I've been running puppet for nearly two years. As the number of clients
has expanded so performance has eroded. I've done stop gap solutions such
as creating two puppet masters and feeding a fileserver off one of them and
reducing the frequency that clients check in, but I knew they were stop gap
solutions and not cutting the mustard.
Last week I bit the bullet and created a new puppetmaster on Ubuntu Hardy,
installing from the 0.24.9 source. The bones of the config come from
http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
And all was well last week and I had apache serving up 10 puppetmasters.
I'd copied the ssl details from the previous server and existing clients
were checking in, doing their puppety stuff and being happy.
Today we needed to create a new node but no dice. On my client, when first
starting puppetd I get:
root@sn1204:~# puppetd --test
warning: peer certificate won't be verified in this SSL session
err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error: 502 Proxy Error>
/usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: HTTP-Error: 502 Proxy Error (Puppet::Error)
    from /usr/sbin/puppetd:356
On the server I see this in syslog.
Sep  8 19:22:52 puppet puppetmasterd[1965]: Client sn1204.bb2(xx.xx.xx.xx) requested unavailable functionality puppetca
Which tied in with what I was seeing when I switched from mongrel to webrick
as a test to debug this. http://www.pastie.org/609530
I have since upgraded the server to 0.25.0 but the messages are the same.
All the clients are 0.24.4 (stock hardy) with a few gutsies. They're all
connecting fine.
My puppet.conf from the server is at http://www.pastie.org/609537 and the
apache conf at http://www.pastie.org/609541
#puppet on irc have been very helpful but have drawn a blank so far. Having
peered at the code I assume the puppetca code is loaded as a module by the
puppetmaster process and that is 'failing' somehow/somewhere? Or not being
loaded?
Any pointers on how to debug further gratefully received.
Thanks
Ian
Luke Kanies
2009-Sep-09  23:22 UTC
[Puppet Users] Re: puppetca issues after moving to mongrel
On Sep 8, 2009, at 11:30 AM, Ian Cottee wrote:

> I've been running puppet for nearly two years. As the number of
> clients has expanded so performance has eroded. I've done stop gap
> solutions such as creating two puppet masters and feeding a
> fileserver off one of them and reducing the frequency that clients
> check in, but I knew they were stop gap solutions and not cutting
> the mustard.
>
> Last week I bit the bullet and created a new puppetmaster on Ubuntu
> Hardy, installing from the 0.24.9 source. The bones of the config
> come from http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
>
> And all was well last week and I had apache serving up 10
> puppetmasters. I'd copied the ssl details from the previous server
> and existing clients were checking in, doing their puppety stuff and
> being happy.
>
> Today we needed to create a new node but no dice. On my client, when
> first starting puppetd I get:
>
> root@sn1204:~# puppetd --test
> warning: peer certificate won't be verified in this SSL session
> err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error: 502 Proxy Error>
> /usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert': Certificate retrieval failed: HTTP-Error: 502 Proxy Error (Puppet::Error)
>     from /usr/sbin/puppetd:356
>
> On the server I see this in syslog.
>
> Sep  8 19:22:52 puppet puppetmasterd[1965]: Client sn1204.bb2(xx.xx.xx.xx) requested unavailable functionality puppetca
>
> Which tied in with what I was seeing when I switched from mongrel to
> webrick as a test to debug this. http://www.pastie.org/609530
>
> I have since upgraded the server to 0.25.0 but the messages are the
> same. All the clients are 0.24.4 (stock hardy) with a few gutsies.
> They're all connecting fine.
>
> My puppet.conf from the server is at http://www.pastie.org/609537
> and the apache conf at http://www.pastie.org/609541
>
> #puppet on irc have been very helpful but have drawn a blank so far.
> Having peered at the code I assume the puppetca code is loaded as a
> module by the puppetmaster process and that is 'failing'
> somehow/somewhere? Or not being loaded?
>
> Any pointers on how to debug further gratefully received.

Do you have 'ca = false' somewhere in your configuration? That's the
only thing I can think of that would cause the CA functionality not to be
available.

--
Fallacies do not cease to be fallacies because they become fashions.
    --G. K. Chesterton
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
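
The check suggested in the reply above can be done mechanically rather than by eye. This Ruby sketch is an added example, not part of the original thread or of Puppet's own code; it lists every `ca` assignment in a puppet.conf-style file with its section and line number, skipping comment lines and look-alike keys such as `cadir`. The sample configuration is constructed, and treating any capitalisation of `false` as disabling the CA is an assumption.

```ruby
# Added example: list every `ca` assignment in a puppet.conf-style file.
# SAMPLE_CONF is constructed for illustration, not the poster's configuration.
SAMPLE_CONF = <<~CONF
  [main]
  cadir = /var/lib/puppet/ssl/ca
  # ca = false
  ca = true

  [puppetmasterd]
  ca = False
CONF

# Returns one hash per `ca` assignment with its section, line number,
# raw value and whether that value leaves the CA enabled.
def find_ca_settings(text)
  section = nil
  found = []
  text.each_line.with_index(1) do |raw, lineno|
    line = raw.strip
    next if line.empty? || line.start_with?('#')   # blank or comment line
    if (m = line.match(/\A\[(.+)\]\z/))
      section = m[1].strip                         # entering a new section
    elsif (m = line.match(/\Aca\s*=\s*(.*)\z/))    # exactly `ca`, not `cadir`
      value = m[1].strip
      # Assumption: any capitalisation of "false" disables the CA.
      found << { section: section, line: lineno, value: value,
                 enabled: !value.casecmp?('false') }
    end
  end
  found
end

# Names of the sections whose `ca` value turns the CA off.
def sections_disabling_ca(text)
  find_ca_settings(text).reject { |s| s[:enabled] }.map { |s| s[:section] }
end

if __FILE__ == $PROGRAM_NAME
  find_ca_settings(SAMPLE_CONF).each do |s|
    state = s[:enabled] ? 'CA enabled' : 'CA DISABLED'
    puts "[#{s[:section]}] line #{s[:line]}: ca = #{s[:value]} (#{state})"
  end
end
```

To run it against a real master, pass the contents of that host's puppet.conf to `find_ca_settings` in place of `SAMPLE_CONF`.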