Hi! I''m having a setup with MCollective 1.2.0, Puppet 2.6.4 and an provision-agent. Most of the time this works great, but sometimes (every 10th node or so) I experience, that signing-requests of puppet- agents are not getting signed on the master. So the request of the puppet agent to "/production/certificate/..." ends everytime in an HTTP-Error 404. Does anyone have a glue about that? The problem is also hard to analyze because the logoutput is not very detailed. Puppet-Agent: Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new SSL key for ... Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching certificate for ca Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new SSL certificate request for ... Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF: 19:BE Puppet-Master: puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ certificate_request/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "PUT /production/ certificate_request/a.b.c.d HTTP/1.1" 200 2202 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:10:43 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:03 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" Regards Markus -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I''m not sure whether it is a problem with the Provisioner I use. I added a little sleep time between requesting the node to send its CSR to the Server and the signing of this certificate on all nodes. Until now it works perfectly. On 18 Jun., 18:58, markus <markus.fenste...@googlemail.com> wrote:> Hi! > > I''m having a setup with MCollective 1.2.0, Puppet 2.6.4 and an > provision-agent. Most of the time this works great, but sometimes > (every 10th node or so) I experience, that signing-requests of puppet- > agents are not getting signed on the master. > So the request of the puppet agent to "/production/certificate/..." > ends everytime in an HTTP-Error 404. > > Does anyone have a glue about that? > The problem is also hard to analyze because the logoutput is not very > detailed. > > Puppet-Agent: > Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new > SSL key for ... > Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching > certificate for ca > Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new > SSL certificate request for ... > Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate > Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF: > 19:BE > > Puppet-Master: > puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > certificate_request/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "PUT /production/ > certificate_request/a.b.c.d HTTP/1.1" 200 2202 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:10:43 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:03 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > Regards > Markus-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Denmat
2011-Jun-20 21:00 UTC
Re: [Puppet Users] Re: PuppetCA not signing Certificate-Requests
Hi, If you are using the standard webrick server that comes puppetmasterd then you will find it doesn''t scale very well. Check out the scaling puppet docs on the puppetlabs site for your options. Cheers, Deb On 20/06/2011, at 22:18, markus <markus.fensterer@googlemail.com> wrote:> I''m not sure whether it is a problem with the Provisioner I use. > I added a little sleep time between requesting the node to send its > CSR to the Server and the signing of this certificate on all nodes. > > Until now it works perfectly. > > On 18 Jun., 18:58, markus <markus.fenste...@googlemail.com> wrote: >> Hi! >> >> I''m having a setup with MCollective 1.2.0, Puppet 2.6.4 and an >> provision-agent. Most of the time this works great, but sometimes >> (every 10th node or so) I experience, that signing-requests of puppet- >> agents are not getting signed on the master. >> So the request of the puppet agent to "/production/certificate/..." >> ends everytime in an HTTP-Error 404. >> >> Does anyone have a glue about that? >> The problem is also hard to analyze because the logoutput is not very >> detailed. >> >> Puppet-Agent: >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new >> SSL key for ... >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching >> certificate for ca >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new >> SSL certificate request for ... >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate >> Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF: >> 19:BE >> >> Puppet-Master: >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ >> certificate_request/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "PUT /production/ >> certificate_request/a.b.c.d HTTP/1.1" 200 2202 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:43 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:03 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" >> >> Regards >> Markus > > -- > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en. >-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hey Denmat, I''m already using Passenger with Apache. Problem is still there. Markus On 20 Jun., 23:00, Denmat <tu2bg...@gmail.com> wrote:> Hi, > If you are using the standard webrick server that comes puppetmasterd then you will find it doesn''t scale very well. > > Check out the scaling puppet docs on the puppetlabs site for your options. > > Cheers, > Deb > > On 20/06/2011, at 22:18, markus <markus.fenste...@googlemail.com> wrote: > > > > > > > > > I''m not sure whether it is a problem with the Provisioner I use. > > I added a little sleep time between requesting the node to send its > > CSR to the Server and the signing of this certificate on all nodes. > > > Until now it works perfectly. > > > On 18 Jun., 18:58, markus <markus.fenste...@googlemail.com> wrote: > >> Hi! > > >> I''m having a setup with MCollective 1.2.0, Puppet 2.6.4 and an > >> provision-agent. Most of the time this works great, but sometimes > >> (every 10th node or so) I experience, that signing-requests of puppet- > >> agents are not getting signed on the master. > >> So the request of the puppet agent to "/production/certificate/..." > >> ends everytime in an HTTP-Error 404. > > >> Does anyone have a glue about that? > >> The problem is also hard to analyze because the logoutput is not very > >> detailed. > > >> Puppet-Agent: > >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new > >> SSL key for ... > >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching > >> certificate for ca > >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new > >> SSL certificate request for ... > >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate > >> Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF: > >> 19:BE > > >> Puppet-Master: > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > >> certificate_request/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "PUT /production/ > >> certificate_request/a.b.c.d HTTP/1.1" 200 2202 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:43 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:03 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> Regards > >> Markus > > > -- > > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > > For more options, visit this group athttp://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Puppet doesn''t even recognise the CSR that was sended. Is there a known threading problem with puppetca? Or a problem, that it can not handle several requests per seconds to add and sign CSRs? On 22 Jun., 12:10, markus <markus.fenste...@googlemail.com> wrote:> Hey Denmat, > > I''m already using Passenger with Apache. Problem is still there. > > Markus > > On 20 Jun., 23:00, Denmat <tu2bg...@gmail.com> wrote: > > > > > > > > > Hi, > > If you are using the standard webrick server that comes puppetmasterd then you will find it doesn''t scale very well. > > > Check out the scaling puppet docs on the puppetlabs site for your options. > > > Cheers, > > Deb > > > On 20/06/2011, at 22:18, markus <markus.fenste...@googlemail.com> wrote: > > > > I''m not sure whether it is a problem with the Provisioner I use. > > > I added a little sleep time between requesting the node to send its > > > CSR to the Server and the signing of this certificate on all nodes. > > > > Until now it works perfectly. > > > > On 18 Jun., 18:58, markus <markus.fenste...@googlemail.com> wrote: > > >> Hi! > > > >> I''m having a setup with MCollective 1.2.0, Puppet 2.6.4 and an > > >> provision-agent. Most of the time this works great, but sometimes > > >> (every 10th node or so) I experience, that signing-requests of puppet- > > >> agents are not getting signed on the master. > > >> So the request of the puppet agent to "/production/certificate/..." > > >> ends everytime in an HTTP-Error 404. > > > >> Does anyone have a glue about that? > > >> The problem is also hard to analyze because the logoutput is not very > > >> detailed. > > > >> Puppet-Agent: > > >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Creating a new > > >> SSL key for ... > > >> Jun 18 16:10:38 ip-10-242-62-183 puppet-agent[1001]: Caching > > >> certificate for ca > > >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Creating a new > > >> SSL certificate request for ... > > >> Jun 18 16:10:41 ip-10-242-62-183 puppet-agent[1001]: Certificate > > >> Request fingerprint (md5): 6A:3F:63:8A:59:2C:F6:C9:5E:56:5F:39:16:FF: > > >> 19:BE > > > >> Puppet-Master: > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:39 +0200] "GET /production/ > > >> certificate_request/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "PUT /production/ > > >> certificate_request/a.b.c.d HTTP/1.1" 200 2202 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:42 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:10:43 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:03 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:04 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:26 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > >> puppet:443 a.b.c.d - - [18/Jun/2011:18:11:48 +0200] "GET /production/ > > >> certificate/a.b.c.d HTTP/1.1" 404 2298 "-" "-" > > > >> Regards > > >> Markus > > > > -- > > > You received this message because you are subscribed to the Google Groups "Puppet Users" group. > > > To post to this group, send email to puppet-users@googlegroups.com. > > > To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. > > > For more options, visit this group athttp://groups.google.com/group/puppet-users?hl=en.-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.