I am trying to connect a solaris puppet client version 2.6.4 to a linux puppet master server. I am getting a starnge message as below and the puppetca on the master is not able to see the client certificate. [root@ /]$ puppetd --test --server xxxx warning: peer certificate won''t be verified in this SSL session err: Could not request certificate: time out of range Exiting; failed to retrieve certificate and waitforcert is disabled I have tried cleaning and removing ssl directory on the client side still no luck. Any clue? any ideas ? Thanks. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Based on ''time out range'' seems that you need to do an NTP sync. -Mark On Feb 25, 2011, at 10:51 AM, Ace wrote:> I am trying to connect a solaris puppet client version 2.6.4 to a > linux puppet master server. I am getting a starnge message as below > and the puppetca on the master is not able to see the client > certificate. > > [root@ /]$ puppetd --test --server xxxx > warning: peer certificate won''t be verified in this SSL session > err: Could not request certificate: time out of range > Exiting; failed to retrieve certificate and waitforcert is disabled > > > I have tried cleaning and removing ssl directory on the client side > still no luck. > > Any clue? any ideas ? > > Thanks. > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Time is in sync on both client and master. Both are running NTP. On Feb 25, 10:53 am, Mark Stanislav <mark.stanis...@gmail.com> wrote:> Based on ''time out range'' seems that you need to do an NTP sync. > > -Mark > > On Feb 25, 2011, at 10:51 AM, Ace wrote: > > > I am trying to connect a solaris puppet client version 2.6.4 to a > > linux puppet master server. I am getting a starnge message as below > > and the puppetca on the master is not able to see the client > > certificate. > > > [root@ /]$ puppetd --test --server xxxx > > warning: peer certificate won''t be verified in this SSL session > > err: Could not request certificate: time out of range > > Exiting; failed to retrieve certificate and waitforcert is disabled > > > I have tried cleaning and removing ssl directory on the client side > > still no luck. > > > Any clue? any ideas ? > > > Thanks. > > > -- > > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > > For more options, visit this group athttp://groups.google.com/group/puppet-users?hl=en. > >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Maybe the puppet master already has signed a request from your host (maybe older from an older installation)? Try on master: puppet cert --list --all | grep clienthostname On Fri, Feb 25, 2011 at 08:02:29AM -0800, Ace wrote:> Time is in sync on both client and master. Both are running NTP.Maybe wrong timezone? Try date --utc (I dont know if that does work on Solaris) -Stefan
puppet cert --list --all | grep clienthostname The above command does not list the client host key. I have done a puppet cert --clean clienthostname in any case. The timezones on both client and server are the same. On Feb 25, 3:47 pm, Stefan Schulte <stefan.schu...@taunusstein.net> wrote:> Maybe the puppet master already has signed a request from your host > (maybe older from an older installation)? > > Try on master: > > puppet cert --list --all | grep clienthostname > > On Fri, Feb 25, 2011 at 08:02:29AM -0800, Ace wrote: > > Time is in sync on both client and master. Both are running NTP. > > Maybe wrong timezone? Try > > date --utc (I dont know if that does work on Solaris) > > -Stefan > > application_pgp-signature_part > < 1KViewDownload-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Fri, Feb 25, 2011 at 12:53:22PM -0800, Ace wrote:> puppet cert --list --all | grep clienthostname > The above command does not list the client host key. I have done a > puppet cert --clean clienthostname in any case. > > The timezones on both client and server are the same. >Does running with --debug shows anything interesting? Try also running your master with puppet master --no-daemonize --verbose --debug Does your ruby have openssl support? ruby -ropenssl -e ''puts :installed'' Have you done any changed to /etc/puppet/auth.conf (If you even have that file on your master). Do you have the same problem with other clients (Solaris and other OSes) -Stefan
Running in the --no-daemonize mode for both client and master does not show anything interesting. Whats interesting is that I can have linux puppet clients connect to the linux master but none of the solaris clients work. More interesting is that I can connect to the Solaris master with the solaris clients. On Feb 25, 4:30 pm, Stefan Schulte <stefan.schu...@taunusstein.net> wrote:> On Fri, Feb 25, 2011 at 12:53:22PM -0800, Ace wrote: > > puppet cert --list --all | grep clienthostname > > The above command does not list the client host key. I have done a > > puppet cert --clean clienthostname in any case. > > > The timezones on both client and server are the same. > > Does running with --debug shows anything interesting? Try also running > your master with > > puppet master --no-daemonize --verbose --debug > > Does your ruby have openssl support? > > ruby -ropenssl -e ''puts :installed'' > > Have you done any changed to /etc/puppet/auth.conf (If you even have > that file on your master). Do you have the same problem with other > clients (Solaris and other OSes) > > -Stefan > > application_pgp-signature_part > < 1KViewDownload-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 02/25/2011 10:42 PM, Ace wrote:> Running in the --no-daemonize mode for both client and master does not > show anything interesting. > > Whats interesting is that I can have linux puppet clients connect to > the linux master but none of the solaris clients work. More > interesting is that I can connect to the Solaris master with the > solaris clients.Does the master log a warning message when you try and connect your client? Rummage through your client''s /var/lib/puppet/ssl. Find the puppetmasters certs and examine its date fields. Something is amiss. You may want to move those aside and have your client get fresh copies from the master. HTH, Felix -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Reasonably Related Threads
- certificate verify failed
- Need some help getting up and running: Could not request certificate: Connection refused - connect(2)
- Problem with multiple requires in Ruby DSL
- [threadsafe] Arel ToSql visitor is not threadsafe
- question about how to set up an active record adapter to prefer use of prepared statements...