Jamie
2010-Jan-18 19:40 UTC
[Puppet Users] SSL Issues when Puppet master and client are on the same machine
Hi

I've searched high and low for the answer to this but can't find any relevant solutions. I know that when the master and client are on different hosts it's pretty simple to solve most SSL issues...

1) stop puppetd on the client
2) Clean the cert on the master - puppetca --clean <host>
3) Recursively delete /etc/puppet/ssl on the client
4) Restart puppetd on the client

This approach does not work when the master and client are on the same machine, I've tried it (stopping puppetmasterd also before deleting)

I got into this situation by doing puppetca --clean --all on the puppetmaster (yeah, probably shouldn't have done that). All other Puppet clients are working fine after that command.

Anyone got any ideas?

Thank you

Puppet 0.25.1
CentOS 5.3

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Scott Smith
2010-Jan-18 20:00 UTC
Re: [Puppet Users] SSL Issues when Puppet master and client are on the same machine
On 1/18/10 11:40 AM, Jamie wrote:
> Hi
>
> I've searched high and low for the answer to this but can't find any
> relevant solutions. I know that when the master and client are on
> different hosts it's pretty simple to solve most SSL issues...
>

Sounds like you might need to split some parameters up from [main] to [puppetd] and [puppetmasterd]

Post your puppet.conf?

-scott
Jamie
2010-Jan-18 21:11 UTC
[Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
Oh! You're probably right :) Can you elaborate or point me in the
right direction?
[main]
# Default (/var/puppet/log)
logdir = /var/log/puppet
# Default (/var/puppet/run)
rundir = /var/run/puppet
# Default (/etc/puppet/modules:/usr/share/puppet/modules)
modulepath = /etc/puppet/modules
# How often (in seconds) puppetd connects to the master (default: 1800)
runinterval = 900
# Whether to flush logs to disk immediately
autoflush = true
# Needed for reverse proxy
ssl_client_header = HTTP_X_SSL_SUBJECT
# For external nodes via cobbler "systems"
external_nodes = /usr/bin/cobbler-ext-nodes
node_terminus = exec
On Jan 18, 12:00 pm, Scott Smith <sc...@ohlol.net> wrote:
> On 1/18/10 11:40 AM, Jamie wrote:
>
> > Hi
> >
> > I've searched high and low for the answer to this but can't find any
> > relevant solutions. I know that when the master and client are on
> > different hosts it's pretty simple to solve most SSL issues...
>
> Sounds like you might need to split some parameters up from [main] to
> [puppetd] and [puppetmasterd]
>
> Post your puppet.conf?
>
> -scott
Scott Smith
2010-Jan-18 21:29 UTC
Re: [Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
On 1/18/10 1:11 PM, Jamie wrote:
> Oh! You're probably right :) Can you elaborate or point me in the
> right direction?
>

Umm, you don't have [puppetd] and [puppetmasterd] sections?

At the bare minimum, you probably need to tell puppetmasterd and puppetd to use different hostnames.

http://docs.reductivelabs.com/references/latest/configuration.html

Check out certname.

-scott
Jamie
2010-Jan-18 22:38 UTC
[Puppet Users] Re: SSL Issues when Puppet master and client are on the same machine
Ok, I made a [puppetmasterd] section, not sure what I'd want to put
into a [puppetd] section though that isn't fine in a [main] section.
[main]
# Default (/var/puppet/log)
logdir = /var/log/puppet
# Default (/var/puppet/run)
rundir = /var/run/puppet
# How often (in seconds) puppetd connects to the master (default: 1800)
runinterval = 900
# Whether to flush logs to disk immediately
autoflush = true
[puppetmasterd]
# Default (/etc/puppet/modules:/usr/share/puppet/modules)
modulepath = /etc/puppet/modules
# Needed for reverse proxy
ssl_client_header = HTTP_X_SSL_SUBJECT
# For external nodes via cobbler "systems"
external_nodes = /usr/bin/cobbler-ext-nodes
node_terminus = exec
I don't understand how certname would help me though (assuming my
puppet server is called puppet01 with a CNAME of puppet). It all
worked fine without specifying certname prior to me cleaning out all
the certs.
Could I do something like this?
[puppetmasterd]
ssldir = /etc/puppet/puppetmaster_ssl
[puppetd]
ssldir = /etc/puppet/ssl
Here's the (cleaned) output I get trying to run puppetd.
$ sudo puppetd -td
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/private_keys/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/etc/puppet/ssl/public_keys/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/certs/puppet01.example.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: Finishing transaction 23703295081660 with 0 changes
debug: Using cached certificate for ca
debug: Using cached certificate for puppet01.example.com
debug: Loaded state in 0.01 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for puppet01.example.com
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
On Jan 18, 1:29 pm, Scott Smith <sc...@ohlol.net> wrote:
> On 1/18/10 1:11 PM, Jamie wrote:
>
> > Oh! You're probably right :) Can you elaborate or point me in the
> > right direction?
>
> Umm, you don't have [puppetd] and [puppetmasterd] sections?
>
> At the bare minimum, you probably need to tell puppetmasterd and puppetd to
> use different hostnames.
>
> http://docs.reductivelabs.com/references/latest/configuration.html
>
> Check out certname.
>
> -scott
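The "certificate verify failed" in the output above is a TLS-level verdict, so the first thing to confirm when master and agent share one /etc/puppet/ssl is whether the host certificate cached in that ssldir still chains to the ca.pem sitting beside it and still matches its private key. The script below is an added check, not code from this thread or from Puppet; it assumes the 0.25-style layout seen in the debug output (certs/ca.pem, certs/<certname>.pem, private_keys/<certname>.pem), uses puppet01.example.com only as a constructed hostname, and builds a throwaway CA and agent cert with openssl so it runs without a master.

```shell
# check_ssldir SSLDIR CERTNAME: 0 if certs/CERTNAME.pem chains to certs/ca.pem
# and matches private_keys/CERTNAME.pem, 1 on a mismatch, 2 if a file is missing.
check_ssldir() {
  ssldir=$1; name=$2
  ca="$ssldir/certs/ca.pem"; cert="$ssldir/certs/$name.pem"
  key="$ssldir/private_keys/$name.pem"
  for f in "$ca" "$cert" "$key"; do
    [ -r "$f" ] || { echo "missing: $f"; return 2; }
  done
  # Must chain to the CA the agent trusts. Read the verdict from the output,
  # since old openssl releases exit 0 even when verification fails.
  if ! openssl verify -CAfile "$ca" "$cert" 2>&1 | grep -q ': OK$'; then
    echo "stale: $cert does not verify against $ca"; return 1
  fi
  # The private key must still belong to that cert (same RSA modulus).
  cmod=$(openssl x509 -noout -modulus -in "$cert")
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null)
  [ "$cmod" = "$kmod" ] || { echo "key/cert mismatch under $ssldir"; return 1; }
  echo "ok: $cert chains to CA and matches its key"
}

# make_demo_ssldir DIR CERTNAME: throwaway ssldir with a constructed CA and an
# agent cert it signed, so the check can be exercised without a Puppet master.
make_demo_ssldir() {
  d=$1; name=$2
  mkdir -p "$d/certs" "$d/private_keys" "$d/ca"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Puppet CA" \
    -keyout "$d/ca/ca_key.pem" -out "$d/certs/ca.pem" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
    -keyout "$d/private_keys/$name.pem" -out "$d/$name.csr" >/dev/null 2>&1
  openssl x509 -req -days 1 -in "$d/$name.csr" -CA "$d/certs/ca.pem" \
    -CAkey "$d/ca/ca_key.pem" -CAcreateserial -out "$d/certs/$name.pem" >/dev/null 2>&1
}

# Demo: a healthy ssldir, then an agent cert left over from a CA that has
# since been re-created (the shape of mismatch "certificate verify failed"
# points to). The "|| true" keeps the expected failure from aborting the run.
tmp=$(mktemp -d)
make_demo_ssldir "$tmp/healthy" puppet01.example.com
check_ssldir "$tmp/healthy" puppet01.example.com
make_demo_ssldir "$tmp/stale" puppet01.example.com
cp "$tmp/healthy/certs/puppet01.example.com.pem" "$tmp/stale/certs/"
check_ssldir "$tmp/stale" puppet01.example.com || true
rm -rf "$tmp"
```

Run against a real host as `check_ssldir /etc/puppet/ssl "$(hostname -f)"`; if Scott's suggestion of separate ssldir values per section is adopted, run it once per directory.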