Puppet users - May 2008 - After the Debian OpenSSL update...

Hi all,

After updating my Puppet certificates several times, first by hand and  
then by using the capistrano script Adam Jacob has provided on the  
wiki, I''m banging my head against a problem I just can''t seem
to solve
myself.

My puppetmaster (puppet.mydomain.com) is also maintained by puppetd,  
and after the upgrade, puppetd on the puppetmaster can''t talk to  
puppetmasterd - I get the following error:

err: /File[/var/lib/puppet/facts]: Failed to generate additional  
resources during transaction: Certificates were not trusted: tlsv1  
alert decrypt error

I haven''t had any problems before with puppetd and puppetmasterd - it  
just worked. And I can''t figure out why it''s failing now. Can
anybody
shed some light on how the puppet certificate structure is layed out?


--
Med venlig hilsen
Juri Rischel Jensen

Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tlf: +45 70 202 407
www.fab-it.dk


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Try to test by adding "--certname puppet.mydomain.com" to your
puppetmasterd command line parameters.

Kevin STEVENARD 
System & network Administrator 
LinkInTime 
... Get Mobile ))) 

www.linkintime.com 

Mobile: (00967) 712 000 838 
Office: (00967) 1 427 377 
Fax : (00967) 1 428 851 

LinkInTime Ltd. 
Iran Street 
Haddah - Sana''a - P.O.Box. 16871, YEMEN 

----- Original Message ----- 
From: "Juri Rischel Jensen" <juri@fab-it.dk> 
To: puppet-users@googlegroups.com 
Sent: Tuesday, May 20, 2008 10:42:40 PM GMT +03:00 Kuwait / Riyadh 
Subject: [Puppet Users] After the Debian OpenSSL update... 


Hi all, 

After updating my Puppet certificates several times, first by hand and 
then by using the capistrano script Adam Jacob has provided on the 
wiki, I''m banging my head against a problem I just can''t seem
to solve
myself. 

My puppetmaster (puppet.mydomain.com) is also maintained by puppetd, 
and after the upgrade, puppetd on the puppetmaster can''t talk to 
puppetmasterd - I get the following error: 

err: /File[/var/lib/puppet/facts]: Failed to generate additional 
resources during transaction: Certificates were not trusted: tlsv1 
alert decrypt error 

I haven''t had any problems before with puppetd and puppetmasterd - it 
just worked. And I can''t figure out why it''s failing now. Can
anybody
shed some light on how the puppet certificate structure is layed out? 


-- 
Med venlig hilsen 
Juri Rischel Jensen 

Fab:IT ApS 
Vesterbrogade 50 
DK-1620 København 
Tlf: +45 70 202 407 
www.fab-it.dk 





--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi Kevin

On 21/05/2008, at 10:20, Kevin Stevenard [IT] wrote:
> Try to test by adding "--certname puppet.mydomain.com" to your  
> puppetmasterd command line parameters.
Thanks for the reply! It''s puppetd that''s complaining -
puppetmasterd
is running fine. Adding the above parameter to the puppetd command  
line doesn''t help :-( :

  puppetd --onetime --debug --ignorecache --no-daemonize --server  
puppet.mydomain.com --certname \
  puppet.mydomain.com

  err: /File[/var/lib/puppet/facts]: Failed to generate additional  
resources during transaction:
  Certificates were not trusted: tlsv1 alert decrypt error

It seems like puppetmasterd doesn''t like to talk to a client that  
presents itself with a certificate that''s identical with it''s
own...



--
Med venlig hilsen
Juri Rischel Jensen

Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tlf: +45 70 202 407
www.fab-it.dk


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Yes I know that the problem seems to appear on the client side, but use the
--certname parameter on the puppetmaster side. By the way are you using mongrel
or webrick, because I already face this problem one time, it was working fine
with webrick but not with mongrel (mongrel+nginx). and after setting --certname
puppet.mydomain.com on all puppetmaster it was working fine with mongrel.

In addition I think that if the problem was on the client certificate the
puppetmaster server will print some logs to tell you to clean the certificate of
the client side.

Kevin STEVENARD 
System & network Administrator 
LinkInTime 
... Get Mobile ))) 

www.linkintime.com 

Mobile: (00967) 712 000 838 
Office: (00967) 1 427 377 
Fax : (00967) 1 428 851 

LinkInTime Ltd. 
Iran Street 
Haddah - Sana''a - P.O.Box. 16871, YEMEN 

----- Original Message ----- 
From: "Juri Rischel Jensen" <juri@fab-it.dk> 
To: puppet-users@googlegroups.com 
Sent: Wednesday, May 21, 2008 11:43:27 AM GMT +03:00 Kuwait / Riyadh 
Subject: [Puppet Users] Re: After the Debian OpenSSL update... 


Hi Kevin 

On 21/05/2008, at 10:20, Kevin Stevenard [IT] wrote: 
> Try to test by adding "--certname puppet.mydomain.com" to your 
> puppetmasterd command line parameters. 
Thanks for the reply! It''s puppetd that''s complaining -
puppetmasterd
is running fine. Adding the above parameter to the puppetd command 
line doesn''t help :-( : 

puppetd --onetime --debug --ignorecache --no-daemonize --server 
puppet.mydomain.com --certname \ 
puppet.mydomain.com 

err: /File[/var/lib/puppet/facts]: Failed to generate additional 
resources during transaction: 
Certificates were not trusted: tlsv1 alert decrypt error 

It seems like puppetmasterd doesn''t like to talk to a client that 
presents itself with a certificate that''s identical with it''s
own...



-- 
Med venlig hilsen 
Juri Rischel Jensen 

Fab:IT ApS 
Vesterbrogade 50 
DK-1620 København 
Tlf: +45 70 202 407 
www.fab-it.dk 





--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Hi Kevin

On 21/05/2008, at 11:02, Kevin Stevenard [IT] wrote:
> Yes I know that the problem seems to appear on the client side, but  
> use the --certname parameter on the puppetmaster side. By the way  
> are you using mongrel or webrick, because I already face this  
> problem one time, it was working fine with webrick but not with  
> mongrel (mongrel+nginx). and after setting --certname  
> puppet.mydomain.com on all puppetmaster it was working fine with  
> mongrel.
>
> In addition I think that if the problem was on the client  
> certificate the puppetmaster server will print some logs to tell you  
> to clean the certificate of the client side.
Unfortunately, it doesn''t work :-(

(and yes, I am using Mongrel+Apache2).

--
Med venlig hilsen
Juri Rischel Jensen

Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tlf: +45 70 202 407
www.fab-it.dk


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---