I am attempting to set up file serving in a testing environment. I currently have puppet/puppetmaster running "successfully" in that I have users and hosts updating correctly across all clients, but when I try to source /etc/sudoers, I am getting the following errors on my client:

Sep 2 08:30:53 vm1 puppetd[20098]: Certificate validation failed; consider using the certname configuration option
Sep 2 08:30:53 vm1 puppetd[20098]: (//Node[default]/baseclass/sudo/File[/etc/sudoers]/source) change from {md5}7979b7220807b750f3a1e45e93b0da3f to puppet://vm1.mydomain.com/files/sudoers failed: Certificates were not trusted: hostname not match with the server certificate
Sep 2 08:30:53 vm1 puppetd[20098]: (//Node[default]/baseclass/hosts/Host[vm1.mydomain.com]/alias) alias changed 'vm1 foo' to 'vm1'
Sep 2 08:30:53 vm1 puppetd[20098]: Finished catalog run in 0.24 seconds

As you can see, an /etc/hosts alias is correctly updating - previously, it also added some users for me.

The puppetmaster is: vm1.mydomain.com (domain name changed to protect the guilty)
The client is: vm2.mydomain.com

Both of the hostnames are confirmed by running `hostname` as well as facter fqdn.

Here is /etc/puppet.conf (on the client):

[main]
    vardir = /var/lib/puppet
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl

[puppetd]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = vm1.mydomain.com

I have also tried adding "certname = vm1.mydomain.com" on both the client and server to resolve the issue, to no avail. In between every attempt, I have nuked everything under /var/lib/puppet on both the client and server, restarted both and re-signed the certificates with puppetca --sign hostname. Both clocks are in sync.

I looked at http://reductivelabs.com/trac/puppet/wiki/CertificatesAndSecurity and ran the following command on the server, but am not sure exactly what I'm looking for:

[root@vm1 lib]# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/vm1.mydomain.com.pem | grep -A2 Validity
        Validity
            Not Before: Sep  1 12:24:33 2009 GMT
            Not After : Aug 31 12:24:33 2014 GMT

Here is my /etc/puppet/manifests/classes/sudo.pp definition:

class sudo {
    file { "/etc/sudoers":
        owner  => "root",
        group  => "root",
        mode   => 440,
        source => "puppet://vm1.mydomain.com/files/sudoers"
    }
}

...and my /etc/puppet/fileserver.conf (temporarily set to allow * until I sort this out):

[files]
    path /etc/puppet/files
    allow *

Any ideas? This configuration seems pretty dead simple and it is half working, it's just not serving files. I am using puppet 0.24.8-1 on CentOS 5.3 from the epel yum repository.

Thanks in advance for any help you might be able to provide.

Aaron

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Justin Kinney
2009-Sep-02 13:11 UTC
[Puppet Users] Re: certificate errors when file serving
> Any ideas? This configuration seems pretty dead simple and it is half
> working, it's just not serving files. I am using puppet 0.24.8-1 on
> CentOS 5.3 from the epel yum repository.

Do you have a CNAME record for "puppet" in DNS? If not, try adding a hosts entry called "puppet" to your hosts file.

Also, try specifying your puppetserver on the command line:

/usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t

--Justin
I added puppet to my hosts.pp file and the change was picked up by the client, but I still get the following errors:

Sep 2 09:26:19 vm1 puppetd[22296]: Certificate validation failed; consider using the certname configuration option
Sep 2 09:26:19 vm1 puppetd[22296]: (//Node[default]/baseclass/sudo/File[/etc/sudoers]/source) change from {md5}7979b7220807b750f3a1e45e93b0da3f to puppet://vm1.mydomain.com/files/sudoers failed: Certificates were not trusted: hostname not match with the server certificate

I then ran the command you mention and get the following:

debug: Creating default schedules
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/public_keys/vm2.bzzagent.com.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/public_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/csr_vm2.bzzagent.com.pem]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[puppetd]/File[/var/lib/puppet/classes.txt]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/certs/vm2.bzzagent.com.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/private_keys/vm2.bzzagent.com.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/private_keys]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[puppetd]/File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/certs]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/private]: Autorequiring File[/var/lib/puppet/ssl]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[main]/File[/var/lib/puppet/ssl]: Autorequiring File[/var/lib/puppet]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[ssl]/File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
debug: /Settings[/etc/puppet/puppet.conf]/Settings[puppetd]/File[/var/lib/puppet/state/state.yaml]: Autorequiring File[/var/lib/puppet/state]
debug: Finishing transaction -606358058 with 0 changes
debug: Loaded state in 0.00 seconds
debug: Retrieved facts in 0.18 seconds
debug: Retrieving catalog
debug: Calling puppetmaster.getconfig
debug: Retrieved catalog in 0.15 seconds
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderNetinfo: file niutil does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::Host::ProviderNetinfo: file niutil does not exist
debug: Puppet::Network::Client::File: defining fileserver.describe
debug: Puppet::Network::Client::File: defining fileserver.list
debug: Puppet::Network::Client::File: defining fileserver.retrieve
debug: Creating default schedules
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
debug: Loaded state in 0.00 seconds
debug: Prefetching parsed resources for host
debug: Calling fileserver.describe
debug: Calling fileserver.retrieve
debug: //Node[default]/baseclass/sudo/File[/etc/sudoers]/source: Executing 'diff /etc/sudoers /tmp/puppet-diffing.22773.0'
83c83
< # %wheel ALL=(ALL) ALL
---
> %wheel ALL=(ALL) ALL
debug: //Node[default]/baseclass/sudo/File[/etc/sudoers]: Changing source
debug: //Node[default]/baseclass/sudo/File[/etc/sudoers]: 1 change(s)
debug: Calling puppetbucket.addfile
warning: Certificate validation failed; consider using the certname configuration option
err: //Node[default]/baseclass/sudo/File[/etc/sudoers]/source: change from {md5}7979b7220807b750f3a1e45e93b0da3f to puppet://vm1.mydomain.com/files/sudoers failed: Certificates were not trusted: hostname not match with the server certificate
debug: Finishing transaction -612505048 with 1 changes
debug: Storing state
debug: Stored state in 0.01 seconds
notice: Finished catalog run in 0.24 seconds

Looks like it's retrieving and diff'ing the file, but not writing it.

On Sep 2, 9:11 am, Justin Kinney <jaki...@gmail.com> wrote:
> > Any ideas? This configuration seems pretty dead simple and it is half
> > working, it's just not serving files. I am using puppet 0.24.8-1 on
> > CentOS 5.3 from the epel yum repository.
>
> Do you have a CNAME record for "puppet" in DNS? If not, try adding a
> hosts entry called "puppet" to your hosts file.
>
> Also, try specifying your puppetserver on the command line:
>
> /usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t
>
> --Justin
Justin Kinney
2009-Sep-02 16:35 UTC
[Puppet Users] Re: certificate errors when file serving
> Looks like it's retrieving and diff'ing the file, but not writing it.

That's probably because the certificate is not trusted. Can you try the following (in this order):

on the client:
rm -rf /var/lib/puppet/ssl/*

on the server:
puppetca --clean vm2.guilty.com

on the client:
/usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t

on the server:
puppetca --sign vm2.guilty.com

on the client:
/usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t

--Justin
This is exactly the sequence of steps that I have been doing over and over like an insane person :). The certificate gets signed fine, and puppet scripts are running, but serving files is failing with the errors above. Just to be sure, I tried exactly your steps and got the same results.

Thank you for your help,
Aaron

On Sep 2, 12:35 pm, Justin Kinney <jaki...@gmail.com> wrote:
> > Looks like it's retrieving and diff'ing the file, but not writing it.
>
> That's probably because the certificate is not trusted. Can you try
> the following (in this order):
>
> on the client:
> rm -rf /var/lib/puppet/ssl/*
>
> on the server:
> puppetca --clean vm2.guilty.com
>
> on the client:
> /usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t
>
> on the server:
> puppetca --sign vm2.guilty.com
>
> on the client:
> /usr/sbin/puppetd --onetime --no-daemonize --server vm1.guilty.com -d -t
>
> --Justin
So, I tried a random file in another directory and guess what, it worked:

class testfile {
    file { "/tmp/testfile.txt":
        source => "puppet:///files/testfile.txt"
    }
}

The file ended up in /tmp/testfile.txt.

sudoers still doesn't work - thinking it was permissions based (I had it set to 440), I set it to 640 and the problem still exists. I'm at a bit of a loss here.
Ok - so the error occurs if the file already exists. I modified my test file, restarted, and I now get the same error:

Sep 2 15:20:09 vm1 puppetd[3205]: (//Node[default]/baseclass/testfile/File[/tmp/testfile.txt]/source) change from {md5}f47c75614087a8dd938ba4acff252494 to puppet:///files/testfile.txt failed: Certificates were not trusted: hostname not match with the server certificate

Any ideas what is going on here?
Nigel Kersten
2009-Sep-02 19:33 UTC
[Puppet Users] Re: certificate errors when file serving
On Wed, Sep 2, 2009 at 12:15 PM, ABrown<aaron@9minutesnooze.com> wrote:
>
> So, I tried a random file in another directory and guess what, it
> worked
>
> class testfile {
>     file { "/tmp/testfile.txt":
>         source => "puppet:///files/testfile.txt"
>     }
> }

Did this work because you switched from:

source => "puppet://vm1.mydomain.com/files/sudoers"

to

source => "puppet:///files/testfile.txt"

which automagically refers to the current host?

>
> The file ended up in /tmp/testfile.txt.
>
> sudoers still doesn't work - thinking it was permissions based (I had
> it set to 440), I set it to 640 and the problem still exists. I'm at
> a bit of a loss here.
>

--
Nigel Kersten
nigelk@google.com
System Administrator
Google Inc.
No, it seems to have everything to do with replacing an existing file. I changed the file on the server and it couldn't update it. I removed the file on the client and it updated fine. It happens after the puppetbucket.addfile, as shown in the debug dump above. I added replace => true, and it didn't help.

On Sep 2, 3:33 pm, Nigel Kersten <nig...@google.com> wrote:
> On Wed, Sep 2, 2009 at 12:15 PM, ABrown<aa...@9minutesnooze.com> wrote:
>
> Did this work because you switched from:
>
> source => "puppet://vm1.mydomain.com/files/sudoers"
>
> to
>
> source => "puppet:///files/testfile.txt"
>
> which automagically refers to the current host?
>
Justin Kinney
2009-Sep-02 20:21 UTC
[Puppet Users] Re: certificate errors when file serving
> Ok - so the error occurs if the file already exists. I modified my
> test file, restarted, and I now get the same error:
> Sep 2 15:20:09 vm1 puppetd[3205]: (//Node[default]/baseclass/testfile/
> File[/tmp/testfile.txt]/source) change from {md5}
> f47c75614087a8dd938ba4acff252494 to puppet:///files/testfile.txt
> failed: Certificates were not trusted: hostname not match with the
> server certificate
>
> Any ideas what is going on here?

Since you were able to create a file that was previously non-existent, it seems to have to do with the filebucketing of the existing file, doesn't it? (since filebucketing wouldn't happen at this point).

Can you add something like the following to your site.pp?

filebucket { main: server => 'vm1.guilty.com' }

--Justin
Booyah! That was it. I had the hostname set without the fqdn there.

Thank you very much for sticking with me today.

Aaron

On Sep 2, 4:21 pm, Justin Kinney <jaki...@gmail.com> wrote:
> > Ok - so the error occurs if the file already exists. I modified my
> > test file, restarted, and I now get the same error:
> > Sep 2 15:20:09 vm1 puppetd[3205]: (//Node[default]/baseclass/testfile/
> > File[/tmp/testfile.txt]/source) change from {md5}
> > f47c75614087a8dd938ba4acff252494 to puppet:///files/testfile.txt
> > failed: Certificates were not trusted: hostname not match with the
> > server certificate
> >
> > Any ideas what is going on here?
>
> Since you were able to create a file that was previously non-existent,
> it seems to have to do with the filebucketing of the existing file,
> doesn't it? (since filebucketing wouldn't happen at this point).
>
> Can you add something like the following to your site.pp?
>
> filebucket { main: server => 'vm1.guilty.com' }
>
> --Justin
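The root cause the thread converged on is a plain hostname check: the filebucket was configured with the short name while the puppetmaster's certificate was issued for the FQDN, so TLS validation on the filebucket connection (the puppetbucket.addfile call in the debug dump) failed even though the catalog fetch, which used the FQDN from the server setting, succeeded. The following is an added example, not code from the thread and not Puppet's own implementation: an RFC 6125-style matcher that takes the name a client connected to and a certificate in the dict shape Python's ssl getpeercert() returns, and reports whether the name is one of the certificate's DNS identities. The certificates, hostnames and the wildcard policy below are constructed for illustration; the point it demonstrates is that "vm1" and "puppet" do not validate against a certificate that only names "vm1.mydomain.com", and that the fix is to make every configured server name (server, filebucket server) match the certificate, or reissue the certificate with SANs for the extra names, never to turn validation off.

```python
"""Hostname-vs-certificate matching, RFC 6125 style.

Added example for this thread; it is not Puppet code and not code posted by
anyone above. The check it implements is the one behind "hostname not match
with the server certificate": the name the client used to reach the server
must be one of the DNS identities in the server certificate. Certificates are
constructed dicts in the shape returned by Python's ssl getpeercert();
nothing here touches the network.
"""


# Constructed sample: puppetmaster certificate issued for the FQDN only,
# which is what the thread's certificate (CN vm1.mydomain.com) looks like.
PUPPETMASTER_CERT = {
    "subject": ((("commonName", "vm1.mydomain.com"),),),
    "subjectAltName": (),
}

# Constructed sample: the same server re-issued with SAN entries that also
# cover the "puppet" alias and the short name, so either name validates.
PUPPETMASTER_CERT_WITH_SANS = {
    "subject": ((("commonName", "vm1.mydomain.com"),),),
    "subjectAltName": (
        ("DNS", "vm1.mydomain.com"),
        ("DNS", "puppet.mydomain.com"),
        ("DNS", "puppet"),
        ("DNS", "vm1"),
    ),
}


def dns_names(cert):
    """DNS identities the certificate presents.

    SAN dNSName entries are authoritative; the subject CN is only used as a
    fallback when the certificate carries no DNS SAN at all (RFC 6125 s6.4.4).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return [value]
    return []


def name_matches(presented, hostname):
    """Match one presented name against the reference hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard is
    accepted only as the whole leftmost label and only when at least two
    labels follow it (a conservative policy chosen here: '*.com' is rejected),
    and it never spans a dot, so '*.mydomain.com' matches 'vm1.mydomain.com'
    but not 'a.b.mydomain.com' or the bare 'mydomain.com'.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches_cert(hostname, cert):
    """True when hostname is covered by one of the certificate's DNS names."""
    return any(name_matches(name, hostname) for name in dns_names(cert))


def explain(hostname, cert):
    """Human-readable verdict in the spirit of the puppetd error message."""
    names = ", ".join(dns_names(cert)) or "no DNS name"
    if hostname_matches_cert(hostname, cert):
        return "ok: %r is covered by the server certificate (%s)" % (hostname, names)
    return ("hostname not match with the server certificate: connected to %r, "
            "certificate is for %s" % (hostname, names))


if __name__ == "__main__":
    # The client settings that matter are the names it uses to reach the
    # server: the 'server' setting for the master and the filebucket server.
    for configured_name in ("vm1.mydomain.com", "vm1", "puppet"):
        print(explain(configured_name, PUPPETMASTER_CERT))
```

Run stand-alone it reports "ok" for vm1.mydomain.com and the mismatch for vm1 and puppet against the FQDN-only certificate. Note the SAN rule: once a certificate carries DNS SANs, the CN is ignored, so adding the alias names as SANs (as in PUPPETMASTER_CERT_WITH_SANS) is what makes a short name or a "puppet" CNAME validate, and a CNAME in DNS alone does nothing for the TLS check.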