Brian Lam
2010-Apr-21 22:59 UTC
[Puppet Users] scaling up puppetmasterd by cloning puppetmasterd
I apologize ahead of time if this post shouldn't go here, but I have been knocking my head for the last two days trying to get over the following error while trying to "clone" my primary puppetmasterd because we have outgrown one puppetmasterd setup.

I have basically set up a 2nd instance of our primary puppetmasterd and rsync'ed over /var/lib/puppet/ssl/ from the primary to the secondary puppetmasterd. The client ran to completion (and recorded the log in /var/lib/puppet/report/) but the file copying statements were failing:
(see log below)

Failed to generate additional resources during transaction: Certificates were not trusted: hostname was not match with the server certificate

I am sorta desperate at this point and am thinking of trying to hack the libraries....

Any advice would be appreciated. I am running 0.24.6-1. Thanks in advance.

EQX root@xen-pup-dash:/etc/puppet# puppetd -vt
info: Loading fact kernelrelease
info: Loading fact disk_facts
info: Loading fact facts
info: Loading fact www_pool
info: Retrieving facts
notice: /File[/var/lib/puppet/facts]/checksum: checksum changed '{mtime}Sat Jan 30 16:44:27 -0800 2010' to '{mtime}Sat Jan 30 16:44:28 -0800 2010'
info: Loading fact kernelrelease
info: Loading fact disk_facts
info: Loading fact facts
info: Loading fact www_pool
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
warning: Certificate validation failed; consider using the certname configuration option
err: //Node[xen-pup-dash]/common/File[/home/scripts]: Failed to generate additional resources during transaction: Certificates were not trusted: hostname was not match with the server certificate
warning: Certificate validation failed; consider using the certname configuration option
err: //Node[xen-pup-dash]/common/File[/home/scripts]: Failed to retrieve current state of resource: Certificates were not trusted: hostname was not match with the server certificate Could not describe /files/server-configs/eqx-sv2/common/home/scripts: Certificates were not trusted: hostname was not match with the server certificate at /etc/puppet/manifests/eqx-sv2/production/classes/common.pp:251
notice: //Node[xen-pup-dash]/common/Remote_file[/home/scripts/update.whoami.sh]/File[/home/scripts/update.whoami.sh]: Dependency file[/home/scripts] has 1 failures
warning: //Node[xen-pup-dash]/common/Remote_file[/home/scripts/update.whoami.sh]/File[/home/scripts/update.whoami.sh]: Skipping because of failed dependencies
...
...
...

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Patrick
2010-Apr-22 02:07 UTC
Re: [Puppet Users] scaling up puppetmasterd by cloning puppetmasterd
I'm pretty sure that the server name that the clients see doesn't match the name on the certificate the server is using to authenticate. I'm not sure what the best way around this is.
Brian Lam
2010-Apr-22 02:13 UTC
[Puppet Users] Re: scaling up puppetmasterd by cloning puppetmasterd
I wonder if there is any way to hack to turn off ssl because I need to really get this to work. We are running puppet w/i our internal network so I can give up security / ssl to get it to work. Maybe I need to modify puppetmaster client / server to just pass a "true" at this pt.
Nicolas Szalay
2010-Apr-22 07:22 UTC
Re: [Puppet Users] scaling up puppetmasterd by cloning puppetmasterd
Ohad has the right answer: using the certname directive is the solution.

If there are French readers around here you can get the latest "GNU/Linux Magazine" with an article I wrote about this kind of setup (multi masters with a nginx in front of the clients).

Regards,

Nico.
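The name mismatch Patrick describes and the certname fix Nicolas points to, as an added example that is not part of the thread: it uses Ruby's standard OpenSSL::SSL.verify_certificate_identity to show which client-side server names pass against a certificate copied from the primary versus one issued under a shared name. All host names are constructed, and mapping the shared name to Puppet's certname setting is an assumption about the intended setup.

```ruby
require 'openssl'

# Constructed host names (not from the thread): master1 is the original
# puppetmasterd, master2 the clone, puppet.example.test a shared service name.
NAMES = %w[master1.example.test master2.example.test puppet.example.test]
KEY = OpenSSL::PKey::RSA.new(2048)

# Build a self-signed certificate for `cn`, optionally with DNS subjectAltNames.
def make_cert(cn, alt_names = [])
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = KEY.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# For each name a client might use to reach a master, report whether the
# identity check passes against the certificate that master presents.
def name_check(cert, client_names)
  client_names.to_h { |n| [n, OpenSSL::SSL.verify_certificate_identity(cert, n)] }
end

# The clone presenting the certificate copied from master1 (CN only):
# only clients that address it as master1 pass the check.
CLONED = make_cert('master1.example.test')

# A certificate issued under the shared name. Once DNS subjectAltNames are
# present the CN is no longer consulted, so the shared name is listed too.
SHARED = make_cert('puppet.example.test',
                   %w[puppet.example.test master2.example.test])

if __FILE__ == $PROGRAM_NAME
  puts "copied cert: #{name_check(CLONED, NAMES)}"
  puts "shared cert: #{name_check(SHARED, NAMES)}"
end
```

Running the same check against the certificate a master actually serves shows which server names clients can use without turning verification off.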
Brian Gallew
2010-Apr-23 04:12 UTC
Re: [Puppet Users] scaling up puppetmasterd by cloning puppetmasterd
I would have thought that, instead of rsyncing the new machine, you'd have used Puppet to deploy it as a Puppet master. I'm curious as to why you went this route?