I think I really hosed my certificates somehow this morning trying to get PuppetDB and Puppet talking again -- here's where I stand.

My Puppet master and PuppetDB are again talking, or at least, aren't complaining about communication.

From my puppet master, I can run "puppet agent -t", and it runs just fine.

From any other node on which puppet had been running, I get this:

# puppet agent -t
Error: Could not request certificate: Connection refused - connect(2)
Exiting; failed to retrieve certificate and waitforcert is disabled
#

Now, I have auto-signing enabled (my systems are on a private network) and when I go to my master:

# puppet cert list
#

There's nothing. Nothing in the logs. No one is talking to my puppetmaster this morning.

I *did* delete a bunch of certs in my flailing attempts to get puppet & puppetdb talking and suspect that may be the cause; but how can I get my remote agents talking to the puppet master again?

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
Are you sure the master is running? This:

Error: Could not request certificate: Connection refused - connect(2)

seems like it might not be listening.

On Wed, Feb 6, 2013 at 7:44 AM, Bret Wortman <bret@thewortmans.org> wrote:

--
GVoice: 707.410.0371
LinkedIn: http://www.linkedin.com/in/brendanobra
Yeah, it is running (though I had been assuming that -- thanks for prompting me to check!); "puppet agent -t" works when run on the master, but only there. And I can see the requests hitting in the /var/log/puppet/masterhttp.log file:

[2013-02-06 12:04:55] nodename.my.net - - [06/Feb/2013:12:04:55 EST] "GET /production/certificate/nodename.my.net? HTTP/1.1" 404 40
[2013-02-06 12:04:55] - -> /production/certificate/nodename.my.net?

It's absolutely right that the cert doesn't exist yet -- the client should be requesting one (since I deleted the one it had both on that node and on the server via puppet cert clean) but that request isn't getting through, it seems.

On Wednesday, February 6, 2013 12:01:43 PM UTC-5, Brendan O'Bra wrote:
I should add that shortly thereafter, webrick reports this:

[2013-02-06 12:06:45] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
        /usr/share/ruby/vendor_ruby/puppet/network/http/webrick.rb:32:in `accept'
        /usr/share/ruby/vendor_ruby/puppet/network/http/webrick.rb:32:in `block (3 levels) in listen'
        /usr/share/ruby/webrick/server.rb:191:in `call'
        /usr/share/ruby/webrick/server.rb:191:in `block in start_thread'

This repeats quite a few times before stopping.

On Wednesday, February 6, 2013 12:07:43 PM UTC-5, Bret Wortman wrote:
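Added example, not from the thread and not Puppet's own code: a small triage script for the two log shapes quoted in the last two messages. It parses masterhttp.log access lines (which carry the certname and the endpoint hit) and the webrick "alert certificate revoked" error (which does not name the node), then labels each node's bootstrap state. A node that only ever got 404 on GET /certificate/<name> and never issued a PUT /certificate_request/<name> is the situation described above: the cert is gone on both sides and the new request "isn't getting through". The sample log is constructed from the two lines in the thread plus a healthy node; the state labels and the `newnode.my.net` lines are my invention.

```python
"""Triage puppet master log lines for agents stuck in certificate bootstrap.

Constructed example; it parses the two line shapes quoted in the thread and
summarises what each node got back from the certificate endpoints.
"""
import re
from collections import Counter, defaultdict

# masterhttp.log access line, e.g.
# [2013-02-06 12:04:55] nodename.my.net - - [06/Feb/2013:12:04:55 EST] "GET /production/certificate/nodename.my.net? HTTP/1.1" 404 40
ACCESS_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] (?P<peer>\S+) - - \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) /(?P<env>[^/]+)/(?P<endpoint>[^/]+)/(?P<name>[^?"\s]+)[^"]*" '
    r'(?P<status>\d{3})'
)

# webrick error line logged when a client presents a revoked certificate
REVOKED_RE = re.compile(r'^\[(?P<ts>[^\]]+)\] ERROR .*alert certificate revoked')


def summarise(lines):
    """Per certname, count "<METHOD> <endpoint> <status>" for the two
    certificate endpoints; also count handshakes rejected as revoked."""
    per_node = defaultdict(Counter)
    revoked_handshakes = 0
    for line in lines:
        m = ACCESS_RE.match(line)
        if m:
            if m["endpoint"] in ("certificate", "certificate_request"):
                per_node[m["name"]]["%s %s %s" % (m["method"], m["endpoint"], m["status"])] += 1
            continue
        if REVOKED_RE.match(line):
            revoked_handshakes += 1
    return per_node, revoked_handshakes


def classify(counts):
    """Label one node's bootstrap state from its endpoint/status counts
    (labels are constructed for this example)."""
    if counts.get("GET certificate 200"):
        return "has-cert"
    if counts.get("PUT certificate_request 200"):
        return "csr-submitted-awaiting-signature"
    if counts.get("GET certificate 404"):
        # Asked for a cert, got none, and never submitted a CSR.
        return "no-cert-and-no-csr-submitted"
    return "unknown"


def triage(lines):
    per_node, revoked = summarise(lines)
    return {node: classify(c) for node, c in per_node.items()}, revoked


# Constructed sample: the thread's two lines plus a node that bootstrapped cleanly.
SAMPLE_LOG = """\
[2013-02-06 12:04:55] nodename.my.net - - [06/Feb/2013:12:04:55 EST] "GET /production/certificate/nodename.my.net? HTTP/1.1" 404 40
[2013-02-06 12:04:55] - -> /production/certificate/nodename.my.net?
[2013-02-06 12:06:45] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
[2013-02-06 12:06:46] ERROR OpenSSL::SSL::SSLError: SSL_accept returned=1 errno=0 state=SSLv3 read client certificate A: sslv3 alert certificate revoked
[2013-02-06 12:10:02] newnode.my.net - - [06/Feb/2013:12:10:02 EST] "GET /production/certificate/newnode.my.net? HTTP/1.1" 404 40
[2013-02-06 12:10:02] newnode.my.net - - [06/Feb/2013:12:10:02 EST] "PUT /production/certificate_request/newnode.my.net HTTP/1.1" 200 4
[2013-02-06 12:10:03] newnode.my.net - - [06/Feb/2013:12:10:03 EST] "GET /production/certificate/newnode.my.net? HTTP/1.1" 200 1830
""".splitlines()

if __name__ == "__main__":
    nodes, revoked = triage(SAMPLE_LOG)
    for node, state in sorted(nodes.items()):
        print("%-20s %s" % (node, state))
    print("TLS handshakes rejected as revoked: %d" % revoked)
```

The revoked-certificate alerts cannot be tied to a node from the log line alone, so they are reported as a plain count; a non-zero count after a `puppet cert clean` is the signature of agents that still present the old, now-revoked certificate and so never reach the HTTP layer at all.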
Did you try removing the cert from a node and seeing if that changes the behavior? You removed the certs from the master, but the node still thinks it has a valid cert maybe?

________________________________

This message may contain confidential or privileged information. If you are not the intended recipient, please advise us immediately and delete this message. See http://www.datapipe.com/legal/email_disclaimer/ for further information on confidentiality and the risks of non-secure electronic communication. If you cannot access these links, please notify us by reply message and we will send the contents to you.
My test node doesn't have its certs either.

I've now started puppetmaster in verbose mode:

# puppet master --no-daemonize --verbose
:
:
:
Info: Could not find certificate for 'nodename.my.net'
Info: Could not find certificate for 'nodename.my.net'
Info: Could not find certificate for 'nodename.my.net'

This will repeat three times whenever I try to connect. For another node that tried to connect while I was testing, I get something more sinister:

Warning: Denying access: Forbidden request: othernode.my.net(10.0.0.1) access to /file_metadata/plugins [search] at :99
Error: Forbidden request: othernode.my.net(10.0.0.1) access to /file_metadata/plugins [search] at :99
Info: access[/]: defaulting to no access for othernode.my.net

Also repeating four times; one [search], two [find]s and a [save].

On Wednesday, February 6, 2013 1:18:52 PM UTC-5, Wolf Noble wrote:
I suspect your clients are talking to a different puppetmaster than you think they are. Test with an explicit --server and see if it changes. tcpdump is your friend.

On Feb 6, 2013, at 7:44 AM, Bret Wortman wrote:

--
Jo Rhett
Net Consonance : net philanthropy to improve open source and internet projects.
If a brand new never-seen-before agent starts up, it goes like this:

* Do I have a private key? Nope? Better generate one.
* Okay, do I have a certificate? Nope? See if the master already has one for me. This looks like a GET request to /certificate/<node name>.
* If it gets one, it's good to go.
* Master didn't give me a cert. Okay, have I submitted a certificate signing request before? Look in $ssldir/certificate_requests for my own name.
* If there's one there, it bails and waits, assuming it's waiting for the master to sign that thing.
* Okay, there's nothing there, but maybe I developed amnesia. Better ask the master if I've asked for one. This looks like a GET request to /certificate_request/<node name>.
* If the master says it's already asked, it will just bail and say "I'm still waiting for that."
* Okay, I never even asked for a cert, it looks like. Well, time to ask for one. This looks like a PUT request to /certificate_request/<node name>.
* Now if autosign is turned on, it can GET /certificate/<node name> and continue; otherwise it'll bail and go through this whole process again next time, in which case it says "yes I have a private key, no I don't have a cert" and gets to work on the second step above.

What I'm seeing in that snippet from your log is that it seems to think it has submitted a certificate request before. I just tested with my own machines, and it looks like if your agent still has a $ssldir/certificate_requests/name.pem file sitting around (and crucially, it doesn't automatically destroy these when it gets a cert, so if it used to have a cert and you didn't nuke the whole SSLdir, it's probably there), it asks for a cert but doesn't ask the master if it's ever asked for a cert.

So check that certificate_requests dir and nuke it if there's anything there, then get back to us?

On Wednesday, February 6, 2013 10:23:28 AM UTC-8, Bret Wortman wrote:
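Added example, not from the thread and not Puppet's own code: a runnable model of the start-up decision flow in the message above, with a scratch directory standing in for $ssldir (using the same subdirectory names a real one has: private_keys, certs, certificate_requests) and a `FakeMaster` class standing in for the master's /certificate and /certificate_request endpoints. The branch tags, the fake key/cert/CSR contents and `FakeMaster` itself are constructed for this illustration. `reproduce_thread()` walks through the failure: a fresh agent bootstraps, `puppet cert clean` runs on the master and the node's cert file is deleted, the next run finds the leftover certificate_requests/<name>.pem and stops without talking to the master, and removing that file lets the following run submit a new CSR.

```python
"""Model of the agent-side certificate bootstrap flow described in the thread.

Constructed example. A temporary directory stands in for $ssldir and
FakeMaster stands in for the master's CA endpoints; neither is Puppet code.
"""
import os
import tempfile


class FakeMaster:
    """In-memory stand-in for the CA endpoints (constructed, not a Puppet API)."""

    def __init__(self, autosign=True):
        self.autosign = autosign
        self.signed = {}    # certname -> signed cert
        self.pending = {}   # certname -> CSR awaiting a human signature

    def get_certificate(self, name):               # GET /certificate/<name>
        return self.signed.get(name)

    def get_certificate_request(self, name):       # GET /certificate_request/<name>
        return self.pending.get(name)

    def put_certificate_request(self, name, csr):  # PUT /certificate_request/<name>
        if self.autosign:
            self.signed[name] = "CERT(%s)" % name
        else:
            self.pending[name] = csr

    def cert_clean(self, name):
        """Master-side effect modelled for `puppet cert clean <name>`: the
        signed cert and any pending CSR for that name are gone."""
        self.signed.pop(name, None)
        self.pending.pop(name, None)


def _pem(ssldir, subdir, name):
    return os.path.join(ssldir, subdir, name + ".pem")


def _write(path, text):
    with open(path, "w") as fh:
        fh.write(text)


def agent_bootstrap(ssldir, name, master):
    """One agent start-up, taking the steps in the order the thread gives.
    Returns a tag naming the branch the agent ended on."""
    for subdir in ("private_keys", "certs", "certificate_requests"):
        os.makedirs(os.path.join(ssldir, subdir), exist_ok=True)

    key = _pem(ssldir, "private_keys", name)
    if not os.path.exists(key):                    # no private key? generate one
        _write(key, "KEY(%s)" % name)

    cert = _pem(ssldir, "certs", name)
    if os.path.exists(cert):                       # already have a cert
        return "have-cert"

    signed = master.get_certificate(name)          # maybe the master has one for me
    if signed:
        _write(cert, signed)
        return "fetched-cert"

    local_csr = _pem(ssldir, "certificate_requests", name)
    if os.path.exists(local_csr):
        # A CSR file is still on disk, so the agent assumes it is waiting
        # for a signature and never asks the master anything further.
        return "waiting-on-local-csr"

    if master.get_certificate_request(name):       # master already holds my CSR?
        return "waiting-on-master-csr"

    csr = "CSR(%s)" % name                         # never asked: submit a CSR
    _write(local_csr, csr)                         # file is kept even after signing
    master.put_certificate_request(name, csr)

    signed = master.get_certificate(name)          # autosign: cert is ready now
    if signed:
        _write(cert, signed)
        return "requested-and-fetched"
    return "requested-waiting"


def reproduce_thread():
    """Fresh agent; then cert clean on the master plus deleting the node's
    cert; then the fix: remove the stale certificate_requests/<name>.pem."""
    master = FakeMaster(autosign=True)
    name = "nodename.my.net"
    with tempfile.TemporaryDirectory() as ssldir:
        first = agent_bootstrap(ssldir, name, master)
        master.cert_clean(name)
        os.remove(_pem(ssldir, "certs", name))
        stuck = agent_bootstrap(ssldir, name, master)
        os.remove(_pem(ssldir, "certificate_requests", name))
        fixed = agent_bootstrap(ssldir, name, master)
    return first, stuck, fixed


def manual_sign_flow():
    """Autosign off: the agent submits a CSR and waits; after an admin signs
    it on the master, the next run fetches the cert at the second step."""
    master = FakeMaster(autosign=False)
    name = "othernode.my.net"
    with tempfile.TemporaryDirectory() as ssldir:
        waiting = agent_bootstrap(ssldir, name, master)
        master.signed[name] = "CERT(%s)" % name    # stands in for `puppet cert sign`
        fetched = agent_bootstrap(ssldir, name, master)
        again = agent_bootstrap(ssldir, name, master)
    return waiting, fetched, again


if __name__ == "__main__":
    print(reproduce_thread())
    print(manual_sign_flow())
```

Deleting the whole $ssldir (as Bret ended up doing) works for the same reason as deleting just the stale CSR file: both remove the certificate_requests/<name>.pem that short-circuits the flow before any request reaches the master, so the next run falls through to the GET /certificate_request and PUT /certificate_request steps again.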
It was this problem. After nuking the /var/lib/puppet/ssl directory, it re-synced with the server just fine. Thanks!

On Friday, February 8, 2013 6:58:22 PM UTC-5, Nick Fagerlund wrote:
On Friday, February 8, 2013 11:58:22 PM UTC, Nick Fagerlund wrote:

Nick, that's a pretty awesome explanation of the handshake and corresponding REST calls. Is that written down anywhere official? Perhaps with corresponding Puppet Master / Agent log entries?
I think this should be put somewhere in a wiki or the docs.

/me referencing this email for future

Best, Nikola

On Fri, Feb 08, 2013 at 03:58:22PM -0800, Nick Fagerlund wrote:
It was. I filed it away for future reference!

Bret Wortman
http://bretwortman.com/
http://twitter.com/BretWortman

On Mon, Feb 11, 2013 at 7:55 AM, Nikola Petrov <nikolavp@gmail.com> wrote:
> I think this should be put somewhere in a wiki or the docs.
>
> /me referencing this email for future
>
> Best, Nikola
>
> On Fri, Feb 08, 2013 at 03:58:22PM -0800, Nick Fagerlund wrote:
> > If a brand new never-seen-before agent starts up, it goes like this:
> >
> > * Do I have a private key? Nope? Better generate one.
> > * Okay, do I have a certificate? Nope? See if the master already has one
> >   for me. This looks like a GET request to /certificate/<node name>.
> > * If it gets one, it's good to go.
> > * Master didn't give me a cert. Okay, have I submitted a certificate
> >   signing request before? Look in $ssldir/certificate_requests for my own
> >   name.
> > * If there's one there, it bails and waits, assuming it's waiting for the
> >   master to sign that thing.
> > * Okay, there's nothing there, but maybe I developed amnesia. Better ask
> >   the master if I've asked for one. This looks like a GET request to
> >   /certificate_request/<node name>.
> > * If the master says it's already asked, it will just bail and say "I'm
> >   still waiting for that."
> > * Okay, I never even asked for a cert, it looks like. Well, time to ask for
> >   one. This looks like a PUT request to /certificate_request/<node name>.
> > * Now if autosign is turned on, it can GET /certificate/<node name> and
> >   continue; otherwise it'll bail and go through this whole process again
> >   next time, in which case it says "yes I have a private key, no I don't
> >   have a cert" and gets to work on the second step above.
> >
> > What I'm seeing in that snippet from your log is that it seems to think it
> > has submitted a certificate request before. I just tested with my own
> > machines, and it looks like if your agent still has a
> > $ssldir/certificate_requests/name.pem file sitting around (and crucially,
> > it doesn't automatically destroy these when it gets a cert, so if it used
> > to have a cert and you didn't nuke the whole SSLdir, it's probably there),
> > it asks for a cert but doesn't ask the master if it's ever asked for a
> > cert.
> >
> > So check that certificate_requests dir and nuke it if there's anything
> > there, then get back to us?
> >
> > On Wednesday, February 6, 2013 10:23:28 AM UTC-8, Bret Wortman wrote:
> > >
> > > My test node doesn't have its certs either.
> > >
> > > I've now started puppetmaster in verbose mode:
> > >
> > > # puppet master --no-daemonize --verbose
> > > :
> > > :
> > > :
> > > Info: Could not find certificate for 'nodename.my.net'
> > > Info: Could not find certificate for 'nodename.my.net'
> > > Info: Could not find certificate for 'nodename.my.net'
> > >
> > > This will repeat three times whenever I try to connect. For another node
> > > that tried to connect while I was testing, I get something more sinister:
> > >
> > > Warning: Denying access: Forbidden request: othernode.my.net(10.0.0.1)
> > > access to /file_metadata/plugins [search] at :99
> > > Error: Forbidden request: othernode.my.net(10.0.0.1) access to
> > > /file_metadata/plugins [search] at :99
> > > Info: access[/]: defaulting to no access for othernode.my.net
> > >
> > > Also repeating four times; one [search], two [find]s and a [save].
> > >
> > > On Wednesday, February 6, 2013 1:18:52 PM UTC-5, Wolf Noble wrote:
> > >>
> > >> Did you try removing the cert from a node and seeing if that changes the
> > >> behavior? You removed the certs from the master, but the node still thinks
> > >> it has a valid cert maybe?
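A model of the agent-side bootstrap Nick lists above, added here as an example rather than Puppet's own code: the master is a dict of sets, the key, cert and CSR are constructed placeholder files under a temporary $ssldir, and the node name is taken from Bret's log. Running the stale-CSR case shows the agent stopping after the first GET without ever asking the master whether it holds a request, which is what a leftover certificate_requests/<name>.pem causes.

```python
# Added example (not Puppet's code): the agent's bootstrap decisions from Nick's list
import os
import tempfile

def put(path, text):
    """Write a constructed placeholder file, creating its parent directory."""
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)

def bootstrap(ssldir, certname, master, autosign=False):
    """Walk the agent's decision list; return (final state, HTTP calls made)."""
    calls = []
    pem = lambda sub: os.path.join(ssldir, sub, certname + ".pem")
    key, cert, csr = pem("private_keys"), pem("certs"), pem("certificate_requests")
    if not os.path.exists(key):                    # no private key? generate one
        put(key, "constructed private key\n")
    if os.path.exists(cert):                       # cert already on disk: done
        return "have-cert", calls
    calls.append("GET /certificate/" + certname)   # maybe the master has one
    if certname in master["certs"]:
        put(cert, "constructed signed cert\n")
        return "have-cert", calls
    if os.path.exists(csr):                        # leftover local CSR: wait,
        return "waiting-on-local-csr", calls       # without asking the master
    calls.append("GET /certificate_request/" + certname)
    if certname in master["csrs"]:                 # master already holds our CSR
        return "waiting-on-master-csr", calls
    calls.append("PUT /certificate_request/" + certname)
    master["csrs"].add(certname)
    put(csr, "constructed csr\n")
    if not autosign:                               # wait for someone to sign it
        return "csr-submitted", calls
    master["csrs"].discard(certname)               # autosign: signed right away
    master["certs"].add(certname)
    calls.append("GET /certificate/" + certname)
    put(cert, "constructed signed cert\n")
    return "have-cert", calls

def scenario(stale_csr, master_knows, autosign):
    """Constructed node: a leftover agent-side CSR if stale_csr; the master
    holds the node's cert only if master_knows (False = certs were deleted)."""
    ssldir, name = tempfile.mkdtemp(), "nodename.my.net"
    master = {"certs": {name} if master_knows else set(), "csrs": set()}
    if stale_csr:
        put(os.path.join(ssldir, "certificate_requests", name + ".pem"), "old\n")
    return bootstrap(ssldir, name, master, autosign)

if __name__ == "__main__":
    print(scenario(stale_csr=True, master_knows=False, autosign=True))
```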
On Monday, February 11, 2013 4:24:34 AM UTC-8, Luke Bigum wrote:
>
> Nick that's a pretty awesome explanation of the handshake and
> corresponding REST calls. Is that written down anywhere official? Perhaps
> with corresponding Puppet Master / Agent log entries?
>

Good call, especially since I already knew where I wanted to put something
like this. I just expanded it a bit and posted it at
http://docs.puppetlabs.com/puppet/3/reference/subsystem_agent_master_comm.html
-- no log entries yet, maybe we can add those some other day.
