Trying to set up a sandbox environment, and I'm running into some issues. When I run the system in --noop mode, everything works as it should (long list of options truncated to ...):

[root@kvm001 ~]# puppetd ... --noop
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: //dev_server/basenode/role_general/ntpd/File[/etc/localtime]/ensure: is file, should be link (noop)
...

But when I run it without --noop, this happens:

[root@kvm001 ~]# puppetd ...
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
warning: Certificate validation failed; consider using the certname configuration option
err: //dev_server/basenode/role_general/ntpd/File[/etc/localtime]/ensure: change from file to link failed: Certificates were not trusted: certificate verify failed
...

I've verified the servers are sync'd in time (both running NTP from the same servers), and I've verified that the hostnames all match up. These are VMs running on a private network, but I've got the VMs in the puppetmaster's hosts file, so it can resolve them correctly, and the VMs have matching /etc/hosts files as well, so I don't think name resolution is the issue.

Any ideas?

--
This message has been scanned for viruses and dangerous content by MailScanner, and is believed to be clean.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Fri, Feb 12, 2010 at 8:50 AM, James Cammarata <jimi@sngx.net> wrote:

> Trying to set up a sandbox environment, and I'm running into some issues.
> When I run the system in --noop mode, everything works as it should (long
> list of options truncated to ...):
>
> [root@kvm001 ~]# puppetd ... --noop
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> notice: //dev_server/basenode/role_general/ntpd/File[/etc/localtime]/ensure: is file, should be link (noop)
> ...
>
> But when I run it without --noop, this happens:
>
> [root@kvm001 ~]# puppetd ...
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> warning: Certificate validation failed; consider using the certname configuration option
> err: //dev_server/basenode/role_general/ntpd/File[/etc/localtime]/ensure: change from file to link failed: Certificates were not trusted: certificate verify failed
> ...

That is strange, I know that puppetd does not create certificates when running with --noop mode. Seems like it could be related. Does this machine have a signed certificate?

> I've verified the servers are sync'd in time (both running NTP from the
> same servers), and I've verified that the hostnames all match up. These
> are VMs running on a private network, but I've got the VMs in the
> puppetmaster's hosts file, so it can resolve them correctly, and the VMs
> have matching /etc/hosts files as well, so I don't think name resolution is
> the issue.
>
> Any ideas?

I would try running the following on the puppet server:

puppetca --list --all

and make sure that the names of all of the certificates are what you expect.

> That is strange, I know that puppetd does not create certificates when
> running with --noop mode. Seems like it could be related. Does this machine
> have a signed certificate?
>
>> Any ideas?
>
> I would try running the following on the puppet server:
>
> puppetca --list --all
>
> and make sure that the names of all of the certificates are what you
> expect.

I don't know about that. I have checked with puppetca on the master before running the first time (or after --clean) and --noop seems to be creating the cert. It shows up after the first run when listing the certs, and the FQDN matches.

On Mon, 15 Feb 2010 00:24:10 -0600, James Cammarata <jimi@sngx.net> wrote:

>> That is strange, I know that puppetd does not create certificates when
>> running with --noop mode. Seems like it could be related. Does this machine
>> have a signed certificate?
>>
>>> Any ideas?
>>
>> I would try running the following on the puppet server:
>>
>> puppetca --list --all
>>
>> and make sure that the names of all of the certificates are what you
>> expect.
>
> I don't know about that. I have checked with puppetca on the master before
> running the first time (or after --clean) and --noop seems to be creating
> the cert. It shows up after the first run when listing the certs, and the
> FQDN matches.

This turned out to be user error. As I mentioned this is my sandbox environment, so I had copied the configs in from our development server. The issue was that I set the file bucket server in the main configuration, so my sandbox systems were trying to talk to our dev server to filebucket before replacing, thus the cert issues.
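
The check below is an added example, not code from the thread or from Puppet: it scans manifest text for `filebucket` resources whose `server` is not the master the agent is enrolled with, which is the kind of leftover reference that produced the certificate error above. It assumes the bucket server was set in a `filebucket` resource in a manifest such as site.pp; the hostnames and the sample manifest are constructed.

```python
import re

# Constructed sample: a site.pp copied from a development server into a sandbox.
SAMPLE_MANIFEST = """
# filebucket { 'old': server => 'retired.example.com' }
filebucket { 'main':
  server => 'puppet.dev.example.com',
  path   => false,
}
filebucket { "local": path => "/var/lib/puppet/clientbucket" }
File { backup => 'main' }
"""

# A filebucket resource: optional quote, title, colon, then attributes up to "}".
FILEBUCKET_RE = re.compile(r"\bfilebucket\s*\{\s*(['\"]?)([^'\":]+)\1\s*:(.*?)\}", re.S)
# The server attribute inside that body, quoted or bare.
SERVER_RE = re.compile(r"\bserver\s*=>\s*(['\"]?)([^'\",\s}]+)\1")


def filebucket_servers(manifest_text):
    """Return (title, server) for each filebucket resource that names a server."""
    text = re.sub(r"#.*", "", manifest_text)  # drop comments so dead code is ignored
    found = []
    for match in FILEBUCKET_RE.finditer(text):
        server = SERVER_RE.search(match.group(3))
        if server:  # buckets with only a local path never leave the host
            found.append((match.group(2).strip(), server.group(2)))
    return found


def foreign_filebuckets(manifest_text, expected_master):
    """Return buckets whose server is not the master this agent has a cert for."""
    return [(title, server)
            for title, server in filebucket_servers(manifest_text)
            if server.lower() != expected_master.lower()]


if __name__ == "__main__":
    for title, server in foreign_filebuckets(SAMPLE_MANIFEST, "puppet.sandbox.example.com"):
        print("filebucket %r backs up to %s, not the sandbox master" % (title, server))
```

A `server` given as a variable (for example `$servername`) is reported as written and needs to be resolved by hand.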