Puppet users - Jul 2010 - Simple setup, separate client and server -- same error

Ran through about the same scenario as before, modified for client and
server being on separate systems.  Got the same error.  Here are the
details and some things I thought might be relevant info at the end.

On server Uninstall puppet.  Remove /etc/puppet and /var/lib/puppet.

Clean up old puppet install and config on lnx03 (server)
    [ddb@prc-mn-lnx03 ~]$ sudo yum erase puppet
    Removed:
      puppet.noarch 0:0.25.5-1.el5
    Dependency Removed:
      puppet-server.noarch 0:0.25.5-1.el5
    [ddb@prc-mn-lnx03 ~]$ sudo rm -rf /etc/puppet/ /var/lib/puppet/

Clean up old puppet install and config on lnx01 (client)
    [root@prc-mn-lnx01 ~]# yum erase puppet
    Package(s) puppet available, but not installed.
    No Packages marked for removal
    [root@prc-mn-lnx01 ~]# rm -rf /etc/puppet/ /var/lib/puppet/

Install puppet packages on lnx03
    sudo yum install puppet-server
    Installed:
      puppet-server.noarch 0:0.25.5-1.el5
    Dependency Installed:
      puppet.noarch 0:0.25.5-1.el5

Edit /etc/puppet/puppet.conf to specify non-default server.
In [main] put
    [main]
	# The Puppet log directory.
	# The default value is ''$vardir/log''.
	logdir = /var/log/puppet

	# Where Puppet PID files are kept.
	# The default value is ''$vardir/run''.
	rundir = /var/run/puppet

	# Where SSL certificates are kept.
	# The default value is ''$confdir/ssl''.
	ssldir = $vardir/ssl

	# The server isn''t the default dns name "puppet".
	server = "prc-mn-lnx03.pinerivercapital.local"

    [puppetd]
	# The file in which puppetd stores a list of the classes
	# associated with the retrieved configuratiion.  Can be loaded in
	# the separate ``puppet`` executable using the ``--loadclasses``
	# option.
	# The default value is ''$confdir/classes.txt''.
	classfile = $vardir/classes.txt

	# Where puppetd caches the local configuration.  An
	# extension indicating the cache format is added automatically.
	# The default value is ''$confdir/localconfig''.
	localconfig = $vardir/localconfig

Put some minimal config into the default manifest /etc/puppet/site.pp
    # Create "/tmp/testfile" if it doesn''t exist.
    class test_class {
	file { "/tmp/testfile":
	   ensure => present,
	   mode   => 644,
	   owner  => root,
	   group  => root
	}
    }

    # tell puppet on which client to run the class
    node prc-mn-lnx01 {
	include test_class
    }

Verify hostname
    sh-3.2$ hostname
    prc-mn-lnx03.pinerivercapital.local

Start puppetmaster service.

Verify certificate for right system created.
    sh-3.2$ sudo puppetca --all --list
    + prc-mn-lnx03.pinerivercapital.local

Verify server view of certificates.
    sh-3.2$ sudo /usr/sbin/puppetmasterd --genconf | grep certname
	# The default value is ''$privatekeydir/$certname.pem''.
	# certname = prc-mn-lnx03.pinerivercapital.local
	# The default value is ''$ssldir/csr_$certname.pem''.
	# The default value is ''$publickeydir/$certname.pem''.
	# The default value is ''$certdir/$certname.pem''.

Set up client software on lnx01
    [root@prc-mn-lnx01 ~]# yum install puppet
    Installed:
      puppet.noarch 0:0.25.5-1.el5

Set up config on lnx01 (add server)
    [main]
	# The Puppet log directory.
	# The default value is ''$vardir/log''.
	logdir = /var/log/puppet

	# Where Puppet PID files are kept.
	# The default value is ''$vardir/run''.
	rundir = /var/run/puppet

	# Where SSL certificates are kept.
	# The default value is ''$confdir/ssl''.
	ssldir = $vardir/ssl

	# The server isn''t the default dns name "puppet".
	server = "prc-mn-lnx03.pinerivercapital.local"

    [puppetd]
	# The file in which puppetd stores a list of the classes
	# associated with the retrieved configuratiion.  Can be loaded in
	# the separate ``puppet`` executable using the ``--loadclasses``
	# option.
	# The default value is ''$confdir/classes.txt''.
	classfile = $vardir/classes.txt

	# Where puppetd caches the local configuration.  An
	# extension indicating the cache format is added automatically.
	# The default value is ''$confdir/localconfig''.
	localconfig = $vardir/localconfig

Run puppetd manually in test mode.  Client creates request.
    [root@prc-mn-lnx01 ~]# puppetd --server prc-mn-lnx03 --test --
waitforcert 60
    info: Creating a new SSL key for prc-mn-
lnx01.pinerivercapital.local
    warning: peer certificate won''t be verified in this SSL session
    info: Creating a new SSL certificate request for prc-mn-
lnx01.pinerivercapital.local

On server, find and sign request
    [ddb@prc-mn-lnx03 ~]$ sudo puppetca --list
    prc-mn-lnx01.pinerivercapital.local
    [ddb@prc-mn-lnx03 ~]$ sudo puppetca --sign prc-mn-
lnx01.pinerivercapital.local
    prc-mn-lnx01.pinerivercapital.local
    notice: Signed certificate request for prc-mn-
lnx01.pinerivercapital.local
    notice: Removing file Puppet::SSL::CertificateRequest prc-mn-
lnx01.pinerivercapital.local at ''/var/lib/puppet/ssl/ca/requests/prc-
mn-lnx01.pinerivercapital.local.pem''

Further client output:
    info: Caching certificate for prc-mn-lnx01.pinerivercapital.local
    err: Could not retrieve catalog from remote server: hostname not
match with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

So this is the same error I got trying to run client and server on the
same system.  Furthermore, I definitely started both systems with NO
cached certificates or anything (manually deleting /var/lib/puppet
before reinstalling the packages).

Something really basic is wrong here!

From the server, the cert directory:
    [ddb@prc-mn-lnx03 ~]$ ls -l /var/lib/puppet/ssl/certs
    total 16
    -rw-r--r-- 1 puppet root 765 Jul 23 15:16 ca.pem
    -rw-r--r-- 1 puppet root 985 Jul 23 15:16 prc-mn-
lnx03.pinerivercapital.local.pem

From the client, the cert directory:
    [root@prc-mn-lnx01 ~]# ls -l /var/lib/puppet/ssl/certs
    total 16
    -rw-r--r-- 1 puppet root 765 Jul 23 15:36 ca.pem
    -rw-r----- 1 puppet root 867 Jul 23 15:37 prc-mn-
lnx01.pinerivercapital.local.pem

In case it''s relevant, here''s the server''s
/etc/puppet/auth.conf as it
is (came from the Centos package, not changed) (most comments deleted
for space):

    # allow nodes to retrieve their own catalog (ie their
configuration)
    path ~ ^/catalog/([^/]+)$
    method find
    allow $1

    # allow all nodes to access the certificates services
    path /certificate_revocation_list/ca
    method find
    allow *

    # allow all nodes to store their reports
    path /report
    method save
    allow *

    # inconditionnally allow access to all files services
    # which means in practice that fileserver.conf will
    # still be used
    path /file
    allow *

    ### Unauthenticated ACL, for clients for which the current master
doesn''t
    ### have a valid certificate

    # allow access to the master CA
    path /certificate/ca
    auth no
    method find
    allow *

    path /certificate/
    auth no
    method find
    allow *

    path /certificate_request
    auth no
    method find, save
    allow *

    # this one is not stricly necessary, but it has the merit
    # to show the default policy which is deny everything else
    path /
    auth any

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.