debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
    debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
    debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
    debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
    debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
    debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
    debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
    debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
    debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
    debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
    debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
    debug: /File[/etc/puppet/ssl/certs/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
    debug: Finishing transaction 23703295081660 with 0 changes
    debug: Using cached certificate for ca
    debug: Using cached certificate for puppet01.example.com
    debug: Loaded state in 0.01 seconds
    debug: Using cached certificate for ca
    debug: Using cached certificate for puppet01.example.com
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

On Jan 18, 1:29 pm, Scott Smith <sc...@ohlol.net> wrote:
> On 1/18/10 1:11 PM, Jamie wrote:
> > Oh! You're probably right :) Can you elaborate or point me in the
> > right direction?
>
> Umm, you don't have [puppetd] and [puppetmasterd] sections?
>
> At the bare minimum, you probably need to tell puppetmasterd and puppetd to use different hostnames.
>
> http://docs.reductivelabs.com/references/latest/configuration.html
>
> Check out certname.
>
> -scott
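As an added illustration of the [main] / [puppetd] / [puppetmasterd] split discussed above (this is not code from the thread or from Puppet itself): a small check that resolves which settings each daemon would get from a puppet.conf and reports whether puppetd and puppetmasterd on the same host still share ssldir and certname. The defaults dictionary and the puppet01.example.com certname are assumptions; the two config texts are constructed samples.

```python
"""Added example (not from the thread): resolve the settings each Puppet 0.25
daemon would see from a puppet.conf and report which identity settings the
puppetd and puppetmasterd on one host end up sharing."""
import configparser

# Constructed sample modelled on the [main]-only layout posted in the thread.
SAMPLE_CONF = """[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
runinterval = 900
autoflush = true
ssl_client_header = HTTP_X_SSL_SUBJECT
[puppetmasterd]
modulepath = /etc/puppet/modules
"""
# Constructed sample of the ssldir split Jamie asks about (certname left shared).
SPLIT_CONF = """[main]
logdir = /var/log/puppet
[puppetmasterd]
ssldir = /etc/puppet/puppetmaster_ssl
[puppetd]
ssldir = /etc/puppet/ssl
"""
# Assumed defaults for what the thread leaves unset: Puppet's ssldir default
# and a certname equal to the host's FQDN (puppet01 is the host named above).
DEFAULTS = {"ssldir": "/etc/puppet/ssl", "certname": "puppet01.example.com"}

def effective_settings(conf_text, process):
    """Settings `process` would use: defaults, then [main], then [process]."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    merged = dict(DEFAULTS)
    for section in ("main", process):  # the per-process section wins
        if cp.has_section(section):
            merged.update(cp.items(section))
    return merged

def shared_identity(conf_text):
    """Which of ssldir/certname puppetd and puppetmasterd resolve to the same value."""
    client = effective_settings(conf_text, "puppetd")
    master = effective_settings(conf_text, "puppetmasterd")
    return [k for k in ("ssldir", "certname") if client[k] == master[k]]

if __name__ == "__main__":
    for label, conf in (("main-only", SAMPLE_CONF), ("ssldir split", SPLIT_CONF)):
        print(f"{label}: shared between daemons = {shared_identity(conf)}")
```

Splitting ssldir alone still leaves both daemons on the same certname, which is the setting Scott points at.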