Mike G.
2009-Sep-03 22:10 UTC
[Puppet Users] Even the "Simplest Puppet Install Recipe" apparently isn't simple enough
I've tried this over and over, and I just cannot get it to work.

I'm trying to do a proof of concept on puppet, so I'm using two CentOS
5.3 systems running in VMs on separate hardware (i.e. the two VMs are
not on the same physical box). I've built the systems from scratch
numerous times, and then pulled down puppet from the rpmforge repo.
In the course of doing so, yum also pulls down the dependencies, which
include facter, ruby and ruby-libs. Everything installs swimmingly.

The box I am using as the server (named vm27) is also running bind and
acting as the name server. The only entries in the domain ("my.net";
yes, it's probably taken on the 'net but I'm running isolated) are
vm27 - 10.192.131.27, and the client - vm33 (10.192.131.33). There is
also a CNAME for 'puppet' which points to vm27.

At this point, I create the /etc/puppet/manifests/site.pp and
/etc/puppet/manifests/classes/sudo.pp files as described at
http://reductivelabs.com/trac/puppet/wiki/SimplestPuppetInstallRecipe.
I then do a 'service start puppetmaster' on vm27. All starts well, as
far as I can tell.

I then go to the client (vm33) and type 'puppetd --verbose'. Below is
the output:

#####

[root@vm33 etc]# puppetd --verbose
info: Creating a new certificate request for vm33.my.net
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/vm33.my.net.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Got signed certificate
notice: Starting Puppet client version 0.22.4
err: Could not retrieve configuration: Certificates were not trusted: hostname not match with the server certificate
err: Could not run Puppet::Network::Client::Master: Cannot connect to server and there is no cached configuration

#####

I constantly get the error above (about the hostname not matching the
server cert). I've scoured the web for answers, found very few, and
none apparently apply to me.

Is there any chance someone on this list could set me straight on
this? I'd really love to try this product out, but these issues are
beginning to drive me batty.

Thanks
Mike
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
Trevor Hemsley
2009-Sep-04 11:29 UTC
[Puppet Users] Re: Even the "Simplest Puppet Install Recipe" apparently isn't simple enough
Mike G. wrote:
> I've tried this over and over, and I just cannot get it to work.
>
> I'm trying to do a proof of concept on puppet, so I'm using two CentOS
> 5.3 systems running in VMs on separate hardware (i.e. the two VMs are
> not on the same physical box). I've built the systems from scratch
> numerous times, and then pulled down puppet from the rpmforge repo.
> In the course of doing so, yum also pulls down the dependencies, which
> include facter, ruby and ruby-libs. Everything installs swimmingly.
>
> The box I am using as the server (named vm27) is also running bind and
> acting as the name server. The only entries in the domain ("my.net";
> yes, it's probably taken on the 'net but I'm running isolated) are
> vm27 - 10.192.131.27, and the client - vm33 (10.192.131.33). There is
> also a CNAME for 'puppet' which points to vm27.
>
> At this point, I create the /etc/puppet/manifests/site.pp and /etc/
> puppet/manifests/classes/sudo.pp files as described at
> http://reductivelabs.com/trac/puppet/wiki/SimplestPuppetInstallRecipe.
> I then do a 'service start puppetmaster' on vm27. All starts well, as
> far as I can tell.
>
> I then go to the client (vm33) and type 'puppetd --verbose'. Below is
> the output:
>
> #####
>
> [root@vm33 etc]# puppetd --verbose
> info: Creating a new certificate request for vm33.my.net
> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/
> vm33.my.net.pem
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> notice: Got signed certificate
> notice: Starting Puppet client version 0.22.4
>

That's a very old version. Better try with 0.24.8 from EPEL instead of rpmforge.

> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate
> err: Could not run Puppet::Network::Client::Master: Cannot connect to
> server and there is no cached configuration
>

Did you sign the cert on the puppet master?

puppetca --list

then

puppetca --sign vm33.my.net

or

puppetca --sign --all

--
Trevor Hemsley
Infrastructure Engineer
C A L Y P S O
Brighton, UK
www.calypso.com
Craig Miskell
2009-Sep-06 20:59 UTC
[Puppet Users] Re: Even the "Simplest Puppet Install Recipe" apparently isn't simple enough
> [root@vm33 etc]# puppetd --verbose
> info: Creating a new certificate request for vm33.my.net
> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/
> vm33.my.net.pem
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> notice: Got signed certificate
> notice: Starting Puppet client version 0.22.4
> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate

Here's the probable problem. If you've not modified the puppet.conf on the
client, it'll be connecting to "puppet" (non-FQDN) by default. The certificate
on the server, however, will by default be the FQDN of the server itself (so
vm27.my.net), which doesn't match "puppet".

You have two options:
1) Change puppet.conf on the client, set "servername = vm27.my.net", or
2) On the puppetmaster, edit puppet.conf and set "certname=puppet", stop
   puppetmaster, delete the certificates (/var/lib/puppet/ssl/* is effective,
   if brutal), then start puppetmaster again so it'll regenerate the
   certificates.

I went with the latter, so that a simple packaged install of the puppet clients
will automatically find the server without having to customise the config file
in the package, or otherwise get the config file out to the client.

YMMV: openssl s_client -showcerts -connect puppet:8140 is a useful command to
see what the name on the certificate is, if the above doesn't work.

> Thanks
> Mike

Hope that points you in the right direction.

--
Craig Miskell
Senior Systems Administrator
Opus International Consultants

I wish there was a knob on the TV to turn up the intelligence. There's a knob
called "brightness", but it doesn't work. -- Gallagher
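
The name mismatch described in the reply above, as an added example that is not part of the original thread or of Puppet's code: it builds constructed self-signed certificates and runs Ruby's stock OpenSSL identity check against the name the client dials. The helpers `make_cert`, `cert_names` and `diagnose` are hypothetical, and using `OpenSSL::SSL.verify_certificate_identity` as a stand-in for the check the Puppet client performs is an assumption.

```ruby
require "openssl"

# Constructed test data: a throwaway self-signed certificate whose subject CN
# is `cn`, standing in for the certificate a puppetmaster presents on 8140.
def make_cert(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.new([["CN", cn]])
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Every name the certificate can be matched against: subject CN plus any
# DNS subjectAltName entries (none in the constructed certificates here).
def cert_names(cert)
  cns = cert.subject.to_a.select { |field| field[0] == "CN" }.map { |field| field[1] }
  sans = cert.extensions.select { |ext| ext.oid == "subjectAltName" }
             .flat_map { |ext| ext.value.split(/,\s*/) }
             .map { |entry| entry.sub(/\ADNS:/, "") }
  (cns + sans).uniq
end

# Hypothetical helper: would a client that connects to `server` accept this
# certificate? Uses Ruby's stock identity check (assumed stand-in).
def diagnose(cert, server)
  { server: server,
    cert_names: cert_names(cert),
    match: OpenSSL::SSL.verify_certificate_identity(cert, server) }
end

if __FILE__ == $PROGRAM_NAME
  default_master = make_cert("vm27.my.net")   # master cert named after its FQDN
  renamed_master = make_cert("puppet")        # after certname=puppet and regeneration
  p diagnose(default_master, "puppet")        # the failing case from the thread
  p diagnose(default_master, "vm27.my.net")   # option 1: client names the FQDN
  p diagnose(renamed_master, "puppet")        # option 2: certificate named "puppet"
end
```

The DNS CNAME from 'puppet' to vm27 plays no part in the check: only the name the client was told to connect to is compared with the names in the certificate.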