Puppet users - Nov 2007 - puppetrun failing: "connect'': tlsv1 alert unknown ca"

I''m trying to get puppetrun to work, without luck so far.

I have my puppetmaster and clients working fine with the clients polling
the master. Now I want to be able to force an update. Using version
0.23.2

On the client I set listen=true and created the namespaceauth.conf file.
Restarted puppetd and it appears fine.

On the master I run puppetrun as root and get

root@plane:/etc/puppet# puppetrun  --debug --host planevm1
debug: Parsing /etc/puppet/puppet.conf
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
/usr/lib/ruby/1.8/net/http.rb:586:in `connect'': tlsv1 alert unknown ca
(OpenSSL::SSL::SSLError)
        from /usr/lib/ruby/1.8/net/http.rb:586:in `connect''
        from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start''
        from /usr/lib/ruby/1.8/net/http.rb:548:in `start''
        from /usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in
''start''
        from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in
`initialize''
        from /usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in
`initialize''
        from /usr/sbin/puppetrun:347:in `new''
        from /usr/sbin/puppetrun:347
        from /usr/sbin/puppetrun:339:in `fork''
        from /usr/sbin/puppetrun:339
planevm1 finished with exit code 1
Failed: planevm1

If I run it as a user I get:

snemetz@plane:/usr/sbin$ ./puppetrun --debug --host planevm1
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
warning: peer certificate won''t be verified in this SSL session
Triggering planevm1
debug: Calling puppetrunner.run
err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500
Internal Server Error >
Host planevm1 failed: HTTP-Error: 500 Internal Server Error 
planevm1 finished with exit code 2
Failed: planevm1

and on the client I get a denying unauthenticated client, as I would
expect. But at least it shows that the client is listening.

I know I need to run this as root. Any ideas on what is wrong?

Thanks,

Steven

On Nov 27, 2007, at 7:10 PM, Steven Nemetz wrote:
> I''m trying to get puppetrun to work, without luck so far.
>
> I have my puppetmaster and clients working fine with the clients  
> polling
> the master. Now I want to be able to force an update. Using version
> 0.23.2
>
> On the client I set listen=true and created the namespaceauth.conf  
> file.
> Restarted puppetd and it appears fine.
>
> On the master I run puppetrun as root and get
>
> root@plane:/etc/puppet# puppetrun  --debug --host planevm1
> debug: Parsing /etc/puppet/puppet.conf
> debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect'': tlsv1 alert
unknown ca
> (OpenSSL::SSL::SSLError)
>         from /usr/lib/ruby/1.8/net/http.rb:586:in `connect''
>         from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start''
>         from /usr/lib/ruby/1.8/net/http.rb:548:in `start''
>         from /usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in
> ''start''
>         from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in
> `initialize''
>         from /usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in
> `initialize''
>         from /usr/sbin/puppetrun:347:in `new''
>         from /usr/sbin/puppetrun:347
>         from /usr/sbin/puppetrun:339:in `fork''
>         from /usr/sbin/puppetrun:339
> planevm1 finished with exit code 1
> Failed: planevm1
> [...]
> I know I need to run this as root. Any ideas on what is wrong?
Is there any chance puppetrun isn''t finding the configuration file  
you''re using for the rest of your executables?  That is, are you  
still using something like puppetd.conf with special ssldir settings,  
rather than puppet.conf?

If you run both puppetrun and puppetmasterd as root with ''-- 
configprint ssldir'', do you get the same values?

  --
  I don''t deserve this award, but I have arthritis and I don''t
deserve
  that either.    -- Jack Benny
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

> Message: 5
> Date: Wed, 28 Nov 2007 11:21:58 -0600
> From: Luke Kanies <luke@madstop.com>
> Subject: Re: [Puppet-users] puppetrun failing: "connect'':
tlsv1 alert
> 	unknown ca"
> 
> On Nov 27, 2007, at 7:10 PM, Steven Nemetz wrote:
> 
> > I''m trying to get puppetrun to work, without luck so far.
> >
> > I have my puppetmaster and clients working fine with the clients
> > polling
> > the master. Now I want to be able to force an update. Using version
> > 0.23.2
> >
> > On the client I set listen=true and created the namespaceauth.conf
> > file.
> > Restarted puppetd and it appears fine.
> >
> > On the master I run puppetrun as root and get
> >
> > root@plane:/etc/puppet# puppetrun  --debug --host planevm1
> > debug: Parsing /etc/puppet/puppet.conf
> > debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> > /usr/lib/ruby/1.8/net/http.rb:586:in `connect'': tlsv1 alert
unknown
ca
> > (OpenSSL::SSL::SSLError)
> >         from /usr/lib/ruby/1.8/net/http.rb:586:in `connect''
> >         from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start''
> >         from /usr/lib/ruby/1.8/net/http.rb:548:in `start''
> >         from
/usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in
> > ''start''
> >         from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in
> > `initialize''
> >         from /usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in
> > `initialize''
> >         from /usr/sbin/puppetrun:347:in `new''
> >         from /usr/sbin/puppetrun:347
> >         from /usr/sbin/puppetrun:339:in `fork''
> >         from /usr/sbin/puppetrun:339
> > planevm1 finished with exit code 1
> > Failed: planevm1
> > [...]
> > I know I need to run this as root. Any ideas on what is wrong?
> 
> Is there any chance puppetrun isn''t finding the configuration file
> you''re using for the rest of your executables?  That is, are you
> still using something like puppetd.conf with special ssldir settings,
> rather than puppet.conf?
> 
> If you run both puppetrun and puppetmasterd as root with ''--
> configprint ssldir'', do you get the same values?
> 
>   --
>   I don''t deserve this award, but I have arthritis and I
don''t deserve
>   that either.    -- Jack Benny
>
---------------------------------------------------------------------
>   Luke Kanies | http://reductivelabs.com | http://madstop.com
> 
That''s it, now I just need to figure out why.

Puppetmasterd returns "/var/lib/puppet/ssl"
Puppetrun just says "Finished"

But when I run "puppetrun --debug --host planevm1", I get:
	debug: Parsing /etc/puppet/puppet.conf
which is the same file that puppetmasterd & puppetd are using. So it
should have the same information. The file does set ssldir.

Thanks,
Steven

> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-
> bounces@madstop.com] On Behalf Of Steven Nemetz
> Sent: Wednesday, November 28, 2007 10:17 AM
> To: puppet-users@madstop.com
> Subject: Re: [Puppet-users] puppetrun failing: "connect'':
tlsv1
> alertunknown ca"
> 
> > > [...]
> > >
> > > On the master I run puppetrun as root and get
> > >
> > > root@plane:/etc/puppet# puppetrun  --debug --host planevm1
> > > debug: Parsing /etc/puppet/puppet.conf
> > > debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> > > /usr/lib/ruby/1.8/net/http.rb:586:in `connect'': tlsv1
alert
unknown
> ca
> > > (OpenSSL::SSL::SSLError)
> > >         from /usr/lib/ruby/1.8/net/http.rb:586:in
`connect''
> > >         from /usr/lib/ruby/1.8/net/http.rb:553:in
`do_start''
> > >         from /usr/lib/ruby/1.8/net/http.rb:548:in
`start''
> > >         from
> /usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in
> > > ''start''
> > >         from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in
> > > `initialize''
> > >         from
/usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in
> > > `initialize''
> > >         from /usr/sbin/puppetrun:347:in `new''
> > >         from /usr/sbin/puppetrun:347
> > >         from /usr/sbin/puppetrun:339:in `fork''
> > >         from /usr/sbin/puppetrun:339
> > > planevm1 finished with exit code 1
> > > Failed: planevm1
> > > [...]
> > > I know I need to run this as root. Any ideas on what is wrong?
> >
> > Is there any chance puppetrun isn''t finding the configuration
file
> > you''re using for the rest of your executables?  That is, are
you
> > still using something like puppetd.conf with special ssldir
settings,
> > rather than puppet.conf?
> >
> > If you run both puppetrun and puppetmasterd as root with ''--
> > configprint ssldir'', do you get the same values?
> >
> ---------------------------------------------------------------------
> >   Luke Kanies | http://reductivelabs.com | http://madstop.com
> 
> That''s it, now I just need to figure out why.
> 
> Puppetmasterd returns "/var/lib/puppet/ssl"
> Puppetrun just says "Finished"
> 
> But when I run "puppetrun --debug --host planevm1", I get:
> 	debug: Parsing /etc/puppet/puppet.conf
> which is the same file that puppetmasterd & puppetd are using. So it
> should have the same information. The file does set ssldir.
> 
I''m beginning to think that there is something else wrong. With
puppetun, I can use --configprint to ask for any variable, but it
doesn''t respond to anything even if I set the variable on the command
line. If I set ssldir on the command line, debug shows that is
overriding the config file, but it doesn''t change any of the error
messages.

Thanks,

Steven

On Nov 28, 2007, at 2:13 PM, Steven Nemetz wrote:
> I''m beginning to think that there is something else wrong. With
> puppetun, I can use --configprint to ask for any variable, but it
> doesn''t respond to anything even if I set the variable on the
command
> line. If I set ssldir on the command line, debug shows that is
> overriding the config file, but it doesn''t change any of the error
> messages.
Having just looked at puppetrun, it apparently doesn''t respond to  
configprint.

The main thing is knowing that they''re pulling from the same config  
file.

Hopefully someone else with it working can help you resolve it...?

I''m kinda slammed trying to get this release out.

  --
  The easiest way for your children to learn about money is for you
  not to have any.    -- Katharine Whitehorn
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com

> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-
> bounces@madstop.com] On Behalf Of Luke Kanies
> Sent: Wednesday, November 28, 2007 12:22 PM
> To: Puppet User Discussion
> Subject: Re: [Puppet-users] puppetrun failing: "connect'':
tlsv1
> alertunknownca"
> 
> On Nov 28, 2007, at 2:13 PM, Steven Nemetz wrote:
> 
> > I''m beginning to think that there is something else wrong.
With
> > puppetun, I can use --configprint to ask for any variable, but it
> > doesn''t respond to anything even if I set the variable on the
command
> > line. If I set ssldir on the command line, debug shows that is
> > overriding the config file, but it doesn''t change any of the
error
> > messages.
> 
> Having just looked at puppetrun, it apparently doesn''t respond to
> configprint.
> 
> The main thing is knowing that they''re pulling from the same
config
> file.
> 
> Hopefully someone else with it working can help you resolve it...?
> 
> I''m kinda slammed trying to get this release out.
> 
>   --
>   The easiest way for your children to learn about money is for you
>   not to have any.    -- Katharine Whitehorn
>
---------------------------------------------------------------------
>   Luke Kanies | http://reductivelabs.com | http://madstop.com
> 
Thanks for looking at it. I understand you''re busy.

A little more info that might give someone an idea.
On the puppetmaster, I also have puppetd running. If I use puppetrun to
trigger the local puppetd, it works. I just get the errors when I try to
trigger a remote client.

Thanks,
Steven

On my systems when I do:

strace puppetrun 2>&1 | egrep ''^open'' | tail

The config file is the last file to be opened by puppetrun,  that will
tell you for sure which config file is being used.

I get:

open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb",
O_RDONLY) = 3
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb",
O_RDONLY) = 3
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/scope.rb", O_RDONLY) =
3
open("/usr/lib/ruby/site_ruby/1.8/puppet/network/client.rb", O_RDONLY)
= 3
open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 3
open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 5

Thanks
Brian

On Nov 28, 2007 1:11 PM, Steven Nemetz <snemetz@proofpoint.com>
wrote:
>
>
> > -----Original Message-----
> > From: puppet-users-bounces@madstop.com [mailto:puppet-users-
> > bounces@madstop.com] On Behalf Of Luke Kanies
> > Sent: Wednesday, November 28, 2007 12:22 PM
> > To: Puppet User Discussion
> > Subject: Re: [Puppet-users] puppetrun failing:
"connect'': tlsv1
> > alertunknownca"
> >
> > On Nov 28, 2007, at 2:13 PM, Steven Nemetz wrote:
> >
> > > I''m beginning to think that there is something else
wrong. With
> > > puppetun, I can use --configprint to ask for any variable, but it
> > > doesn''t respond to anything even if I set the variable
on the
> command
> > > line. If I set ssldir on the command line, debug shows that is
> > > overriding the config file, but it doesn''t change any of
the error
> > > messages.
> >
> > Having just looked at puppetrun, it apparently doesn''t
respond to
> > configprint.
> >
> > The main thing is knowing that they''re pulling from the same
config
> > file.
> >
> > Hopefully someone else with it working can help you resolve it...?
> >
> > I''m kinda slammed trying to get this release out.
> >
> >   --
> >   The easiest way for your children to learn about money is for you
> >   not to have any.    -- Katharine Whitehorn
> >
> ---------------------------------------------------------------------
> >   Luke Kanies | http://reductivelabs.com | http://madstop.com
> >
>
> Thanks for looking at it. I understand you''re busy.
>
> A little more info that might give someone an idea.
> On the puppetmaster, I also have puppetd running. If I use puppetrun to
> trigger the local puppetd, it works. I just get the errors when I try to
> trigger a remote client.
>
> Thanks,
> Steven
>
> _______________________________________________
> Puppet-users mailing list
> Puppet-users@madstop.com
> https://mail.madstop.com/mailman/listinfo/puppet-users
>

It is definitely using the correct config file /etc/puppet/puppet.conf
The only real different between our strace results, Is that your''s
opened the config file twice, where mine only opened it once. But that
could just be different versions of puppet. I''m using 0.23.2

Thanks,
Steven
> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-
> bounces@madstop.com] On Behalf Of Brian Finney
> Sent: Wednesday, November 28, 2007 5:54 PM
> To: Puppet User Discussion
> Subject: Re: [Puppet-users] puppetrun failing: "connect'':
> tlsv1alertunknownca"
> 
> On my systems when I do:
> 
> strace puppetrun 2>&1 | egrep ''^open'' | tail
> 
> The config file is the last file to be opened by puppetrun,  that will
> tell you for sure which config file is being used.
> 
> I get:
> 
>
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb",
> O_RDONLY) = 3
>
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb",
> O_RDONLY) = 3
> open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/scope.rb",
O_RDONLY) 3
> open("/usr/lib/ruby/site_ruby/1.8/puppet/network/client.rb",
O_RDONLY)
= 3
> open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
> open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
> open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 3
> open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
> open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
> open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 5
> 
> Thanks
> Brian
> 
> On Nov 28, 2007 1:11 PM, Steven Nemetz <snemetz@proofpoint.com>
wrote:
> >
> >
> > > -----Original Message-----
> > > From: puppet-users-bounces@madstop.com [mailto:puppet-users-
> > > bounces@madstop.com] On Behalf Of Luke Kanies
> > > Sent: Wednesday, November 28, 2007 12:22 PM
> > > To: Puppet User Discussion
> > > Subject: Re: [Puppet-users] puppetrun failing:
"connect'': tlsv1
> > > alertunknownca"
> > >
> > > On Nov 28, 2007, at 2:13 PM, Steven Nemetz wrote:
> > >
> > > > I''m beginning to think that there is something else
wrong. With
> > > > puppetun, I can use --configprint to ask for any variable,
but
it
> > > > doesn''t respond to anything even if I set the
variable on the
> > command
> > > > line. If I set ssldir on the command line, debug shows that
is
> > > > overriding the config file, but it doesn''t change
any of the
error
> > > > messages.
> > >
> > > Having just looked at puppetrun, it apparently doesn''t
respond to
> > > configprint.
> > >
> > > The main thing is knowing that they''re pulling from the
same
config
> > > file.
> > >
> > > Hopefully someone else with it working can help you resolve
it...?
> > >
> > > I''m kinda slammed trying to get this release out.
> > >
> > >   --
> > >   The easiest way for your children to learn about money is for
you
> > >   not to have any.    -- Katharine Whitehorn
> > >
> >
---------------------------------------------------------------------
> > >   Luke Kanies | http://reductivelabs.com | http://madstop.com
> > >
> >
> > Thanks for looking at it. I understand you''re busy.
> >
> > A little more info that might give someone an idea.
> > On the puppetmaster, I also have puppetd running. If I use puppetrun
to
> > trigger the local puppetd, it works. I just get the errors when I
try to
> > trigger a remote client.
> >
> > Thanks,
> > Steven
> >