So, I made a stupid move this morning I'm trying to correct. While
trying to get the puppet master to config itself, I moved its certs
sideways, and regenerated. During this time I did an ntp sync and
found I was about 2 seconds off. This little test failed and I
decided I had a better way to do it (manual puppet apply's are safer
for me for this.. currently), so I put the "original" certs back in
place, and restarted. Existing clients are fine since they have signed
certs, however new clients (I cleaned a cert to "force" a new client)
cannot get their cert verified. The clients report time may be off,
but it is 100% in sync. Normally we autosign but I've disabled that for
now and it's made no difference. The client cert comes in fine, and I
can sign it just fine, but it's the verify on the client end that
fails:

root::wave { 10:07:25 Fri Mar 02 }
~-> puppet agent -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for wave.
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: certificate verify failed. This is often because the time is out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed. This is often because the time is out of sync on the server or client Could not retrieve file metadata for puppet://provisions/plugins: certificate verify failed. This is often because the time is out of sync on the server or client
info: Loading facts in vlan
<SNIP>
err: Could not retrieve catalog from remote server: certificate verify failed. This is often because the time is out of sync on the server or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: certificate verify failed. This is often because the time is out of sync on the server or client

Any thoughts/help? I'd rather not start over and regenerate a
clean/new master cert, and have to clear client certs on everything
(about 2k systems)...
Help?
--
Matthew Nicholson
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Furthermore I can verify the cert client side w/ the ca:

root::wave { 10:34:20 Fri Mar 02 }
~-> openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem /var/lib/puppet/ssl/certs/wave.pem
/var/lib/puppet/ssl/certs/wave.pem: OK

?

On Fri, Mar 2, 2012 at 10:14 AM, Matthew Nicholson
<matthew.a.nicholson@gmail.com> wrote:
> So, I made a stupid move this morning I'm trying to correct. While
> trying to get the puppet master to config itself, I moved its certs
> sideways, and regenerated. During this time I did an ntp sync and
> found I was about 2 seconds off. This little test failed and I
> decided I had a better way to do it (manual puppet apply's are safer
> for me for this.. currently), so I put the "original" certs back in
> place, and restarted. Existing clients are fine since they have signed
> certs, however new clients (I cleaned a cert to "force" a new client)
> cannot get their cert verified. The clients report time may be off,
> but it is 100% in sync. Normally we autosign but I've disabled that for
> now and it's made no difference. The client cert comes in fine, and I
> can sign it just fine, but it's the verify on the client end that
> fails:
>
> root::wave { 10:07:25 Fri Mar 02 }
> ~-> puppet agent -t
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for wave.
> info: Retrieving plugin
> info: Caching certificate_revocation_list for ca
> err: /File[/var/lib/puppet/lib]: Failed to generate additional
> resources using 'eval_generate: certificate verify failed. This is
> often because the time is out of sync on the server or client
> err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate
> verify failed. This is often because the time is out of sync on the
> server or client Could not retrieve file metadata for
> puppet://provisions/plugins: certificate verify failed. This is often
> because the time is out of sync on the server or client
> info: Loading facts in vlan
> <SNIP>
> err: Could not retrieve catalog from remote server: certificate verify
> failed. This is often because the time is out of sync on the server
> or client
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> err: Could not send report: certificate verify failed. This is often
> because the time is out of sync on the server or client
>
> Any thoughts/help? I'd rather not start over and regenerate a
> clean/new master cert, and have to clear client certs on everything
> (about 2k systems)...
>
> Help?
> --
> Matthew Nicholson
--
Matthew Nicholson

On Fri, Mar 2, 2012 at 9:07 PM, Matthew Nicholson <matthew.a.nicholson@gmail.com> wrote:
> Furthermore I can verify the cert client side w/ the ca:
>
> root::wave { 10:34:20 Fri Mar 02 }
> ~-> openssl verify -CAfile /var/lib/puppet/ssl/certs/ca.pem
> /var/lib/puppet/ssl/certs/wave.pem
> /var/lib/puppet/ssl/certs/wave.pem: OK

My suggestion might only be tangentially related: SSL is handled a bit differently in the newer versions of ruby, http://projects.puppetlabs.com/issues/9084

Saw these kinds of errors all day and fixed it by running the client and server in the lower version of ruby (1.8.5).

Hope it helps.

--
Kish
---------------
krisk.wordpress.com
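
The error text in this thread points at clock skew, but OpenSSL reports "certificate verify failed" for trust failures as well as for validity-window failures. The script below is an added example, not part of the thread: it separates the two cases with `openssl verify -attime`, using throwaway certificates it constructs in a temp directory. The names classify_cert, make_demo_pki and demo, and the certificate subjects, are hypothetical.

```sh
#!/bin/sh
# Added example (constructed data): tell a clock problem apart from a trust
# problem when OpenSSL reports "certificate verify failed".

# classify_cert CA_PEM CERT_PEM [EPOCH] -> ok | not-yet-valid | expired | untrusted
# EPOCH is the time the verifier believes it is (defaults to the real clock).
classify_cert() {
    ca=$1; cert=$2; at=${3:-$(date +%s)}
    out=$(openssl verify -attime "$at" -CAfile "$ca" "$cert" 2>&1) \
        && { echo ok; return 0; }
    case $out in
        *"not yet valid"*) echo not-yet-valid ;;  # verifier clock is before notBefore
        *"has expired"*)   echo expired ;;        # verifier clock is past notAfter
        *)                 echo untrusted ;;      # any other failure, e.g. wrong CA key
    esac
}

# Build a throwaway PKI: two CAs with the SAME subject but different keys
# (as after a CA is regenerated), and one agent cert signed by the first.
make_demo_pki() {
    d=$1
    for n in original regenerated; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
            -subj "/CN=Constructed Puppet CA" \
            -keyout "$d/ca_$n.key" -out "$d/ca_$n.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/agent.csr" -days 30 -set_serial 2 \
        -CA "$d/ca_original.pem" -CAkey "$d/ca_original.key" \
        -out "$d/agent.pem" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) && make_demo_pki "$tmp" || return 1
    now=$(date +%s)
    echo "signing CA, correct clock:    $(classify_cert "$tmp/ca_original.pem" "$tmp/agent.pem" "$now")"
    echo "signing CA, clock 1 day slow: $(classify_cert "$tmp/ca_original.pem" "$tmp/agent.pem" $((now - 86400)))"
    echo "same-name CA, different key:  $(classify_cert "$tmp/ca_regenerated.pem" "$tmp/agent.pem" "$now")"
    rm -rf "$tmp"
}
demo
```

On a real agent the same function can be pointed at the cached ca.pem and at the certificate the master presents, which is a different check from verifying the agent's own certificate.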