trying to get started and this doesn't seem to be working as intended - clearly pebkac

# puppet agent --server ubuntu.ttinet --waitforcert 60 --test
info: Caching catalog for ubuntu.ttinet
info: Applying configuration version '1307724789'
notice: Finished catalog run in 0.01 seconds

# puppet cert --list

#

It seems as though it is working but the client (same machine) doesn't make a cert request. So I am thinking that maybe the certificate request should come from a different client. I installed puppet on another VM host and both can ping back & forth by fqdn so that all seems good and when I run the command...

# puppet agent --server ubuntu.ttinet --waitforcert 60 --test
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)
err: Could not request certificate: Connection refused - connect(2)

on the server I can see that puppet is running...

# ps aux|grep puppet
puppet 26343 0.0 9.8 136332 49948 ? Ss 09:52 0:00 /usr/local/bin/ruby /usr/local/bin/puppet master
root 27086 0.0 0.1 7624 920 pts/2 S+ 10:32 0:00 grep --color=auto puppet

root@ubuntu:/etc/puppet# netstat -an |grep 8140
tcp 0 0 0.0.0.0:8140 0.0.0.0:* LISTEN

and no firewall is blocking port 8140
root@ubuntu:/etc/puppet# iptables -L
Chain INPUT (policy ACCEPT)
target prot opt source destination

Chain FORWARD (policy ACCEPT)
target prot opt source destination

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

So any clues?

# gem list --local #snipping out irrelevant items

*** LOCAL GEMS ***

facter (1.5.9)
puppet (2.6.8)

--
Craig White ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ craig.white@ttiltd.com
1.800.869.6908 ~~~~~~~~~~~~~~~~~~~~~~~~~~~ www.ttiassessments.com

Need help communicating between generations at work to achieve your desired success? Let us help!

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Hi,

What is the response of the following:

$ openssl s_client -connection ubuntu.ttinet:8140

Can you make the connection from the client?

Cheers,
Den

On 11/06/2011, at 3:40, Craig White <craig.white@ttiltd.com> wrote:

> trying to get started and this doesn't seem to be working as intended - clearly pebkac

On Jun 10, 2011, at 3:36 PM, Denmat wrote:

> openssl s_client -connection ubuntu.ttinet:8140
----
-connection was a problem but -connect is valid

from ubuntu2 (intended puppet client system)
openssl s_client -connect ubuntu.ttinet:8140
connect: Connection refused
connect:errno=111

from ubuntu (puppet server/master)
$ openssl s_client -connect ubuntu.ttinet:8140
CONNECTED(00000003)
depth=1 /CN=Puppet CA: ubuntu.ttinet
verify error:num=19:self signed certificate in certificate chain
verify return:0
---
Certificate chain
 0 s:/CN=ubuntu.ttinet
   i:/CN=Puppet CA: ubuntu.ttinet
 1 s:/CN=Puppet CA: ubuntu.ttinet
   i:/CN=Puppet CA: ubuntu.ttinet
---
Server certificate
subject=/CN=ubuntu.ttinet
issuer=/CN=Puppet CA: ubuntu.ttinet
---
No client certificate CA names sent
---
SSL handshake has read 1802 bytes and written 331 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
    Protocol : TLSv1
    Cipher : DHE-RSA-AES256-SHA
    Session-ID: 4E2E2BFB45D3982D4C829C31DB50792B4BF9D664454FB2144924B9DEA8E8694A
    Session-ID-ctx:
    Master-Key: 6A304A3F50806FF50D13A18F6C5B66D3235F83D4D0F7D288449C39690AE5288C10057AABB6850B3AFD97404560B330CB
    Key-Arg : None
    Start Time: 1307745721
    Timeout : 300 (sec)
    Verify return code: 19 (self signed certificate in certificate chain)
---

--
Craig White

Sorry, phone using auto complete..

Okay, there is a connection issue between your client and server. Puppet clients need to reach the server on that port.

Is there a firewall in between? Can you connect on the server with the external ip address? Can you connect from the client using the server ip address?

Cheers,
Den

On 11/06/2011, at 8:43, Craig White <craig.white@ttiltd.com> wrote:

> On Jun 10, 2011, at 3:36 PM, Denmat wrote:
>
>> openssl s_client -connection ubuntu.ttinet:8140
> ----
> -connection was a problem but -connect is valid
>
> from ubuntu2 (intended puppet client system)
> openssl s_client -connect ubuntu.ttinet:8140
> connect: Connection refused
> connect:errno=111

Turned out that I cloned a VMWare install of ubuntu server that sets the host name in /etc/hosts under 127.0.0.1 which of course was refusing connections on port 8140. I'm more used to RHEL and learned some differences in default setup/behaviors w/ Ubuntu.

Thanks - working now

Craig

On Jun 10, 2011, at 5:29 PM, Denmat wrote:

> Sorry, phone using auto complete..
>
> Okay, there is a connection issue between your client and server. Puppet clients need to reach the server on that port.
>
> Is there a firewall in between? Can you connect on the server with the external ip address? Can you connect from the client using the server ip address?
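
An added example, not part of the thread: a shell check for the cause reported in the last message, a server name that the local hosts file maps to a loopback address, so a connection to that name goes to the local machine. The function names and the sample hosts file are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag a Puppet server name that a hosts file pins to loopback.

# Print the first address a hosts-format file maps NAME to (empty if none).
# $1 = hosts file, $2 = name to look up (compared case-insensitively)
hosts_lookup() {
    awk -v name="$2" '
        { sub(/#.*/, "") }                      # strip trailing comments
        NF >= 2 {
            for (i = 2; i <= NF; i++)
                if (tolower($i) == tolower(name)) { print $1; exit }
        }' "$1"
}

# Succeed when the address is IPv4 or IPv6 loopback.
is_loopback() {
    case "$1" in
        127.*|::1) return 0 ;;
        *)         return 1 ;;
    esac
}

# Classify NAME as not-in-hosts, loopback:<addr> or ok:<addr>.
check_server_name() {
    addr=$(hosts_lookup "$1" "$2")
    if [ -z "$addr" ]; then
        echo "not-in-hosts"
    elif is_loopback "$addr"; then
        echo "loopback:$addr"
    else
        echo "ok:$addr"
    fi
}

# Constructed sample resembling a cloned image's hosts file (not from the thread).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
127.0.0.1   localhost
127.0.0.1   ubuntu.ttinet ubuntu   # left over from the cloned image
192.0.2.10  puppet.example.test
EOF

check_server_name "$sample" ubuntu.ttinet          # name pinned to loopback
check_server_name "$sample" puppet.example.test    # routable address
check_server_name "$sample" missing.example.test   # falls through to DNS
```

On a live agent, pass /etc/hosts as the first argument; `getent hosts ubuntu.ttinet` shows the address the resolver actually returns.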