Puppet users - Apr 2007 - signing certs

I noticed a behaviour which is kind of confusing. I have the puppetmasterd 
running. Now I want a new client to connect. I edit the site.pp and add 
the client. When the client is started I can see it with puppetca --list. 
So I sign the client. When it next tries to connect it shows:
notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted access 
to CA methods
notice: Host unknown.example.com has a waiting certificate request
notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted access 
to CA methods
info: Not replacing existing request from unknown.example.com
notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted access 
to CA methods
info: Retrieving existing certificate for unknown.example.com
err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y) cannot 
call puppetmaster.getconfig
err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y) cannot 
call puppetmaster.getconfig

Then I make a puppetca --clean <client_cert>. After that I restart the 
client and suddenly it works:
debug: Overriding ::ffff:192.168.x.y with cert name unknown.example.com
debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted access to 
puppetmaster.getconfig
debug: Our client is remote
notice: Reloading files
debug: importing ''client.pp''
info: Parsed manifest in 0.20 seconds
info: Found unknown in /etc/puppet/manifests/site.pp
notice: Compiled configuration for unknown.example.com in 0.24 seconds
debug: Overriding ::ffff:192.168.x.y with cert name unknown.example.com
debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted access to 
fileserver.describe

- Frank
__________________

Investitionsbank Berlin
Anstalt des öffentlichen Rechts
Bundesallee 210 · 10719 Berlin
Sitz: Berlin · Reg.-Nr. HR A 35566 · Amtsgericht Charlottenburg

Mit den IBBnews, den KonjunkturNews und den InnoNews bietet die Investitionsbank
Berlin Ihnen einen kompetenten Informationsservice zu speziellen Themen an.
Sichern Sie sich Ihren Informationsvorsprung, abonnieren Sie kostenlos unsere
Newsletter unter http://www.ibb.de.



_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

On Apr 5, 2007, at 7:32 AM, frank.proessdorf@ibb.de wrote:
>
> I noticed a behaviour which is kind of confusing. I have the  
> puppetmasterd running. Now I want a new client to connect. I edit  
> the site.pp and add the client. When the client is started I can  
> see it with puppetca --list. So I sign the client. When it next  
> tries to connect it shows:
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> notice: Host unknown.example.com has a waiting certificate request
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> info: Not replacing existing request from unknown.example.com
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> info: Retrieving existing certificate for unknown.example.com
> err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y)  
> cannot call puppetmaster.getconfig
> err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y)  
> cannot call puppetmaster.getconfig
>
> Then I make a puppetca --clean <client_cert>. After that I restart  
> the client and suddenly it works:
> debug: Overriding ::ffff:192.168.x.y with cert name  
> unknown.example.com
> debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted  
> access to puppetmaster.getconfig
> debug: Our client is remote
> notice: Reloading files
> debug: importing ''client.pp''
> info: Parsed manifest in 0.20 seconds
> info: Found unknown in /etc/puppet/manifests/site.pp
> notice: Compiled configuration for unknown.example.com in 0.24 seconds
> debug: Overriding ::ffff:192.168.x.y with cert name  
> unknown.example.com
> debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted  
> access to fileserver.describe
I expect if you just restarted the client, without doing --clean on  
the server, it would work.  Can you confirm that?

Both 0.22.2 and 0.22.3 have small but important bugs in the code for  
retrieving certificates and using them in a single run,  
unfortunately.  I should probably release 0.22.4 just to fix this  
problem, I guess.

  --
  The easiest way to figure the cost of living is to take your income  
and
  add ten percent.
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com