I recently had a working puppet server serving around 4-5 clients. One of the clients needed to be re-built and now only that client cannot connect.

puppetca --clean hostname did not work

So here is what I did on both the server/client

I removed /var/lib/puppet/*

Then I restarted the server via

puppetmasterd --mkusers --verbose

I then connect in via the client with

/usr/bin/ruby /usr/sbin/puppetd --server=10.100.177.5 --logdest=/var/log/puppet/puppet.log --waitforcert=500 --verbose

In the master my first connect I see

notice: Allowing unauthenticated client njrh-tch502.fxserver.com( 10.100.177.11) access to puppetca.getcert
notice: Host njrh-tch502.fxserver.com has a waiting certificate request

I sign the key.. I ctrl+c out of the client and re-run it

On the client I see

[root@njrh-tch502 ssl]# /usr/bin/ruby /usr/sbin/puppetd --server=10.100.177.5 --logdest=/var/log/puppet/puppet.log --waitforcert=500 --verbose
warning: peer certificate won't be verified in this SSL session
notice: Starting Puppet client version 0.22.3
warning: peer certificate won't be verified in this SSL session
err: Could not call puppetmaster.getconfig: #<NoMethodError: private method `split' called for nil:NilClass>
err: Could not retrieve configuration: private method `split' called for nil:NilClass
err: Could not run Puppet::Network::Client::Master: Cannot connect to server and there is no cached configuration

On the server I see

notice: Allowing unauthenticated client njrh-tch502.domain.com(10.100.177.11) access to puppetca.getcert
info: Retrieving existing certificate for njrh-tch502.domain.com
notice: Denying unauthenticated client njrh-tch502.domain.com(10.100.177.11) access to puppetmaster.getconfig

Then if I re-start the client from now on I see

[root@njrh-tch502 ssl]# /usr/bin/ruby /usr/sbin/puppetd --server=10.100.177.5 --logdest=/var/log/puppet/puppet.log --waitforcert=500 --verbose
notice: Starting Puppet client version 0.22.3
err: Could not retrieve configuration: Certificates were not trusted: certificate verify failed
err: Could not run Puppet::Network::Client::Master: Cannot connect to server and there is no cached configuration

If I do the SAME steps on the other 3 clients it works just fine.. can anyone shed some light on this?

Thanks
Mike

_______________________________________________
Puppet-users mailing list
Puppet-users@madstop.com
https://mail.madstop.com/mailman/listinfo/puppet-users

On 4/9/07, Mike Zupan <hijinks@gmail.com> wrote:
> I recently had a working puppet server serving around 4-5 clients. One of
> the clients needed to be re-built and now only that client cannot connect.
>
> puppetca --clean hostname did not work

I had, somewhat similar, cert problems on a test host that I was re-building often. Here's what I had to do:

Client -- Stop all puppet services and remove the cert directory.
Master -- clean the certificate for that host
Client -- start puppetd ( usually failed to daemon-ized )
Master -- sign the cert
Client -- restart puppetd.

If the master and client were not both completely clean and ignorant of each other it wouldn't work.

--
--
Perfection is just a word I use occasionally with mustard.
--Atom Powers--

That is the very same steps I take and it still does not work..

From my understanding it's an error with the client and having the wrong cert file. I don't know why it will work for other hosts but these steps do not work for this.. there are no extra outputs from using --debug

On 4/9/07, Atom Powers <atom.powers@gmail.com> wrote:
>
> On 4/9/07, Mike Zupan <hijinks@gmail.com> wrote:
> > I recently had a working puppet server serving around 4-5 clients. One of
> > the clients needed to be re-built and now only that client cannot connect.
> >
> > puppetca --clean hostname did not work
>
> I had, somewhat similar, cert problems on a test host that I was
> re-building often. Here's what I had to do:
>
> Client -- Stop all puppet services and remove the cert directory.
> Master -- clean the certificate for that host
> Client -- start puppetd ( usually failed to daemon-ized )
> Master -- sign the cert
> Client -- restart puppetd.
>
> If the master and client were not both completely clean and ignorant
> of each other it wouldn't work.
>
> --
> --
> Perfection is just a word I use occasionally with mustard.
> --Atom Powers--

On 4/10/07, Mike Zupan <hijinks@gmail.com> wrote:
> That is the very same steps I take and it still does not work..
>
> From my understanding it's an error with the client and having the wrong cert
> file. I don't know why it will work for other hosts but these steps do not
> work for this.. there are no extra outputs from using --debug

Is the time on the client and the server in sync? I know if the time drifts too far off certs won't work.
Kent

> On 4/9/07, Atom Powers <atom.powers@gmail.com> wrote:
> > On 4/9/07, Mike Zupan <hijinks@gmail.com> wrote:
> > > I recently had a working puppet server serving around 4-5 clients. One of
> > > the clients needed to be re-built and now only that client cannot connect.
> > >
> > > puppetca --clean hostname did not work
> >
> > I had, somewhat similar, cert problems on a test host that I was
> > re-building often. Here's what I had to do:
> >
> > Client -- Stop all puppet services and remove the cert directory.
> > Master -- clean the certificate for that host
> > Client -- start puppetd ( usually failed to daemon-ized )
> > Master -- sign the cert
> > Client -- restart puppetd.
> >
> > If the master and client were not both completely clean and ignorant
> > of each other it wouldn't work.

OK after some research.. It seems my RHEL5 64bit servers will not work.. but any rebuilds of rhel4 64bit will work. The difference I can tell is in ruby

ruby-1.8.5-5.el5
ruby-1.8.1-7.EL4.8

Could this be the issue?

thanks
Mike

On 4/10/07, Mike Zupan <hijinks@gmail.com> wrote:
>
> That is the very same steps I take and it still does not work..
>
> From my understanding it's an error with the client and having the wrong
> cert file. I don't know why it will work for other hosts but these steps do
> not work for this.. there are no extra outputs from using --debug

> Is the time on the client and the server in sync? I know if the time
> drifts too far off certs won't work.
> Kent

same here, most of the time ssl issues are impossible to solve by resetting the ssl cert this is a time sync issue. Make sure the server and the client are on the same time settings.

--
Regards,
Ghislain

YES! it was a time difference. The xen rhel5 guest machines were hours ahead.. thanks for saving me more hours of headache and wonder

On 4/10/07, Kenton Brede <kbrede@gmail.com> wrote:
>
> On 4/10/07, Mike Zupan <hijinks@gmail.com> wrote:
> > That is the very same steps I take and it still does not work..
> >
> > From my understanding it's an error with the client and having the wrong cert
> > file. I don't know why it will work for other hosts but these steps do not
> > work for this.. there are no extra outputs from using --debug
>
> Is the time on the client and the server in sync? I know if the time
> drifts too far off certs won't work.
> Kent
>
> > On 4/9/07, Atom Powers <atom.powers@gmail.com> wrote:
> > > On 4/9/07, Mike Zupan <hijinks@gmail.com> wrote:
> > > > I recently had a working puppet server serving around 4-5 clients. One of
> > > > the clients needed to be re-built and now only that client cannot connect.
> > > >
> > > > puppetca --clean hostname did not work
> > >
> > > I had, somewhat similar, cert problems on a test host that I was
> > > re-building often. Here's what I had to do:
> > >
> > > Client -- Stop all puppet services and remove the cert directory.
> > > Master -- clean the certificate for that host
> > > Client -- start puppetd ( usually failed to daemon-ized )
> > > Master -- sign the cert
> > > Client -- restart puppetd.
> > >
> > > If the master and client were not both completely clean and ignorant
> > > of each other it wouldn't work.

On Tue, 2007-04-10 at 08:35 -0400, Mike Zupan wrote:
> OK after some research.. It seems my RHEL5 64bit servers will not
> work.. but any rebuilds of rhel4 64bit will work. The difference I can
> tell is in ruby
>
> ruby-1.8.5-5.el5
> ruby-1.8.1-7.EL4.8
>
> Could this be the issue?

Can you check the logs to see if there were any errors, especially backtraces? I have 32bit RHEL5 machines that have no problem connecting; it seems unlikely, though it could be that there are problems on 64bit.

David

On Tue, April 10, 2007 7:37 am, ADNET Ghislain wrote:
> same here, most of the time ssl issues are impossible to solve by
> resetting the ssl cert this is a time sync issue. Make sure the server
> and the client are on the same time settings.

Just so people know, this is a common enough problem that I've switched the CA to make certs valid from one day before they're generated. Hopefully this will get rid of most of these problems (but please, make ntpd one of the first services managed with Puppet!).

--
Luke Kanies
http://reductivelabs.com
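
The effect of clock skew on certificate validation, and of backdating the start of validity by one day as described in the last message, can be reproduced offline. The Ruby sketch below is an added example, not code from Puppet or from anyone on the list: it uses the standard openssl library rather than Puppet's CA, and the CA and host names, the fixed issue time and the skew values are constructed for illustration.

```ruby
require 'openssl'

DAY = 24 * 60 * 60
HOUR = 60 * 60

# Build and sign an X.509 v3 certificate (all names are constructed examples).
def make_cert(cn, key, issuer, signing_key, not_before, not_after, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = ca ? 1 : 2
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_after
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(signing_key, OpenSSL::Digest.new('SHA256'))
end

# Verify cert against ca as a peer whose clock reads `clock`.
# Returns [ok, OpenSSL verify error code].
def verify_at(cert, ca, clock)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.time = clock
  [store.verify(cert), store.error]
end

# Issue one cert valid from the signing instant and one backdated by a day,
# then verify both from clocks that are behind and ahead of the CA's clock.
def skew_demo(issued_at = Time.utc(2007, 4, 10, 12, 0, 0))
  ca_key = OpenSSL::PKey::RSA.new(2048)
  host_key = OpenSSL::PKey::RSA.new(2048)
  ca_name = OpenSSL::X509::Name.parse('/CN=example-puppet-ca')
  # The CA cert gets a wide window so only the host cert's dates matter here.
  ca = make_cert('example-puppet-ca', ca_key, ca_name, ca_key,
                 issued_at - 365 * DAY, issued_at + 5 * 365 * DAY, ca: true)
  exact = make_cert('client.example.test', host_key, ca_name, ca_key,
                    issued_at, issued_at + 365 * DAY)
  backdated = make_cert('client.example.test', host_key, ca_name, ca_key,
                        issued_at - DAY, issued_at + 365 * DAY)
  { exact_3h_behind: verify_at(exact, ca, issued_at - 3 * HOUR),
    backdated_3h_behind: verify_at(backdated, ca, issued_at - 3 * HOUR),
    backdated_2d_behind: verify_at(backdated, ca, issued_at - 2 * DAY),
    exact_3h_ahead: verify_at(exact, ca, issued_at + 3 * HOUR) }
end

skew_demo.each { |name, (ok, err)| puts "#{name}: ok=#{ok} err=#{err}" } if __FILE__ == $PROGRAM_NAME
```

Backdating only covers a verifier whose clock is up to one day behind the CA's; with a larger skew the certificate is still rejected as not yet valid, so keeping clocks in sync remains the actual fix.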