I've been running puppet for nearly two years. As the number of clients has expanded so performance has eroded. I've done stop gap solutions such as creating two puppet masters and feeding a fileserver off one of them and reducing the frequency that clients check in, but I knew they were stop gap solutions and not cutting the mustard.

Last week I bit the bullet and created a new puppetmaster on Ubuntu Hardy, installing from the 0.24.9 source. The bones of the config come from http://reductivelabs.com/trac/puppet/wiki/UsingMongrel

And all was well last week and I had apache serving up 10 puppetmasters. I'd copied the ssl details from the previous server and existing clients were checking in, doing their puppety stuff and being happy.

Today we needed to create a new node but no dice. On my client, when first starting puppetd I get:

root@sn1204:~# puppetd --test
warning: peer certificate won't be verified in this SSL session
err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error: 502 Proxy Error>
/usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: HTTP-Error: 502 Proxy Error (Puppet::Error)
from /usr/sbin/puppetd:356

On the server I see this in syslog.

Sep 8 19:22:52 puppet puppetmasterd[1965]: Client sn1204.bb2(xx.xx.xx.xx) requested unavailable functionality puppetca

Which tied in with what I was seeing when I switched from mongrel to webrick as a test to debug this. http://www.pastie.org/609530

I have since upgraded the server to 0.25.0 but the messages are the same. All the clients are 0.24.4 (stock hardy) with a few gutsies. They're all connecting fine.

My puppet.conf from the server is at http://www.pastie.org/609537 and the apache conf at http://www.pastie.org/609541

#puppet on irc have been very helpful but have drawn a blank so far. Having peered at the code I assume the puppetca code is loaded as a module by the puppetmaster process and that is 'failing' somehow/somewhere? Or not being loaded?

Any pointers on how to debug further gratefully received.

Thanks

Ian

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---

Luke Kanies
2009-Sep-09 23:22 UTC
[Puppet Users] Re: puppetca issues after moving to mongrel
On Sep 8, 2009, at 11:30 AM, Ian Cottee wrote:

> I've been running puppet for nearly two years. As the number of
> clients has expanded so performance has eroded. I've done stop gap
> solutions such as creating two puppet masters and feeding a
> fileserver off one of them and reducing the frequency that clients
> check in, but I knew they were stop gap solutions and not cutting
> the mustard.
>
> Last week I bit the bullet and created a new puppetmaster on Ubuntu
> Hardy, installing from the 0.24.9 source. The bones of the config
> come from http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
>
> And all was well last week and I had apache serving up 10
> puppetmasters. I'd copied the ssl details from the previous server
> and existing clients were checking in, doing their puppety stuff and
> being happy.
>
> Today we needed to create a new node but no dice. On my client, when
> first starting puppetd I get:
>
> root@sn1204:~# puppetd --test
> warning: peer certificate won't be verified in this SSL session
> err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error: 502 Proxy Error>
> /usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: HTTP-Error: 502 Proxy Error (Puppet::Error)
> from /usr/sbin/puppetd:356
>
> On the server I see this in syslog.
>
> Sep 8 19:22:52 puppet puppetmasterd[1965]: Client sn1204.bb2(xx.xx.xx.xx) requested unavailable functionality puppetca
>
> Which tied in with what I was seeing when I switched from mongrel to
> webrick as a test to debug this. http://www.pastie.org/609530
>
> I have since upgraded the server to 0.25.0 but the messages are the
> same. All the clients are 0.24.4 (stock hardy) with a few gutsies.
> They're all connecting fine.
>
> My puppet.conf from the server is at http://www.pastie.org/609537
> and the apache conf at http://www.pastie.org/609541
>
> #puppet on irc have been very helpful but have drawn a blank so far.
> Having peered at the code I assume the puppetca code is loaded as a
> module by the puppetmaster process and that is 'failing'
> somehow/somewhere? Or not being loaded?
>
> Any pointers on how to debug further gratefully received.

Do you have 'ca = false' somewhere in your configuration? That's the only thing I can think of that would cause the CA functionality not to be available.

--
Fallacies do not cease to be fallacies because they become fashions.
    --G. K. Chesterton
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
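
One way to run the check suggested in the reply above, as an added example that is not part of the original thread and not Puppet's own code: it parses puppet.conf text and reports whether `ca` is disabled for the master and in which section. The sample config is constructed, and the helper names (`parse_puppet_conf`, `ca_setting`) and the assumption that the `[puppetmasterd]` section overrides `[main]` are this example's own.

```ruby
# Added example, not Puppet's own code: find where puppet.conf sets `ca`.
# Assumption: INI-style sections, with the [puppetmasterd] section
# overriding [main] for the master process.

# Constructed sample config (not the poster's real file).
SAMPLE_CONF = <<~CONF
  [main]
  vardir = /var/lib/puppet
  ssldir = $vardir/ssl
  # ca = true   (commented out, must be ignored)

  [puppetmasterd]
  servertype = mongrel
  ca = false
CONF

# Return { section => { key => value } } for the given config text.
def parse_puppet_conf(text)
  section = "main"
  settings = Hash.new { |h, k| h[k] = {} }
  text.each_line do |line|
    line = line.sub(/#.*/, "").strip   # drop comments and whitespace
    next if line.empty?
    if line =~ /\A\[(.+)\]\z/
      section = $1.strip
    elsif line =~ /\A([^=\s]+)\s*=\s*(.*)\z/
      settings[section][$1] = $2.strip
    end
  end
  settings
end

# Effective `ca` value for one process: its own section wins over [main];
# with no setting anywhere the CA is enabled (the default).
def ca_setting(text, process = "puppetmasterd")
  conf = parse_puppet_conf(text)
  [process, "main"].each do |sec|
    value = conf.key?(sec) ? conf[sec]["ca"] : nil
    return { :enabled => value.downcase != "false", :section => sec } if value
  end
  { :enabled => true, :section => nil }
end

if __FILE__ == $0
  result = ca_setting(SAMPLE_CONF)
  puts "ca enabled: #{result[:enabled]} (set in: #{result[:section] || 'default'})"
end
```

To check a real server, pass the contents of its puppet.conf to `ca_setting` in place of `SAMPLE_CONF`.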