Juri Rischel Jensen
2008-May-20 19:42 UTC
[Puppet Users] After the Debian OpenSSL update...
Hi all,

After updating my Puppet certificates several times, first by hand and then by using the capistrano script Adam Jacob has provided on the wiki, I'm banging my head against a problem I just can't seem to solve myself.

My puppetmaster (puppet.mydomain.com) is also maintained by puppetd, and after the upgrade, puppetd on the puppetmaster can't talk to puppetmasterd - I get the following error:

    err: /File[/var/lib/puppet/facts]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert decrypt error

I haven't had any problems before with puppetd and puppetmasterd - it just worked. And I can't figure out why it's failing now.

Can anybody shed some light on how the puppet certificate structure is laid out?

--
Kind regards
Juri Rischel Jensen
Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tel: +45 70 202 407
www.fab-it.dk

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users-unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
Kevin Stevenard [IT]
2008-May-21 08:20 UTC
[Puppet Users] Re: After the Debian OpenSSL update...
Try to test by adding "--certname puppet.mydomain.com" to your puppetmasterd command line parameters.

Kevin STEVENARD
System & network Administrator
LinkInTime ... Get Mobile )))
www.linkintime.com
Mobile: (00967) 712 000 838
Office: (00967) 1 427 377
Fax : (00967) 1 428 851
LinkInTime Ltd.
Iran Street Haddah - Sana'a - P.O.Box. 16871, YEMEN
Juri Rischel Jensen
2008-May-21 08:43 UTC
[Puppet Users] Re: After the Debian OpenSSL update...
Hi Kevin

On 21/05/2008, at 10:20, Kevin Stevenard [IT] wrote:

> Try to test by adding "--certname puppet.mydomain.com" to your
> puppetmasterd command line parameters.

Thanks for the reply! It's puppetd that's complaining - puppetmasterd is running fine. Adding the above parameter to the puppetd command line doesn't help :-( :

    puppetd --onetime --debug --ignorecache --no-daemonize --server puppet.mydomain.com --certname \
        puppet.mydomain.com
    err: /File[/var/lib/puppet/facts]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert decrypt error

It seems like puppetmasterd doesn't like to talk to a client that presents itself with a certificate that's identical with its own...

--
Kind regards
Juri Rischel Jensen
Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tel: +45 70 202 407
www.fab-it.dk
Kevin Stevenard [IT]
2008-May-21 09:02 UTC
[Puppet Users] Re: After the Debian OpenSSL update...
Yes, I know that the problem seems to appear on the client side, but use the --certname parameter on the puppetmaster side. By the way, are you using mongrel or webrick? I already faced this problem one time: it was working fine with webrick but not with mongrel (mongrel+nginx), and after setting --certname puppet.mydomain.com on all puppetmasters it was working fine with mongrel.

In addition, I think that if the problem was on the client certificate, the puppetmaster server will print some logs to tell you to clean the certificate of the client side.

Kevin STEVENARD
System & network Administrator
LinkInTime ... Get Mobile )))
www.linkintime.com
Mobile: (00967) 712 000 838
Office: (00967) 1 427 377
Fax : (00967) 1 428 851
LinkInTime Ltd.
Iran Street Haddah - Sana'a - P.O.Box. 16871, YEMEN
Juri Rischel Jensen
2008-May-21 10:08 UTC
[Puppet Users] Re: After the Debian OpenSSL update...
Hi Kevin

On 21/05/2008, at 11:02, Kevin Stevenard [IT] wrote:

> Yes I know that the problem seems to appear on the client side, but
> use the --certname parameter on the puppetmaster side. By the way
> are you using mongrel or webrick, because I already face this
> problem one time, it was working fine with webrick but not with
> mongrel (mongrel+nginx). and after setting --certname
> puppet.mydomain.com on all puppetmaster it was working fine with
> mongrel.
>
> In addition I think that if the problem was on the client
> certificate the puppetmaster server will print some logs to tell you
> to clean the certificate of the client side.

Unfortunately, it doesn't work :-( (and yes, I am using Mongrel+Apache2).

--
Kind regards
Juri Rischel Jensen
Fab:IT ApS
Vesterbrogade 50
DK-1620 København
Tel: +45 70 202 407
www.fab-it.dk