Hi,

My puppet master doesn't want to start anymore. Certificate issue?
Any idea?

[root@puppetmaster requests]# puppet master --no-daemonize --debug
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::File::ProviderMicrosoft_windows: feature microsoft_windows is missing
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/server_data]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/ssl/certs/puppetmaster.XXX.be.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/ssl/public_keys/puppetmaster.isp.XXX.be.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /File[/var/lib/puppet/bucket]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certificate_requests]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/manifests]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/crl.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/etc/puppet/fileserver.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/auth.conf]: Autorequiring File[/etc/puppet]
debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /File[/var/lib/puppet/reports]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/log/puppet/masterhttp.log]: Autorequiring File[/var/log/puppet]
debug: /File[/var/lib/puppet/ssl/private_keys/puppetmaster.XXXpem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/etc/puppet/manifests/site.pp]: Autorequiring File[/etc/puppet/manifests]
debug: /File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /File[/var/run/puppet/master.pid]: Autorequiring File[/var/run/puppet]
debug: /File[/var/lib/puppet/yaml]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction -607138118
debug: /File[/var/lib/puppet/ssl/ca/signed]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/private/ca.pass]: Autorequiring File[/var/lib/puppet/ssl/ca/private]
debug: /File[/var/lib/puppet/ssl/ca/requests]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/serial]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/private]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/inventory.txt]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: /File[/var/lib/puppet/ssl/ca/ca_key.pem]: Autorequiring File[/var/lib/puppet/ssl/ca]
debug: Finishing transaction -607501368
debug: Using cached certificate for ca
debug: Using cached certificate for ca
debug: Using cached certificate for puppetmaster.isp.XXX.be
notice: Starting Puppet master version 2.6.4
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `initialize': header too long (OpenSSL::X509::CRLError)
    from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `new'
    from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `read'
    from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/ssl_file.rb:86:in `find'
    from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:193:in `find'
    from /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
    from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
    from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:113:in `setup_ssl'
    from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
    ... 6 levels...
    from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
    from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:287:in `run'
    from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:55:in `execute'
    from /usr/bin/puppet:4

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Felix Frank
2011-Feb-21 14:35 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
Hi,

On 02/21/2011 03:28 PM, vincent wrote:
> Hi,
>
> My puppet master doesn't want to start anymore.
> Any idea ?
>
> ...
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `initialize':
> header too long (OpenSSL::X509::CRLError)
> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `new'
> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `read'
> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/ssl_file.rb:86:in `find'
> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:193:in `find'
> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
> from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:113:in
> `setup_ssl'
> from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
> ... 6 levels...
> from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
> from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:287:in `run'
> from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:55:in `execute'
> from /usr/bin/puppet:4
>

no, but you may want to examine /var/lib/puppet/ssl/ca/ca_crl.pem
closely using "openssl crl". How many entries are in there?

Regards,
Felix
vincent
2011-Feb-21 17:00 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
The file ca_crl.pem was cleaned accidentally.
How can I have an empty revocation list?

2011/2/21 Felix Frank <felix.frank@alumni.tu-berlin.de>:
> Hi,
>
> On 02/21/2011 03:28 PM, vincent wrote:
>> Hi,
>>
>> My puppet master doesn't want to start anymore.
>> Any idea ?
>>
>> ...
>> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `initialize':
>> header too long (OpenSSL::X509::CRLError)
>> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `new'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/base.rb:42:in `read'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/ssl_file.rb:86:in `find'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector/indirection.rb:193:in `find'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/indirector.rb:50:in `find'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:215:in `ssl_store'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:113:in
>> `setup_ssl'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:31:in `listen'
>> ... 6 levels...
>> from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:287:in `run'
>> from /usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:55:in `execute'
>> from /usr/bin/puppet:4
>>
>
> no, but you may want to examine /var/lib/puppet/ssl/ca/ca_crl.pem
> closely using "openssl crl". How many entries are in there?
>
> Regards,
> Felix
Felix Frank
2011-Feb-21 17:06 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
On 02/21/2011 06:00 PM, vincent wrote:
> the file ca_crl.pem was cleaned accidentally.
> How can I have an empty revocation list ?

I'd assume puppet would create a new one for you.
I'm not sure what the puppet way to do this is.
Have a look at "puppet cert --help".

Failing that, create a CRL using your CA and key as described in
http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke

Yes, it's not quite trivial.

HTH,
Felix
vincent
2011-Feb-21 17:15 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
Thanks.

I am trying this; do you know which index I can use?

# openssl ca -gencrl -keyfile ca_key.pem -cert ca_crt.pem -out test
Using configuration from /etc/pki/tls/openssl.cnf
../../CA/index.txt: No such file or directory
unable to open '../../CA/index.txt'
4717:error:02001002:system library:fopen:No such file or directory:bss_file.c:352:fopen('../../CA/index.txt','r')
4717:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:

2011/2/21 Felix Frank <felix.frank@alumni.tu-berlin.de>:
>
> On 02/21/2011 06:00 PM, vincent wrote:
>> the file ca_crl.pem was cleaned accidentally.
>> How can I have an empty revocation list ?
>
> I'd assume puppet would create a new one for you.
> I'm not sure what the puppet way to do this is.
> Have a look at "puppet cert --help".
>
> Failing that, create a CRL using your CA and key as described in
> http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke
>
> Yes, it's not quite trivial.
>
> HTH,
> Felix
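The step discussed above, as an added example that is not part of the original posts: detect an emptied ca_crl.pem with "openssl crl", then regenerate an empty CRL with "openssl ca -gencrl" by giving it a config whose database entry points at an empty index file (the file the failed command above could not open). It runs against a throwaway CA in a scratch directory; the helper function names, the config section name puppet_ca and the 30-day CRL lifetime are assumptions.

```shell
#!/bin/sh
# Added example: scratch directory and throwaway CA only; file names mirror
# the thread (ca_key.pem, ca_crt.pem, ca_crl.pem).

# 0 if the file parses as a PEM CRL; an emptied file fails here.
crl_is_valid() {
    openssl crl -in "$1" -noout >/dev/null 2>&1
}

# Number of revoked serials listed in a CRL (0 for an empty list).
crl_revoked_count() {
    openssl crl -in "$1" -noout -text 2>/dev/null | grep -c 'Serial Number:' || true
}

# 0 if the CRL signature verifies against the given CA certificate.
crl_signed_by() {
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Write an empty CRL signed by key $1 / cert $2 to $3, using work dir $4.
# "openssl ca" wants a config naming a database (index) file; an empty
# index.txt means "nothing revoked". Section name puppet_ca is arbitrary.
make_empty_crl() {
    mkdir -p "$4" || return 1
    : > "$4/index.txt"
    cat > "$4/ca.cnf" <<EOF
[ ca ]
default_ca = puppet_ca

[ puppet_ca ]
database         = $4/index.txt
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$4/ca.cnf" -gencrl -keyfile "$1" -cert "$2" -out "$3"
}

# Constructed scenario: throwaway CA, emptied CRL, then regeneration.
demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Scratch CA" \
        -keyout "$d/ca_key.pem" -out "$d/ca_crt.pem" >/dev/null 2>&1 || return 1
    : > "$d/ca_crl.pem"                       # the accidental "clean"
    crl_is_valid "$d/ca_crl.pem" && return 1  # an empty file must be rejected
    make_empty_crl "$d/ca_key.pem" "$d/ca_crt.pem" "$d/ca_crl.pem" "$d/work" || return 1
    crl_is_valid "$d/ca_crl.pem" || return 1
    crl_signed_by "$d/ca_crl.pem" "$d/ca_crt.pem" || return 1
    echo "revoked entries: $(crl_revoked_count "$d/ca_crl.pem")"
    rm -rf "$d"
}

demo
```

A CRL rebuilt from an empty index lists no revocations, so any certificate that was revoked before the file was emptied is accepted again until it is revoked anew.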
vincent
2011-Feb-21 17:21 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
I have removed the ca_crl.pem; puppet master has created a new one,
but some hosts are not working now:

host1 OK :
# puppetd -tv
info: Caching catalog for host1.bc
info: Applying configuration version '1298308566'
notice: Finished catalog run in 0.06 seconds

host2:
# puppetd -tv
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

2011/2/21 vincent <vincent@louviaux.com>:
> Thanks
>
> I am trying this, do you know which index can use ?
>
> # openssl ca -gencrl -keyfile ca_key.pem -cert ca_crt.pem -out test
> Using configuration from /etc/pki/tls/openssl.cnf
> ../../CA/index.txt: No such file or directory
> unable to open '../../CA/index.txt'
> 4717:error:02001002:system library:fopen:No such file or
> directory:bss_file.c:352:fopen('../../CA/index.txt','r')
> 4717:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:354:
>
> 2011/2/21 Felix Frank <felix.frank@alumni.tu-berlin.de>:
>>
>> On 02/21/2011 06:00 PM, vincent wrote:
>>> the file ca_crl.pem was cleaned accidentally.
>>> How can I have an empty revocation list ?
>>
>> I'd assume puppet would create a new one for you.
>> I'm not sure what the puppet way to do this is.
>> Have a look at "puppet cert --help".
>>
>> Failing that, create a CRL using your CA and key as described in
>> http://gagravarr.org/writing/openssl-certs/ca.shtml#ca-revoke
>>
>> Yes, it's not quite trivial.
>>
>> HTH,
>> Felix
Felix Frank
2011-Feb-22 09:02 UTC
Re: [Puppet Users] header too long (OpenSSL::X509::CRLError) ?
On 02/21/2011 06:21 PM, vincent wrote:
> I have removed the ca_crl.pem puppet master has create a new one
> but some hosts are not working now:
>
> host1 OK :
> # puppetd -tv
> info: Caching catalog for host1.bc
> info: Applying configuration version '1298308566'
> notice: Finished catalog run in 0.06 seconds
>
> host2:
> # puppetd -tv
> err: Could not retrieve catalog from remote server: hostname not match
> with the server certificate
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run

Does host2 have a server= setting in its puppet.conf?