Puppet users - Feb 2011 - Puppetmasterd not receiving certificate request

Hi: I''m trying to configure Puppet on Ubuntu, and strangely I am never
able to generate a certificate because my server never shows any
pending certificate requests.

Put differently, on the server I am running puppetmasterd and on the
client I am able to connect to the server, but the client continues
printing

   notice: Did not receive certificate
   warning: peer certificate won''t be verified in this SSL session

and yet the server never sees the request

   mrisher@lab2$ puppetca --list
   [nothing shows up]
   mrisher@lab2$ puppetca --sign clientname.domain.com
   clientname.domain.com
   err: Could not call sign: Could not find certificate request for
clientname.domain.com

There was a suggestion that autosign was happening, but that does not
seem to be it. There is no autosign.conf file, and when I run
`puppetmasterd --no-daemonize -d -v` I receive the following output:
   info: Could not find certificate for
''clientname.domain.com''
every time the client says
   notice: Did not receive certificate

I checked the certs on the server and there don''t seem to be any:

mrisher@lab2:~$ puppetca --list --all
mrisher@lab2:~$ sudo puppetca --list --all
+ lab2.domain.com          // this is the server (master)
mrisher@lab2:~$ sudo puppetca --list
[blank line]
mrisher@lab2:~$

Note: This is mostly running the default install from Ubuntu, if that
gives any leads.

Thanks for any help out there.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Set the IP of puppet master as hostname "puppet" on /etc/hosts file of
client

That is something like

192.168.2.100 puppet.example.local puppet

On 15 February 2011 07:25, mark risher <mrisher.work@gmail.com> wrote:
> Hi: I''m trying to configure Puppet on Ubuntu, and strangely I am
never
> able to generate a certificate because my server never shows any
> pending certificate requests.
>
> Put differently, on the server I am running puppetmasterd and on the
> client I am able to connect to the server, but the client continues
> printing
>
>   notice: Did not receive certificate
>   warning: peer certificate won''t be verified in this SSL session
>
> and yet the server never sees the request
>
>   mrisher@lab2$ puppetca --list
>   [nothing shows up]
>   mrisher@lab2$ puppetca --sign clientname.domain.com
>   clientname.domain.com
>   err: Could not call sign: Could not find certificate request for
> clientname.domain.com
>
> There was a suggestion that autosign was happening, but that does not
> seem to be it. There is no autosign.conf file, and when I run
> `puppetmasterd --no-daemonize -d -v` I receive the following output:
>   info: Could not find certificate for
''clientname.domain.com''
> every time the client says
>   notice: Did not receive certificate
>
> I checked the certs on the server and there don''t seem to be any:
>
> mrisher@lab2:~$ puppetca --list --all
> mrisher@lab2:~$ sudo puppetca --list --all
> + lab2.domain.com          // this is the server (master)
> mrisher@lab2:~$ sudo puppetca --list
> [blank line]
> mrisher@lab2:~$
>
> Note: This is mostly running the default install from Ubuntu, if that
> gives any leads.
>
> Thanks for any help out there.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
Regards

Basil Kurian

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Then try puppetd --test   on client

On 15 February 2011 09:24, Basil Kurian <basilkurian@gmail.com> wrote:
> Set the IP of puppet master as hostname "puppet" on /etc/hosts
file of
> client
>
> That is something like
>
> 192.168.2.100 puppet.example.local puppet
>
>
> On 15 February 2011 07:25, mark risher <mrisher.work@gmail.com>
wrote:
>
>> Hi: I''m trying to configure Puppet on Ubuntu, and strangely I
am never
>> able to generate a certificate because my server never shows any
>> pending certificate requests.
>>
>> Put differently, on the server I am running puppetmasterd and on the
>> client I am able to connect to the server, but the client continues
>> printing
>>
>>   notice: Did not receive certificate
>>   warning: peer certificate won''t be verified in this SSL
session
>>
>> and yet the server never sees the request
>>
>>   mrisher@lab2$ puppetca --list
>>   [nothing shows up]
>>   mrisher@lab2$ puppetca --sign clientname.domain.com
>>   clientname.domain.com
>>   err: Could not call sign: Could not find certificate request for
>> clientname.domain.com
>>
>> There was a suggestion that autosign was happening, but that does not
>> seem to be it. There is no autosign.conf file, and when I run
>> `puppetmasterd --no-daemonize -d -v` I receive the following output:
>>   info: Could not find certificate for
''clientname.domain.com''
>> every time the client says
>>   notice: Did not receive certificate
>>
>> I checked the certs on the server and there don''t seem to be
any:
>>
>> mrisher@lab2:~$ puppetca --list --all
>> mrisher@lab2:~$ sudo puppetca --list --all
>> + lab2.domain.com          // this is the server (master)
>> mrisher@lab2:~$ sudo puppetca --list
>> [blank line]
>> mrisher@lab2:~$
>>
>> Note: This is mostly running the default install from Ubuntu, if that
>> gives any leads.
>>
>> Thanks for any help out there.
>>
>> --
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscribe@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>>
>>
>
>
> --
> Regards
>
> Basil Kurian
>
>
>

-- 
Regards

Basil Kurian

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks for the suggestion. I set the /etc/host but that doesn''t appear
any different from specifying --server xyz on the command line; my
client definitely seems to reach the server but still no certificate
is issued and the manifest file doesn''t get downloaded:


--- CLIENT
mrisher@events1001:~$ sudo vi /etc/hosts
mrisher@events1001:~$ puppetd --test
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled
mrisher@events1001:~$ puppetd --test --waitforcert 60
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
notice: Did not receive certificate


--- SERVER
mrisher@lab2:~$ puppetca --list

mrisher@lab2:~$ sudo puppetca --list

mrisher@lab2:~$


I feel like I must be missing something really obvious. Is there a way
to telnet directly to the puppetmaster and issue a test that way? When
I telnet to port 8140 it immediately hangs up.

Thank you,
/m

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Mon, Feb 14, 2011 at 11:19 PM, mark risher <mrisher@impermium.com>
wrote:
> Thanks for the suggestion. I set the /etc/host but that doesn''t
appear
> any different from specifying --server xyz on the command line; my
> client definitely seems to reach the server but still no certificate
> is issued and the manifest file doesn''t get downloaded:
>
>
> --- CLIENT
> mrisher@events1001:~$ sudo vi /etc/hosts
> mrisher@events1001:~$ puppetd --test
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> Exiting; no certificate found and waitforcert is disabled
> mrisher@events1001:~$ puppetd --test --waitforcert 60
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> notice: Did not receive certificate
>
>
> --- SERVER
> mrisher@lab2:~$ puppetca --list
>
> mrisher@lab2:~$ sudo puppetca --list
>
> mrisher@lab2:~$
It really feels like the puppetca command is using a different ssldir
configuration setting than the puppet master process is.  Could you
check puppetca --configprint ssldir and compare that with the ssldir
setting being used by the puppet master process?

Are you running in Passenger or some other setup?
> I feel like I must be missing something really obvious. Is there a way
> to telnet directly to the puppetmaster and issue a test that way? When
> I telnet to port 8140 it immediately hangs up.
This is because SSL is being used and your client isn''t starting the
handshake.  Unfortunately there''s not an easy way to test things
without getting past the SSL layer, which is what you''re having
trouble with.

Also, try pupeptca --list --all and see what certificates the CA _has_ signed.

Hope this helps,
-- 
Jeff McCune
http://www.puppetlabs.com/

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

If this helps, when I run `puppetd -d` I get a bunch of debug log
statements that may be pertinent: http://pastebins.com/index.php?show=567

Thx,
/m

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Mon, Feb 14, 2011 at 11:25 PM, mark risher <mrisher@impermium.com>
wrote:
> If this helps, when I run `puppetd -d` I get a bunch of debug log
> statements that may be pertinent: http://pastebins.com/index.php?show=567
As much information as you can provide about how you''re running the
puppet master, what it''s configuration is (--genconfig helps here),
and what puppetca --configprint ssldir says would be more helpful.

-- 
Jeff McCune
http://www.puppetlabs.com/

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Thanks for the follow-up. Here is the puppetmasterd --genconf output:
http://pastebins.com/index.php?show=568; I have not made any changes
from the default, Ubuntu package installation, so the actual
puppet.conf file is just the pathnames.

I''ve been running the server using the `/etc/init.d/puppetmasterd
start` command. There is very little log output in the masterhttp.log,
but here''s what I see:

root@lab2:/var/log/puppet# more masterhttp.log
[2011-02-14 22:04:57] INFO  WEBrick 1.3.1
[2011-02-14 22:04:57] INFO  ruby 1.8.7 (2010-01-10) [x86_64-linux]
[2011-02-14 22:04:57] INFO
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 2 (0x2)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: CN=ca
        Validity
            Not Before: Feb 14 01:20:25 2011 GMT
            Not After : Feb 13 01:20:25 2016 GMT
        Subject: CN=lab2.domain.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:d5:f0:60:01:99:43:a8:d5:ce:0f:67:d1:d0:b2:
                    <snip>
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            Netscape Comment:
                Puppet Ruby/OpenSSL Generated Certificate
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Subject Key Identifier:
                E8:82:E2:46:38:25:B8:1C:9B:89:A7:FC:7D:96:22:12:BE:
23:8E:9C
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client
Authentication, E-mail Protection
            X509v3 Subject Alternative Name:
                DNS:puppet, DNS:lab2.domain.com, DNS:puppet.domain.com
    Signature Algorithm: sha1WithRSAEncryption
        48:f5:6a:9a:c9:8d:69:7e:5a:e6:fa:38:c4:65:a4:5a:26:1e:
        <snip>
[2011-02-14 22:04:57] INFO  WEBrick::HTTPServer#start: pid=20959
port=8140
[2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
2011:22:05:03 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:03] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
2011:22:05:03 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:03] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:21] events.edgesentinel.com - - [14/Feb/
2011:22:05:21 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:21] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:50] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:50] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:50] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:56] events.edgesentinel.com - - [14/Feb/
2011:22:05:56 PST] "GET /production/certificate/events1001.domain.com
HTTP/1.1" 404 51
[2011-02-14 22:05:56] - -> /production/certificate/
events1001.domain.com
[2011-02-14 22:05:57] INFO  going to shutdown ...
[2011-02-14 22:05:57] INFO  WEBrick::HTTPServer#start done.
root@lab2:/var/log/puppet#

Thanks again.
/m

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

On Mon, Feb 14, 2011 at 10:12 PM, mark risher <mrisher@impermium.com>
wrote:
> Thanks for the follow-up. Here is the puppetmasterd --genconf output:
> http://pastebins.com/index.php?show=568; I have not made any changes
> from the default, Ubuntu package installation, so the actual
> puppet.conf file is just the pathnames.
>
> I''ve been running the server using the `/etc/init.d/puppetmasterd
> start` command. There is very little log output in the masterhttp.log,
> but here''s what I see:
Shutdown the service and run puppet master with the following flags to
get debug info:
puppet master --no-daemonize -v
> root@lab2:/var/log/puppet# more masterhttp.log
> [2011-02-14 22:04:57] INFO  WEBrick 1.3.1
> [2011-02-14 22:04:57] INFO  ruby 1.8.7 (2010-01-10) [x86_64-linux]
> [2011-02-14 22:04:57] INFO
> Certificate:
>    Data:
>        Version: 3 (0x2)
>        Serial Number: 2 (0x2)
>        Signature Algorithm: sha1WithRSAEncryption
>        Issuer: CN=ca
>        Validity
>            Not Before: Feb 14 01:20:25 2011 GMT
>            Not After : Feb 13 01:20:25 2016 GMT
>        Subject: CN=lab2.domain.com
>        Subject Public Key Info:
>            Public Key Algorithm: rsaEncryption
>            RSA Public Key: (1024 bit)
>                Modulus (1024 bit):
>                    00:d5:f0:60:01:99:43:a8:d5:ce:0f:67:d1:d0:b2:
>                    <snip>
>                Exponent: 65537 (0x10001)
>        X509v3 extensions:
>            Netscape Comment:
>                Puppet Ruby/OpenSSL Generated Certificate
>            X509v3 Basic Constraints: critical
>                CA:FALSE
>            X509v3 Subject Key Identifier:
>                E8:82:E2:46:38:25:B8:1C:9B:89:A7:FC:7D:96:22:12:BE:
> 23:8E:9C
>            X509v3 Key Usage:
>                Digital Signature, Key Encipherment
>            X509v3 Extended Key Usage:
>                TLS Web Server Authentication, TLS Web Client
> Authentication, E-mail Protection
>            X509v3 Subject Alternative Name:
>                DNS:puppet, DNS:lab2.domain.com, DNS:puppet.domain.com
>    Signature Algorithm: sha1WithRSAEncryption
>        48:f5:6a:9a:c9:8d:69:7e:5a:e6:fa:38:c4:65:a4:5a:26:1e:
>        <snip>
> [2011-02-14 22:04:57] INFO  WEBrick::HTTPServer#start: pid=20959
> port=8140
> [2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:03 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:03] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:03] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:03 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:03] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:21] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:21 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:21] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:50] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:50] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:50] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:50 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:50] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:56] events.edgesentinel.com - - [14/Feb/
> 2011:22:05:56 PST] "GET /production/certificate/events1001.domain.com
> HTTP/1.1" 404 51
> [2011-02-14 22:05:56] - -> /production/certificate/
> events1001.domain.com
> [2011-02-14 22:05:57] INFO  going to shutdown ...
> [2011-02-14 22:05:57] INFO  WEBrick::HTTPServer#start done.
> root@lab2:/var/log/puppet#
Seems like the agent is just waiting for a certificate and you don''t
have the CSR on the master. I''m not sure of a way to force the agent
to submit the CSR again. Since I don''t have the exact directory
configuration, rather than asking you to copy the CSR to the server
I''m going to recommend cleaning the agent''s ssl directory so
it will
generate and submit the certificate request again.

With the master in verbose mode you should see the following: (using
demo.example.lan)
info: Could not find certificate for ''demo.example.lan''
info: Could not find certificate_request for
''demo.example.lan''
notice: demo.example.lan has a waiting certificate request
info: Could not find certificate for ''demo.example.lan''
info: Could not find certificate for ''demo.example.lan''

At this point you should have a certificate waiting to be signed.

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

@ Mark
>> Thanks for the suggestion. I set the /etc/host but that
doesn''t appear
/etc/host or /etc/hosts ??

Is that a typo ?


On 15 February 2011 10:49, mark risher <mrisher@impermium.com> wrote:
> Thanks for the suggestion. I set the /etc/host but that doesn''t
appear
> any different from specifying --server xyz on the command line; my
> client definitely seems to reach the server but still no certificate
> is issued and the manifest file doesn''t get downloaded:
>
>
> --- CLIENT
> mrisher@events1001:~$ sudo vi /etc/hosts
> mrisher@events1001:~$ puppetd --test
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> Exiting; no certificate found and waitforcert is disabled
> mrisher@events1001:~$ puppetd --test --waitforcert 60
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> warning: peer certificate won''t be verified in this SSL session
> notice: Did not receive certificate
>
>
> --- SERVER
> mrisher@lab2:~$ puppetca --list
>
> mrisher@lab2:~$ sudo puppetca --list
>
> mrisher@lab2:~$
>
>
> I feel like I must be missing something really obvious. Is there a way
> to telnet directly to the puppetmaster and issue a test that way? When
> I telnet to port 8140 it immediately hangs up.
>
> Thank you,
> /m
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

-- 
Regards

Basil Kurian

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

sorry, /etc/hosts. It was a typo in my bug report, I used  the correct
filename on the client itself.
The routing issue is not the culprit -- puppetd is clearly able to
reach the puppetmasterd server -- so we''re stuck somewhere inside
either what the client says or what the server responds with.

Still looking... thanks again,
/m

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Nan''s suggestion worked. I thought I''d tried these steps but
maybe not
in the right order.

Thank you, Nan!

Here were the steps:

mrisher@lab2:~$ sudo /etc/init.d//puppetmaster stop
 * Stopping puppet configuration management tool master
server                                                   [ OK ]
mrisher@lab2:~$ sudo puppetmasterd --no-daemonize -v
notice: Starting Puppet server version 0.25.4
err: Removing mount files: /etc/puppet/files does not exist
info: access[^/catalog/([^/]+)$]: allowing ''method'' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing
''method'' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing ''method'' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing ''method'' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing ''method'' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing ''method'' find
info: access[/certificate_request]: allowing ''method'' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: Could not find certificate for ''events1001.domain.com''
info: Could not find certificate for ''events1001.domain.com''
info: Could not find certificate_request for
''events1001.domain.com''
notice: events1001.domain.com has a waiting certificate request
info: Could not find certificate for ''events1001.domain.com''
info: Could not find certificate for ''events1001.domain.com''

===========-- on CLIENT
===========mrisher@events1001:~$ rm -rf /home/mrisher/.puppet/
mrisher@events1001:~$ puppetd --server lab2.domain.com --waitforcert 5
--test
info: Creating a new SSL key for events1001.domain.com
warning: peer certificate won''t be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
info: Creating a new SSL certificate request for events1001.domain.com
info: Certificate Request fingerprint (md5): 6C:7D:9B:12:C5:5D:
77:55:0A:D9:AC:8E:9A:E6:51:CA
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
warning: peer certificate won''t be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won''t be verified in this SSL session
notice: Did not receive certificate
warning: peer certificate won''t be verified in this SSL session
info: Caching certificate for events1001.domain.com
info: Caching certificate_revocation_list for ca
info: Caching catalog for events1001.domain.com
info: Applying configuration version ''1297801836''
warning: Cannot manage ownership unless running as root
err: //File[/tmp/testfile]/ensure: change from absent to present
failed: failed to chgrp /tmp/testfile to 0: Operation not permitted - /
tmp/testfile
info: Creating state file /home/mrisher/.puppet/var/state/state.yaml
notice: Finished catalog run in 0.01 seconds

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.