Steven Nemetz
2007-Nov-28 01:10 UTC
puppetrun failing: "connect': tlsv1 alert unknown ca"
I'm trying to get puppetrun to work, without luck so far.

I have my puppetmaster and clients working fine with the clients polling the master. Now I want to be able to force an update. Using version 0.23.2

On the client I set listen=true and created the namespaceauth.conf file. Restarted puppetd and it appears fine.

On the master I run puppetrun as root and get

root@plane:/etc/puppet# puppetrun --debug --host planevm1
debug: Parsing /etc/puppet/puppet.conf
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
/usr/lib/ruby/1.8/net/http.rb:586:in `connect': tlsv1 alert unknown ca (OpenSSL::SSL::SSLError)
        from /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
        from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
        from /usr/lib/ruby/1.8/net/http.rb:548:in `start'
        from /usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in 'start'
        from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in `initialize'
        from /usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in `initialize'
        from /usr/sbin/puppetrun:347:in `new'
        from /usr/sbin/puppetrun:347
        from /usr/sbin/puppetrun:339:in `fork'
        from /usr/sbin/puppetrun:339
planevm1 finished with exit code 1
Failed: planevm1

If I run it as a user I get:

snemetz@plane:/usr/sbin$ ./puppetrun --debug --host planevm1
debug: Puppet::Network::Client::Runner: defining puppetrunner.run
warning: peer certificate won't be verified in this SSL session
Triggering planevm1
debug: Calling puppetrunner.run
err: Could not call puppetrunner.run: #<RuntimeError: HTTP-Error: 500 Internal Server Error >
Host planevm1 failed: HTTP-Error: 500 Internal Server Error
planevm1 finished with exit code 2
Failed: planevm1

and on the client I get a denying unauthenticated client, as I would expect. But at least it shows that the client is listening.

I know I need to run this as root. Any ideas on what is wrong?

Thanks,
Steven
Luke Kanies
2007-Nov-28 17:21 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
On Nov 27, 2007, at 7:10 PM, Steven Nemetz wrote:

> I'm trying to get puppetrun to work, without luck so far.
>
> I have my puppetmaster and clients working fine with the clients polling
> the master. Now I want to be able to force an update. Using version 0.23.2
>
> On the client I set listen=true and created the namespaceauth.conf file.
> Restarted puppetd and it appears fine.
>
> On the master I run puppetrun as root and get
>
> root@plane:/etc/puppet# puppetrun --debug --host planevm1
> debug: Parsing /etc/puppet/puppet.conf
> debug: Puppet::Network::Client::Runner: defining puppetrunner.run
> /usr/lib/ruby/1.8/net/http.rb:586:in `connect': tlsv1 alert unknown ca (OpenSSL::SSL::SSLError)
>         from /usr/lib/ruby/1.8/net/http.rb:586:in `connect'
>         from /usr/lib/ruby/1.8/net/http.rb:553:in `do_start'
>         from /usr/lib/ruby/1.8/net/http.rb:548:in `start'
>         from /usr/lib/ruby/1.8/puppet/network/xmlrpc/client.rb:173:in 'start'
>         from /usr/lib/ruby/1.8/puppet/network/client.rb:93:in `initialize'
>         from /usr/lib/ruby/1.8/puppet/network/client/runner.rb:9:in `initialize'
>         from /usr/sbin/puppetrun:347:in `new'
>         from /usr/sbin/puppetrun:347
>         from /usr/sbin/puppetrun:339:in `fork'
>         from /usr/sbin/puppetrun:339
> planevm1 finished with exit code 1
> Failed: planevm1
> [...]
> I know I need to run this as root. Any ideas on what is wrong?

Is there any chance puppetrun isn't finding the configuration file you're using for the rest of your executables? That is, are you still using something like puppetd.conf with special ssldir settings, rather than puppet.conf?

If you run both puppetrun and puppetmasterd as root with '--configprint ssldir', do you get the same values?

--
I don't deserve this award, but I have arthritis and I don't deserve that either. -- Jack Benny
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
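Added example, not part of the original thread and not Puppet's own code: the `unknown ca` alert is what a TLS peer sends when it cannot chain the certificate it was shown to a CA it trusts, which is why executables resolving different ssldir values matter. The Ruby below runs that chain check on constructed in-memory certificates; the CA name, the host name and the two-ssldir scenario are assumptions made for illustration.

```ruby
require "openssl"

# Build a certificate in memory (constructed test data, not Puppet's own files).
# Without an issuer the result is a self-signed CA; otherwise a leaf signed by it.
def make_cert(cn, serial, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  if issuer_cert.nil?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# The decision the receiving side makes: does `cert` chain to the one CA it trusts?
def chains_to?(cert, trusted_ca)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  [store.verify(cert), store.error_string]
end

# SHA-256 over the DER encoding identifies a certificate regardless of its name.
def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Hypothetical scenario: two ssldirs each hold a CA with the same subject name.
def demo
  ca_a, key_a = make_cert("Puppet CA (constructed)", 1)
  ca_b, key_b = make_cert("Puppet CA (constructed)", 1)
  from_a, = make_cert("plane.example.test", 2, ca_a, key_a)
  from_b, = make_cert("plane.example.test", 2, ca_b, key_b)
  {
    same_ca_name:     ca_a.subject.to_s == ca_b.subject.to_s,
    same_fingerprint: fingerprint(ca_a) == fingerprint(ca_b),
    signed_by_a:      chains_to?(from_a, ca_a), # verified against CA A
    signed_by_b:      chains_to?(from_b, ca_a)  # also verified against CA A
  }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

Two CAs can carry the same subject name and still be different trust anchors, so compare fingerprints of the CA certificate on each side rather than names.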
Steven Nemetz
2007-Nov-28 18:16 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
> Message: 5
> Date: Wed, 28 Nov 2007 11:21:58 -0600
> From: Luke Kanies <luke@madstop.com>
> Subject: Re: [Puppet-users] puppetrun failing: "connect': tlsv1 alert unknown ca"
>
> Is there any chance puppetrun isn't finding the configuration file
> you're using for the rest of your executables? That is, are you
> still using something like puppetd.conf with special ssldir settings,
> rather than puppet.conf?
>
> If you run both puppetrun and puppetmasterd as root with
> '--configprint ssldir', do you get the same values?

That's it, now I just need to figure out why.

Puppetmasterd returns "/var/lib/puppet/ssl"
Puppetrun just says "Finished"

But when I run "puppetrun --debug --host planevm1", I get:
debug: Parsing /etc/puppet/puppet.conf
which is the same file that puppetmasterd & puppetd are using. So it should have the same information. The file does set ssldir.

Thanks,
Steven
Steven Nemetz
2007-Nov-28 20:13 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-bounces@madstop.com] On Behalf Of Steven Nemetz
> Sent: Wednesday, November 28, 2007 10:17 AM
> To: puppet-users@madstop.com
> Subject: Re: [Puppet-users] puppetrun failing: "connect': tlsv1 alert unknown ca"
>
> That's it, now I just need to figure out why.
>
> Puppetmasterd returns "/var/lib/puppet/ssl"
> Puppetrun just says "Finished"
>
> But when I run "puppetrun --debug --host planevm1", I get:
> debug: Parsing /etc/puppet/puppet.conf
> which is the same file that puppetmasterd & puppetd are using. So it
> should have the same information. The file does set ssldir.

I'm beginning to think that there is something else wrong. With puppetrun, I can use --configprint to ask for any variable, but it doesn't respond to anything even if I set the variable on the command line. If I set ssldir on the command line, debug shows that is overriding the config file, but it doesn't change any of the error messages.

Thanks,
Steven
Luke Kanies
2007-Nov-28 20:22 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
On Nov 28, 2007, at 2:13 PM, Steven Nemetz wrote:

> I'm beginning to think that there is something else wrong. With
> puppetrun, I can use --configprint to ask for any variable, but it
> doesn't respond to anything even if I set the variable on the command
> line. If I set ssldir on the command line, debug shows that is
> overriding the config file, but it doesn't change any of the error
> messages.

Having just looked at puppetrun, it apparently doesn't respond to configprint.

The main thing is knowing that they're pulling from the same config file.

Hopefully someone else with it working can help you resolve it...?

I'm kinda slammed trying to get this release out.

--
The easiest way for your children to learn about money is for you not to have any. -- Katharine Whitehorn
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
Steven Nemetz
2007-Nov-28 21:11 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
> -----Original Message-----
> From: puppet-users-bounces@madstop.com [mailto:puppet-users-bounces@madstop.com] On Behalf Of Luke Kanies
> Sent: Wednesday, November 28, 2007 12:22 PM
> To: Puppet User Discussion
> Subject: Re: [Puppet-users] puppetrun failing: "connect': tlsv1 alert unknown ca"
>
> Having just looked at puppetrun, it apparently doesn't respond to
> configprint.
>
> The main thing is knowing that they're pulling from the same config
> file.
>
> Hopefully someone else with it working can help you resolve it...?
>
> I'm kinda slammed trying to get this release out.

Thanks for looking at it. I understand you're busy.

A little more info that might give someone an idea. On the puppetmaster, I also have puppetd running. If I use puppetrun to trigger the local puppetd, it works. I just get the errors when I try to trigger a remote client.

Thanks,
Steven
Brian Finney
2007-Nov-29 01:54 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
On my systems when I do:

strace puppetrun 2>&1 | egrep '^open' | tail

The config file is the last file to be opened by puppetrun, that will tell you for sure which config file is being used.

I get:

open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb", O_RDONLY) = 3
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/resource/reference.rb", O_RDONLY) = 3
open("/usr/lib/ruby/site_ruby/1.8/puppet/parser/scope.rb", O_RDONLY) = 3
open("/usr/lib/ruby/site_ruby/1.8/puppet/network/client.rb", O_RDONLY) = 3
open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
open("/usr/lib/ruby/1.8/getoptlong.rb", O_RDONLY) = 3
open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 3
open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
open("/usr/lib64/ruby/1.8/x86_64-linux/fcntl.so", O_RDONLY) = 5
open("/etc/puppet/puppetmasterd.conf", O_RDONLY) = 5

Thanks
Brian
Steven Nemetz
2007-Nov-29 17:09 UTC
Re: puppetrun failing: "connect': tlsv1 alert unknown ca"
It is definitely using the correct config file /etc/puppet/puppet.conf

The only real difference between our strace results is that yours opened the config file twice, where mine only opened it once. But that could just be different versions of puppet. I'm using 0.23.2

Thanks,
Steven