Unknown
2010-Jul-23 20:47 UTC
[Puppet Users] Simple setup, separate client and server -- same error
Ran through about the same scenario as before, modified for client and
server being on separate systems. Got the same error. Here are the
details and some things I thought might be relevant info at the end.
On the server: uninstall puppet, remove /etc/puppet and /var/lib/puppet.
Clean up old puppet install and config on lnx03 (server)
[ddb@prc-mn-lnx03 ~]$ sudo yum erase puppet
Removed:
puppet.noarch 0:0.25.5-1.el5
Dependency Removed:
puppet-server.noarch 0:0.25.5-1.el5
[ddb@prc-mn-lnx03 ~]$ sudo rm -rf /etc/puppet/ /var/lib/puppet/
Clean up old puppet install and config on lnx01 (client)
[root@prc-mn-lnx01 ~]# yum erase puppet
Package(s) puppet available, but not installed.
No Packages marked for removal
[root@prc-mn-lnx01 ~]# rm -rf /etc/puppet/ /var/lib/puppet/
Install puppet packages on lnx03
sudo yum install puppet-server
Installed:
puppet-server.noarch 0:0.25.5-1.el5
Dependency Installed:
puppet.noarch 0:0.25.5-1.el5
Edit /etc/puppet/puppet.conf to specify non-default server.
In [main] put
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# The server isn't the default dns name "puppet".
server = "prc-mn-lnx03.pinerivercapital.local"
[puppetd]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
Put some minimal config into the default manifest /etc/puppet/site.pp
# Create "/tmp/testfile" if it doesn't exist.
class test_class {
file { "/tmp/testfile":
ensure => present,
mode => 644,
owner => root,
group => root
}
}
# tell puppet on which client to run the class
node prc-mn-lnx01 {
include test_class
}
Verify hostname
sh-3.2$ hostname
prc-mn-lnx03.pinerivercapital.local
Start puppetmaster service.
Verify certificate for right system created.
sh-3.2$ sudo puppetca --all --list
+ prc-mn-lnx03.pinerivercapital.local
Verify server view of certificates.
sh-3.2$ sudo /usr/sbin/puppetmasterd --genconf | grep certname
# The default value is '$privatekeydir/$certname.pem'.
# certname = prc-mn-lnx03.pinerivercapital.local
# The default value is '$ssldir/csr_$certname.pem'.
# The default value is '$publickeydir/$certname.pem'.
# The default value is '$certdir/$certname.pem'.
Set up client software on lnx01
[root@prc-mn-lnx01 ~]# yum install puppet
Installed:
puppet.noarch 0:0.25.5-1.el5
Set up config on lnx01 (add server)
[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet
# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet
# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl
# The server isn't the default dns name "puppet".
server = "prc-mn-lnx03.pinerivercapital.local"
[puppetd]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt
# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig
Run puppetd manually in test mode. Client creates request.
[root@prc-mn-lnx01 ~]# puppetd --server prc-mn-lnx03 --test --waitforcert 60
info: Creating a new SSL key for prc-mn-lnx01.pinerivercapital.local
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for prc-mn-lnx01.pinerivercapital.local
On server, find and sign request
[ddb@prc-mn-lnx03 ~]$ sudo puppetca --list
prc-mn-lnx01.pinerivercapital.local
[ddb@prc-mn-lnx03 ~]$ sudo puppetca --sign prc-mn-lnx01.pinerivercapital.local
prc-mn-lnx01.pinerivercapital.local
notice: Signed certificate request for prc-mn-lnx01.pinerivercapital.local
notice: Removing file Puppet::SSL::CertificateRequest prc-mn-lnx01.pinerivercapital.local at '/var/lib/puppet/ssl/ca/requests/prc-mn-lnx01.pinerivercapital.local.pem'
Further client output:
info: Caching certificate for prc-mn-lnx01.pinerivercapital.local
err: Could not retrieve catalog from remote server: hostname not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
So this is the same error I got trying to run client and server on the
same system. Furthermore, I definitely started both systems with NO
cached certificates or anything (manually deleting /var/lib/puppet
before reinstalling the packages).
Something really basic is wrong here!
From the server, the cert directory:
[ddb@prc-mn-lnx03 ~]$ ls -l /var/lib/puppet/ssl/certs
total 16
-rw-r--r-- 1 puppet root 765 Jul 23 15:16 ca.pem
-rw-r--r-- 1 puppet root 985 Jul 23 15:16 prc-mn-lnx03.pinerivercapital.local.pem
From the client, the cert directory:
[root@prc-mn-lnx01 ~]# ls -l /var/lib/puppet/ssl/certs
total 16
-rw-r--r-- 1 puppet root 765 Jul 23 15:36 ca.pem
-rw-r----- 1 puppet root 867 Jul 23 15:37 prc-mn-lnx01.pinerivercapital.local.pem
In case it's relevant, here's the server's /etc/puppet/auth.conf as it
is (came from the CentOS package, not changed; most comments deleted
for space):
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# unconditionally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current master doesn't
### have a valid certificate
# allow access to the master CA
path /certificate/ca
auth no
method find
allow *
path /certificate/
auth no
method find
allow *
path /certificate_request
auth no
method find, save
allow *
# this one is not strictly necessary, but it has the merit
# to show the default policy which is deny everything else
path /
auth any
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
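Added example (not part of the original post, and not Puppet's own code): the client error quoted above, "hostname not match with the server certificate", is the text Ruby's `OpenSSL::SSL::SSLSocket#post_connection_check` raises when the name the client connected to does not appear in the certificate the server presented. In the post the client is started with `--server prc-mn-lnx03` while the master's certificate file is named for `prc-mn-lnx03.pinerivercapital.local`. The script below builds a constructed self-signed certificate as a stand-in for the master's cert (that it carries only the FQDN as CN and no subjectAltName is an assumption about the real cert) and runs `OpenSSL::SSL.verify_certificate_identity`, the same identity check `post_connection_check` uses, against both spellings of the server name. It then reissues the stand-in with both names as DNS subjectAltName entries to show what makes either spelling verify; the helper names `make_server_cert`, `hostname_matches?` and `names_in_cert` are this example's own.

```ruby
require 'openssl'

# Names taken from the post: the client was started with the short name,
# the master's certificate is issued to the FQDN.
MASTER_FQDN  = 'prc-mn-lnx03.pinerivercapital.local'
MASTER_SHORT = 'prc-mn-lnx03'

# Build a self-signed X.509 certificate for +common_name+, optionally with
# subjectAltName DNS entries. Constructed stand-in for the puppetmaster's
# certificate so the check runs offline; what SANs the real cert carries
# is an assumption.
def make_server_cert(common_name, alt_names = [])
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# The identity check SSLSocket#post_connection_check performs: the name the
# client requested must match a DNS subjectAltName entry, or the subject CN
# when the certificate carries no DNS SANs at all.
def hostname_matches?(cert, requested_name)
  OpenSSL::SSL.verify_certificate_identity(cert, requested_name)
end

# Collect the names a certificate is valid for (CN first, then DNS SANs);
# this is what to compare against the value handed to --server.
def names_in_cert(cert)
  cn = cert.subject.to_a.find { |entry| entry[0] == 'CN' }
  names = cn ? [cn[1]] : []
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  names += san.value.split(',').map { |s| s.strip.sub(/\ADNS:/, '') } if san
  names
end

if __FILE__ == $0
  cn_only = make_server_cert(MASTER_FQDN)
  puts "certificate names: #{names_in_cert(cn_only).inspect}"
  [MASTER_FQDN, MASTER_SHORT].each do |name|
    verdict = hostname_matches?(cn_only, name) ? 'ok' : 'hostname mismatch'
    puts "--server #{name}: #{verdict}"
  end
  # Reissuing with both names as DNS SANs lets either spelling verify. Once
  # any DNS SAN is present the CN is no longer consulted, so the FQDN has
  # to be listed in the SANs as well.
  with_san = make_server_cert(MASTER_FQDN, [MASTER_FQDN, MASTER_SHORT])
  short_ok = hostname_matches?(with_san, MASTER_SHORT) ? 'ok' : 'hostname mismatch'
  puts "with SANs #{names_in_cert(with_san).inspect}: --server #{MASTER_SHORT}: #{short_ok}"
end
```

The check is the client's protection against accepting a certificate issued to some other host, so the defender's fix is to make the names agree rather than to loosen verification: either point the client at the exact name the certificate carries (the FQDN here), or issue the master's certificate with every name clients will use as subjectAltName entries. The last branch above shows the caveat that matters when doing the latter: with DNS SANs present, Ruby ignores the CN, so a certificate whose SAN lists only the short name would stop matching the FQDN.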