Just installed Puppet 2.6.4 on Ubuntu 10.10

I was trying to restart the puppet agent but got the following error and the agent didn't run:

$ sudo puppetd --server server.domain.com --waitforcert 60 --test
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I have the puppet master running on "server.domain.com"

How can I fix it and get the agent to run?

Thanks,
Wesley

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On 14/01/11 7:20 AM, Wesley Wu wrote:
> Just installed Puppet 2.6.4 on Ubuntu 10.10
>
> I was trying to restart the puppet agent but got the following error
> and the agent didn't run:
>
> $ sudo puppetd --server server.domain.com --waitforcert 60 --test
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> I have the puppet master running on "server.domain.com"
>
> How can I fix it and get the agent to run?
>
> Thanks,
> Wesley

Wesley,
I ran into this one a couple of days ago.
Problem that time was that the system in question was a couple of hours behind. Fixing its clock resolved the issue for me.

Cheers
Mike

Thank you Mike.

Both my Puppet master and the agent are NTP clients. So they are sync'ed.

Is there a way to flush the agent's certificate and retrieve it from the master again?

Thanks,
Wesley

On Thu, Jan 13, 2011 at 4:46 PM, Michael Knox <michael.knox.au@gmail.com> wrote:
> Wesley,
> I ran into this one a couple of days ago.
> Problem that time was that the system in question was a couple of hours
> behind. Fixing its clock resolved the issue for me.
>
> Cheers
> Mike

On 14/01/11 9:49 AM, Wesley Wu wrote:
> Thank you Mike.
>
> Both my Puppet master and the agent are NTP clients. So they are sync'ed.
>
> Is there a way to flush the agent's certificate and retrieve it from
> the master again?
>
> Thanks,
> Wesley

To remove all your certs on the client ...

rm -rf /var/lib/puppet/ssl

or /etc/puppet/ssl

on the Puppet master (assuming 2.6)

puppet cert --clean <fqdn>

On Thu, Jan 13, 2011 at 12:20 PM, Wesley Wu <wesley.q.wu@gmail.com> wrote:
> Just installed Puppet 2.6.4 on Ubuntu 10.10
>
> I was trying to restart the puppet agent but got the following error
> and the agent didn't run:
>
> $ sudo puppetd --server server.domain.com --waitforcert 60 --test
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
>
> I have the puppet master running on "server.domain.com"

Time was already mentioned, so the next thing to check is a hostname mismatch between what the client thinks its name is (server.domain.com) and what the master thinks its hostname is.

To check this, please run facter fqdn on the puppet master and let us know your results.

The puppet master generates an SSL certificate containing three hostnames. These are:

1: the results of "facter fqdn"
2: puppet.`facter domain`
3: puppet

So, on my test machine facter fqdn returns test.puppetlabs.vm and facter domain returns puppetlabs.vm. The names in the resulting certificate are test.puppetlabs.vm, puppet.puppetlabs.vm and puppet.

If the agent uses any name other than those three, you'll get a certificate verification error.

To fix the problem you could also add additional names to the generated certificate. Blow away the bad SSL certificate and try:

puppet master --certdnsnames server:server.domain.com

Hope this helps,
--
Jeff McCune

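Added example, not part of the original thread or of Puppet itself: a small shell check for the name mismatch Jeff describes, comparing the name passed to --server against the names found in the text dump of a certificate (as printed by `openssl x509 -noout -text`). The sample dump is constructed from the names of Jeff's test machine, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample: trimmed `openssl x509 -noout -text` output for a master
# certificate carrying the three names from Jeff's test machine (not a real cert).
SAMPLE_CERT_TEXT='Certificate:
    Data:
        Validity
            Not Before: Jan 12 20:01:10 2011 GMT
            Not After : Jan 11 20:01:10 2016 GMT
        Subject: CN=test.puppetlabs.vm
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:puppet.puppetlabs.vm, DNS:test.puppetlabs.vm'

# Print every name the certificate carries, one per line, lower-cased:
# the subject CN plus each DNS entry of the Subject Alternative Name extension.
# Handles both "CN=name" and "CN = name" subject formats.
cert_names() {
    {
        printf '%s\n' "$1" | sed -n 's|^ *Subject:.*CN *= *\([^,/ ]*\).*|\1|p'
        printf '%s\n' "$1" | grep 'DNS:' | tr ',' '\n' |
            sed -n 's|^ *DNS:\([^ ]*\).*$|\1|p'
    } | tr 'A-Z' 'a-z' | LC_ALL=C sort -u
}

# Succeed only if the name given to --server is exactly one of those names
# (case-insensitive, whole-name match; wildcard entries are not expanded).
server_name_ok() {
    want=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    cert_names "$1" | grep -Fxq -- "$want"
}

# Report what the agent would run into for a given --server value.
check_server() {
    if server_name_ok "$1" "$2"; then
        echo "ok: $2 is in the certificate"
    else
        echo "mismatch: $2 is not in the certificate; accepted names:"
        cert_names "$1" | sed 's/^/  /'
        return 1
    fi
}

check_server "$SAMPLE_CERT_TEXT" puppet.puppetlabs.vm
check_server "$SAMPLE_CERT_TEXT" server.domain.com || true
```
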
Thank you Mike and Jeff.

I fixed the problem by following Mike's suggestion (removed the cert on the client).

Cheers,
Wesley

On Thu, Jan 13, 2011 at 8:49 PM, Jeff McCune <jeff@puppetlabs.com> wrote:
> Time was already mentioned, so the next thing to check is a hostname
> mismatch between what the client thinks its name is (server.domain.com)
> and what the master thinks its hostname is.
>
> To check this, please run facter fqdn on the puppet master and let us
> know your results.
>
> The puppet master generates an SSL certificate containing three
> hostnames. These are:
>
> 1: the results of "facter fqdn"
> 2: puppet.`facter domain`
> 3: puppet
>
> So, on my test machine facter fqdn returns test.puppetlabs.vm and
> facter domain returns puppetlabs.vm. The names in the resulting
> certificate are test.puppetlabs.vm, puppet.puppetlabs.vm and puppet.
>
> If the agent uses any name other than those three, you'll get a
> certificate verification error.
>
> To fix the problem you could also add additional names to the
> generated certificate. Blow away the bad SSL certificate and try:
>
> puppet master --certdnsnames server:server.domain.com
>
> Hope this helps,
> --
> Jeff McCune