Scott
2009-Apr-14 21:55 UTC
[Puppet Users] Allowing unauthenticated client access to puppetca.getcert
So a few days ago, I started seeing large numbers of the following error in the logs of our puppetmaster (large meaning 5 every second):

Apr 14 14:49:09 puppet-server puppetmasterd[32314]: Allowing unauthenticated client localhost(127.0.0.1) access to puppetca.getcert

Googling this yielded one possible explanation, permissions on the ssl directories, however adjusting the permissions didn't change anything, we're still getting the error. Also, the error only lists "localhost" as the problem, there's never any reference to any of the other servers using puppet and all the servers are able to use puppet with no problems.

We've been running 0.24.7 on Ubuntu 8.04 for a while now and the message only started showing up on April 10th. I tried upgrading to 0.24.8 but we're still getting the errors.

Anyone have any ideas what might be causing this?

Cheers,
Scott
Scott
2009-Apr-14 22:41 UTC
[Puppet Users] Re: Allowing unauthenticated client access to puppetca.getcert
So this turned out to be caused by the fact that I had changed the name of one of our servers and I hadn't signed the cert for it yet.

The error message is not very helpful at all since it references "localhost" instead of the server that's trying to authenticate so I've filed a bug for this:

http://projects.reductivelabs.com/issues/2159

Cheers,
Scott
Luke Kanies
2009-Apr-20 17:10 UTC
[Puppet Users] Re: Allowing unauthenticated client access to puppetca.getcert
Just so you know, part of the problem too is that Debian (I think) ships with waitforcert=0 in a release in which Puppet thinks that means "keep trying" rather than "exit", which means that your puppet client will just hit the server as fast and as hard as it can.

The easiest way to track down this kind of issue can sometimes be to look at the logs of your http proxy; Puppet actually doesn't have host information here, because you've got that proxy, but the proxy knows who's contacting you.

Hopefully we can add better logs in Puppet, too, though, so thanks for filing the bug.

--
No matter how rich you become, how famous or powerful, when you die the size of your funeral will still pretty much depend on the weather. -- Michael Pritchard
Luke Kanies | http://reductivelabs.com | http://madstop.com
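Added example, not part of the original thread: one way to act on the suggestion above and use the HTTP proxy's log to find which host is behind the "localhost" getcert messages. It assumes a combined-style proxy access log on the same clock and timezone as the puppetmaster's syslog; the sample lines, the 192.0.2.x addresses and the /RPC2 path are constructed for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample data. The syslog lines follow the message quoted in the
# thread; the proxy lines assume a combined-style access log (assumption).
SYSLOG = """\
Apr 14 14:49:09 puppet-server puppetmasterd[32314]: Allowing unauthenticated client localhost(127.0.0.1) access to puppetca.getcert
Apr 14 14:49:09 puppet-server puppetmasterd[32314]: Allowing unauthenticated client localhost(127.0.0.1) access to puppetca.getcert
Apr 14 14:49:10 puppet-server puppetmasterd[32314]: Allowing unauthenticated client localhost(127.0.0.1) access to puppetca.getcert
"""
PROXY = """\
192.0.2.15 - - [14/Apr/2009:14:49:09 +0000] "POST /RPC2 HTTP/1.1" 200 512
192.0.2.15 - - [14/Apr/2009:14:49:09 +0000] "POST /RPC2 HTTP/1.1" 200 512
192.0.2.40 - - [14/Apr/2009:14:49:09 +0000] "POST /RPC2 HTTP/1.1" 200 2048
192.0.2.15 - - [14/Apr/2009:14:49:10 +0000] "POST /RPC2 HTTP/1.1" 200 512
192.0.2.40 - - [14/Apr/2009:14:52:00 +0000] "POST /RPC2 HTTP/1.1" 200 2048
"""

SYSLOG_RE = re.compile(
    r"^(\w{3} +\d+ [\d:]{8}) \S+ puppetmasterd\[\d+\]: "
    r"Allowing unauthenticated client \S+ access to puppetca\.getcert")
PROXY_RE = re.compile(r"^(\S+) \S+ \S+ \[([^\]]+)\]")

def flood_seconds(syslog_text, year):
    """Count the getcert messages per second (syslog stamps carry no year)."""
    hits = Counter()
    for line in syslog_text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            stamp = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
            hits[stamp] += 1
    return hits

def attribute_clients(syslog_text, proxy_text, year):
    """Rank remote addresses by proxy requests made in the flagged seconds."""
    seconds = flood_seconds(syslog_text, year)
    clients = Counter()
    for line in proxy_text.splitlines():
        m = PROXY_RE.match(line)
        if not m:
            continue  # skip lines that are not access-log entries
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        if ts.replace(tzinfo=None) in seconds:  # same-timezone assumption
            clients[m.group(1)] += 1
    return clients.most_common()
```

A correctly signed client that happens to check in during a flagged second also shows up, so read the result as a ranking: the host retrying for its certificate dominates the count.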
Kyle Cordes
2009-Apr-20 17:13 UTC
[Puppet Users] Re: Allowing unauthenticated client access to puppetca.getcert
Luke Kanies wrote:
> Just so you know, part of the problem too is that Debian (I think)
> ships with waitforcert=0 in a release in which Puppet thinks that
> means "keep trying" rather than "exit", which means that your puppet
> client will just hit the server as fast and as hard as it can.

... and in the process, becomes a problem for Debian/Ubuntu users one after another. :-(

--
Kyle Cordes
http://kylecordes.com