Hello to All, I''ve setup 5 centos hosts that all work fine but after signing my debian client request I get Certificate validation failed; consider using the certname configuration option on the debian client. Never seen this error message before. Several times i''ve rm -rf /etc/puppet/ssl to force it to issue a new certificate request, which the puppetmaster sees ans signs no problem. But that signed cert just dosen''t work for the client. /var/log/syslog on debian client. Mar 28 00:41:46 puppetd[25663]: Reopening log files Mar 28 00:41:46 puppetd[25663]: Creating a new certificate request for host Mar 28 00:41:46 puppetd[25663]: Creating a new SSL key at /etc/puppet/ ssl/private_keys/host.pem Mar 28 00:41:46 puppetd[25663]: Did not receive certificate Mar 28 00:43:46 puppetd[25663]: Got signed certificate Mar 28 00:43:46 puppetd[25663]: Starting Puppet client version 0.24.7 Mar 28 00:43:49 puppetd[25663]: Caching catalog at /var/lib/puppet/ state/localconfig.yaml Mar 28 00:43:49 puppetd[25663]: Starting catalog run Mar 28 00:43:49 puppetd[25663]: Certificate validation failed; consider using the certname configuration option this puppet was installed by : apt-get install puppet/experimental how /etc/hosts has an entry puppet_master_ip puppet however this is not the name that is in /etc/puppet/puppet.conf server=FQDN_of_puppet_master however my other centos clients have no problems with this. Could this be a nsswith.conf issue? Both debian and centos have host files dns I dont want to change the [puppetmasterd] certname as suggest in error message since that would break my other clients, as I understand it. Any assistance is appreciated. Thanks --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
The only time I see these errors is when the date on my client is screwed up. Sorry if that doesn''t help. -Jason On Mar 27, 2009, at 5:57 PM, Trevor <mailtrevhere@gmail.com> wrote:> > Hello to All, > > > I''ve setup 5 centos hosts that all work fine but after signing my > debian client request I get > > > Certificate validation failed; consider using the certname > configuration option > > on the debian client. Never seen this error message before. Several > times i''ve rm -rf /etc/puppet/ssl to force it to issue a new > certificate request, which the puppetmaster sees ans signs no > problem. But that signed cert just dosen''t work for the client. > > /var/log/syslog on debian client. > > > Mar 28 00:41:46 puppetd[25663]: Reopening log files > Mar 28 00:41:46 puppetd[25663]: Creating a new certificate request > for host > Mar 28 00:41:46 puppetd[25663]: Creating a new SSL key at /etc/ > puppet/ > ssl/private_keys/host.pem > Mar 28 00:41:46 puppetd[25663]: Did not receive certificate > > Mar 28 00:43:46 puppetd[25663]: Got signed certificate > Mar 28 00:43:46 puppetd[25663]: Starting Puppet client version 0.24.7 > Mar 28 00:43:49 puppetd[25663]: Caching catalog at /var/lib/puppet/ > state/localconfig.yaml > Mar 28 00:43:49 puppetd[25663]: Starting catalog run > Mar 28 00:43:49 puppetd[25663]: Certificate validation failed; > consider using the certname configuration option > > this puppet was installed by : apt-get install puppet/experimental > > how /etc/hosts has an entry > > puppet_master_ip puppet > > however this is not the name that is in /etc/puppet/puppet.conf > > server=FQDN_of_puppet_master > > however my other centos clients have no problems with this. Could > this be a nsswith.conf issue? Both debian and centos have > > host files dns > > I dont want to change the > > [puppetmasterd] > certname > > as suggest in error message since that would break my other clients, > as I understand it. > > Any assistance is appreciated. > > Thanks > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
as it turns out the timzones were different. However , now in /var/log/syslog I get Mar 31 18:39:56 debain_client_host puppetd[19020]: Calling puppetca.getcert Mar 31 18:39:57 debian_client_host puppetd[19020]: Could not request certificate: Certificate retrieval failed: Certificate request does not match existing certificate; run ''puppetca --clean debian_client_host''. I have cleaned the cert on the puppetmasterd and removed the /etc/puppet/ssl directory on the client several times but still get this error. --debug is on but it does not tell me how the certificate is not matching. Appreciate any assistance, Trevor On Fri, Mar 27, 2009 at 7:53 PM, Jason Rojas <jason@nothingbeatsaduck.com>wrote:> > The only time I see these errors is when the date on my client is > screwed up. Sorry if that doesn''t help. > > -Jason > > On Mar 27, 2009, at 5:57 PM, Trevor <mailtrevhere@gmail.com> wrote: > > > > > Hello to All, > > > > > > I''ve setup 5 centos hosts that all work fine but after signing my > > debian client request I get > > > > > > Certificate validation failed; consider using the certname > > configuration option > > > > on the debian client. Never seen this error message before. Several > > times i''ve rm -rf /etc/puppet/ssl to force it to issue a new > > certificate request, which the puppetmaster sees ans signs no > > problem. But that signed cert just dosen''t work for the client. > > > > /var/log/syslog on debian client. > > > > > > Mar 28 00:41:46 puppetd[25663]: Reopening log files > > Mar 28 00:41:46 puppetd[25663]: Creating a new certificate request > > for host > > Mar 28 00:41:46 puppetd[25663]: Creating a new SSL key at /etc/ > > puppet/ > > ssl/private_keys/host.pem > > Mar 28 00:41:46 puppetd[25663]: Did not receive certificate > > > > Mar 28 00:43:46 puppetd[25663]: Got signed certificate > > Mar 28 00:43:46 puppetd[25663]: Starting Puppet client version 0.24.7 > > Mar 28 00:43:49 puppetd[25663]: Caching catalog at /var/lib/puppet/ > > state/localconfig.yaml > > Mar 28 00:43:49 puppetd[25663]: Starting catalog run > > Mar 28 00:43:49 puppetd[25663]: Certificate validation failed; > > consider using the certname configuration option > > > > this puppet was installed by : apt-get install puppet/experimental > > > > how /etc/hosts has an entry > > > > puppet_master_ip puppet > > > > however this is not the name that is in /etc/puppet/puppet.conf > > > > server=FQDN_of_puppet_master > > > > however my other centos clients have no problems with this. Could > > this be a nsswith.conf issue? Both debian and centos have > > > > host files dns > > > > I dont want to change the > > > > [puppetmasterd] > > certname > > > > as suggest in error message since that would break my other clients, > > as I understand it. > > > > Any assistance is appreciated. > > > > Thanks > > > > > > > > > > >--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
On Mar 31, 1:43 pm, Trevor Price <mailtrevh...@gmail.com> wrote:> as it turns out the timzones were different. However , now in > /var/log/syslog I get > Mar 31 18:39:56 debain_client_host puppetd[19020]: Calling puppetca.getcert > Mar 31 18:39:57 debian_client_host puppetd[19020]: Could not request > certificate: Certificate retrieval failed: Certificate request does not > match existing certificate; run ''puppetca --clean debian_client_host''. > > I have cleaned the cert on the puppetmasterd and removed the /etc/puppet/ssl > directory on the client several times but still get this error. --debug is > on but it does not tell me how the certificate is not matching.I saw something similar when I tried to preseed the installation of puppet using "d-i pkgsel/include string puppet" The preseed installation used different directory paths than the "apt- get install puppet" installs I had done previously. When my centralized puppet.conf file would get written to the client, the next run through consistently produced a bunch of 500 errors as the certificates no longer matched. So you might check that your certs are where you think they should be. Maybe with "puppetd --genconfig" ? --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
James Turnbull
2009-Apr-01 21:35 UTC
[Puppet Users] Re: certificate signing error on debian
Scott Frazer wrote:> On Mar 31, 1:43 pm, Trevor Price <mailtrevh...@gmail.com> wrote: >> as it turns out the timzones were different. However , now in >> /var/log/syslog I get >> Mar 31 18:39:56 debain_client_host puppetd[19020]: Calling puppetca.getcert >> Mar 31 18:39:57 debian_client_host puppetd[19020]: Could not request >> certificate: Certificate retrieval failed: Certificate request does not >> match existing certificate; run ''puppetca --clean debian_client_host''. >>Have you tried the certname option? Regards James Turnbull -- Author of: * Pro Linux Systems Administration (http://www.amazon.com/gp/product/1430219122/) * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
James Turnbull
2009-Apr-01 21:37 UTC
[Puppet Users] Re: certificate signing error on debian
Scott Frazer wrote:> I saw something similar when I tried to preseed the installation of > puppet using "d-i pkgsel/include string puppet" > > The preseed installation used different directory paths than the "apt- > get install puppet" installs I had done previously. When my > centralized puppet.conf file would get written to the client, the next > run through consistently produced a bunch of 500 errors as the > certificates no longer matched. So you might check that your certs > are where you think they should be. Maybe with "puppetd --genconfig" ?Whilst I am not preseed best friend I don''t see how this is possible. Why would preseed do installation any differently? d-i pkgsel/include should use Debian standard package tool - in this case aptitude - to install. Regards James Turnbull -- Author of: * Pro Linux Systems Administration (http://www.amazon.com/gp/product/1430219122/) * Pulling Strings with Puppet (http://www.amazon.com/gp/product/1590599780/) * Pro Nagios 2.0 (http://www.amazon.com/gp/product/1590596099/) * Hardening Linux (http://www.amazon.com/gp/product/1590594444/)
On Apr 1, 4:37 pm, James Turnbull <ja...@lovedthanlost.net> wrote:> Scott Frazer wrote: > > I saw something similar when I tried to preseed the installation of > > puppet using "d-i pkgsel/include string puppet" > > > The preseed installation used different directory paths than the "apt- > > get install puppet" installs I had done previously. When my > > centralized puppet.conf file would get written to the client, the next > > run through consistently produced a bunch of 500 errors as the > > certificates no longer matched. So you might check that your certs > > are where you think they should be. Maybe with "puppetd --genconfig" ? > > Whilst I am not preseed best friend I don''t see how this is possible. > > Why would preseed do installation any differently? d-i pkgsel/include > should use Debian standard package tool - in this case aptitude - to > install.I''d love to know myself. All I know is that I spent a weekend trying to figure out why my new installs were constantly generating 500 messages. Then I discovered that Ubuntu also broke apt-get in such a way as to prevent it from doing an install on first boot through an init.d script. For now, I''ve got a manual process in setting up the puppet client software, but then everything else gets set up for me, so it''s still a time saver. --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
On 4/1/2009 5:26 PM, Scott Frazer wrote:> On Apr 1, 4:37 pm, James Turnbull <ja...@lovedthanlost.net> wrote: >> Why would preseed do installation any differently? d-i pkgsel/include >> should use Debian standard package tool - in this case aptitude - to >> install. > > I''d love to know myself. All I know is that I spent a weekend trying > to figure out why my new installs were constantly generating 500 > messages. Then I discovered that Ubuntu also broke apt-get in such a > way as to prevent it from doing an install on first boot through an > init.d script. > > For now, I''ve got a manual process in setting up the puppet client > software, but then everything else gets set up for me, so it''s still a > time saver.I don''t have a recent Ubuntu preseed setup, but here''s what I ended up with for preseeding a newer Puppet onto Debian etch on Feb. 23 (lines may break badly -- each d-i entry should be a single line). # Add openssh-server plus newer puppet dependencies d-i pkgsel/include string openssh-server ruby libxmlrpc-ruby libopenssl-ruby adduser lsb-base lsb-release libshadow-ruby1.8 # Grab facter and puppet packages and settings, install local # repository key, toggle bootable flags on Windows and root # partitions, and save installation log to newly-installed drive. d-i preseed/late_command string wget -O /target/root/facter_1.5.1-0.1_all.deb http://ftp.cae.tntech.edu/REDACTED/facter_1.5.1-0.1_all.deb ; wget -O /target/root/puppet_0.24.6-1_all.deb http://ftp.cae.tntech.edu/REDACTED/puppet_0.24.6-1_all.deb ; in-target dpkg --force-confold -i /root/facter_1.5.1-0.1_all.deb /root/puppet_0.24.6-1_all.deb ; wget -O /target/etc/puppet/puppet.conf http://ftp.cae.tntech.edu/REDACTED/puppet.conf ; wget -O /target/root/caeftp_key.asc http://ftp.cae.tntech.edu/REDACTED/caeftp_key.asc ; in-target apt-key add /root/caeftp_key.asc ; echo -e ''a\n1\na\n2\nw\n'' | fdisk /dev/sda || true; cp /var/log/syslog /target/root -- Mike Renfro / R&D Engineer, Center for Manufacturing Research, 931 372-3601 / Tennessee Technological University --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
as I understand it certname is a puppetmasterd change. Doing so would break the existing dozen centos clients that are working fine. The client side server=FQDN_of_puppet_master and the puppetmaster thinks its name is its FQDN now the puppet clients all have /etc/hosts entries for ip_of_puppetmaster puppet so that "puppet" can be used in the manifests to specify fileserver. Don''t want to hardcode specific hostnames here in the manifests. Unfortunately I am in a hosted situation and do not control dns. Just /etc/hosts. On Apr 1, 2:35 pm, James Turnbull <ja...@lovedthanlost.net> wrote:> Scott Frazer wrote: > > On Mar 31, 1:43 pm, Trevor Price <mailtrevh...@gmail.com> wrote: > >> as it turns out the timzones were different. However , now in > >> /var/log/syslog I get > >> Mar 31 18:39:56 debain_client_host puppetd[19020]: Calling puppetca.getcert > >> Mar 31 18:39:57 debian_client_host puppetd[19020]: Could not request > >> certificate: Certificate retrieval failed: Certificate request does not > >> match existing certificate; run ''puppetca --clean debian_client_host''. > > Have you tried the certname option? > > Regards > > James Turnbull > > -- > Author of: > * Pro Linux Systems Administration > (http://www.amazon.com/gp/product/1430219122/) > * Pulling Strings with Puppet > (http://www.amazon.com/gp/product/1590599780/) > * Pro Nagios 2.0 > (http://www.amazon.com/gp/product/1590596099/) > * Hardening Linux > (http://www.amazon.com/gp/product/1590594444/) > > signature.asc > < 1KViewDownload--~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---
On Apr 1, 5:26 pm, Scott Frazer <sfra...@gmail.com> wrote:> I''d love to know myself. All I know is that I spent a weekend trying > to figure out why my new installs were constantly generating 500 > messages. Then I discovered that Ubuntu also broke apt-get in such a > way as to prevent it from doing an install on first boot through an > init.d script.Okay, I figured out what I did wrong. Debian''s way for the SSL certs is to put them in /var/lib/puppet/ssl. If you run puppetd with an empty puppet.conf, your certs will go in /etc/puppet/ssl. My problem wasn''t with the preseed install, but the minimal puppet.conf file I created to bootstrap through to the puppet server (which in my network isn''t named "puppet") Sorry to hijack the thread, Scott --~--~---------~--~----~------------~-------~--~----~ You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en -~----------~----~----~----~------~----~------~--~---