Hi,

I've been cleaning some nodes from my server (puppetca --clean) and I
wanted to see how many I had under /etc/puppet/ssl/ca/signed/.
I had a surprise when I noticed that I had less there than in my pbs,
so I looked for the missing ones...

One of them is td242, at the beginning I thought the node was
misconfigured, but not, and also, it can run puppet client normally:

# /usr/bin/ruby /usr/sbin/puppetd --server=gridinstall.pic.es --test
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: /:main/Node[td242.pic.es]/worker-node/local_conf/Cron[ganglia]/ensure: created
notice: /:main/Node[td242.pic.es]/worker-node/local_conf/Cron[puppet]/ensure: created
info: Sent transaction report in 1.94 seconds
notice: Finished catalog run in 83.60 seconds

(yes, it's adding a new cron, expected)

but from server:

[root@gridinstall manifests]# ls -lsa /etc/puppet/ssl/ca/signed/|grep td242
[root@gridinstall manifests]#

and it's under autosign:
# grep td242 *
autosign.conf:td242.pic.es

server logs say a lot about this node:
# grep -c td242 /var/log/puppet/puppetmaster.log
1351

nothing really new.

So, why isn't this node cert under signed dir?

TIA,
Arnau

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en

On Mar 17, 2009, at 10:05 AM, Arnau Bria wrote:

> Hi,
>
> I've been cleaning some nodes from my server (puppetca --clean) and I
> wanted to see how many I had under /etc/puppet/ssl/ca/signed/.
> I had a surprise when I noticed that I had less there than in my pbs,
> so I looked for the missing ones...
>
> One of them is td242, at the beginning I thought the node was
> misconfigured, but not, and also, it can run puppet client normally:
>
> # /usr/bin/ruby /usr/sbin/puppetd --server=gridinstall.pic.es --test
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> notice: /:main/Node[td242.pic.es]/worker-node/local_conf/Cron[ganglia]/ensure: created
> notice: /:main/Node[td242.pic.es]/worker-node/local_conf/Cron[puppet]/ensure: created
> info: Sent transaction report in 1.94 seconds
> notice: Finished catalog run in 83.60 seconds
>
> (yes, it's adding a new cron, expected)
>
> but from server:
>
> [root@gridinstall manifests]# ls -lsa /etc/puppet/ssl/ca/signed/|grep td242
> [root@gridinstall manifests]#
>
> and it's under autosign:
> # grep td242 *
> autosign.conf:td242.pic.es
>
> server logs say a lot about this node:
> # grep -c td242 /var/log/puppet/puppetmaster.log
> 1351
>
> nothing really new.
>
> So, why isn't this node cert under signed dir?

I can't tell you why it's not under that dir, but I can tell you
that its presence or absence has no effect on authentication.
Authentication is all about the matching CA cert, not whether the
server has a copy of the client's certificate.

--
A bore is a man who deprives you of solitude without providing you
with company. -- Gian Vincenzo Gravina
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com

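Added example (not part of the thread and not Puppet's own code): a Ruby sketch of the point in the reply above, that acceptance depends on the issuing CA and not on a stored copy of the client certificate. It goes one step beyond the reply by also showing, for X.509 in general, that a CRL is what rejects a certificate the CA has issued; the CAs, the certificate for td242.pic.es and all function names are constructed for illustration.

```ruby
require 'openssl'

# Build a certificate for cn; self-signed CA when issuer is nil. Names are hypothetical.
def make_cert(cn, key, serial, issuer: nil, issuer_key: key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  bc = issuer ? 'CA:FALSE' : 'CA:TRUE'
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', bc, true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Build a CRL signed by the CA that lists the given serial numbers as revoked.
def make_crl(ca_cert, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  serials.each do |s|
    revoked = OpenSSL::X509::Revoked.new
    revoked.serial = s
    revoked.time = Time.now - 30
    crl.add_revoked(revoked)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verification consults only the CA cert (and a CRL if given), never a stored client cert.
def accepted?(ca_cert, client_cert, crl: nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if crl
  store.verify(client_cert)
end

# Constructed CAs and node certificate; returns the verdict for each case.
def demo
  ca_key, other_key, node_key = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  ca = make_cert('Constructed Puppet CA', ca_key, 1)
  other = make_cert('Constructed Other CA', other_key, 1)
  node = make_cert('td242.pic.es', node_key, 2, issuer: ca, issuer_key: ca_key)
  { issued_by_ca: accepted?(ca, node), other_ca: accepted?(other, node),
    empty_crl: accepted?(ca, node, crl: make_crl(ca, ca_key, [])),
    revoked: accepted?(ca, node, crl: make_crl(ca, ca_key, [2])) }
end
```

Calling `demo` returns true for `issued_by_ca` and `empty_crl`, and false for `other_ca` and `revoked`.
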
On Thu, 19 Mar 2009 17:12:02 -0500 Luke Kanies wrote:

Hi Luke,

> > So, why isn't this node cert under signed dir?
>
> I can't tell you why it's not under that dir, but I can tell you
> that its presence or absence has no effect on authentication.
> Authentication is all about the matching CA cert, not whether the
> server has a copy of the client's certificate.

Ok, thanks for your reply.

Cheers,
Arnau