Roberto Bouza
2011-Feb-22 19:53 UTC
[Puppet Users] When running puppetd the cert goes straight up to revoked?
This is the first time this is happening... and it happens consecutively with all the hosts.

Fresh kickstarted host (never set up before the name so it's not on the revocation list), I just run puppetd -tv (we have autosign on), I just get the output below:

[root@server182 puppet]# puppetd -tv
info: Creating a new SSL key for server182.domain.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for server182.domain.com
info: Certificate Request fingerprint (md5): 7A:41:F8:1E:E4:46:21:95:BC:95:D1:D6:C8:1D:88:9F
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for server182.domain.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': sslv3 alert certificate revoked
err: /File[/var/lib/puppet/lib]: Could not evaluate: sslv3 alert certificate revoked Could not retrieve file metadata for puppet://puppet/plugins: sslv3 alert certificate revoked
info: Creating state file /var/lib/puppet/state/state.yaml
err: Could not retrieve catalog from remote server: sslv3 alert certificate revoked
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

On the server I get:

server182.domain.com (81:41:53:FC:9F:27:EE:46:20:E9:C6:98:59:DF:0A:06) (certificate revoked)

Something to notice is that the server gets its IP from the DHCP server, then when puppetized the IP gets changed to the one published on DNS. But the DNS entry is already there so I don't know if the puppetmaster checks the IP based on the name and since it's different it has this behavior.

Any help will be appreciated.

Thx.
-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Denmat
2011-Feb-22 20:27 UTC
Re: [Puppet Users] When running puppetd the cert goes straight up to revoked?
Hi,

Not sure on this but it looks like puppet is having issues reading /var/lib/puppet/lib

Other things to check with SSL issues: make sure your clocks are up to date, that you're using the right cert name if needed, and that DNS is working correctly.

Hope it helps.

Den
Roberto Bouza
2011-Feb-22 21:40 UTC
[Puppet Users] Re: When running puppetd the cert goes straight up to revoked?
I've removed /var/lib/puppet and /etc/puppet/ssl multiple times (removing the cert from the puppetmaster as well) with no luck.

The times are in sync...

It's really strange.
Denmat
2011-Feb-22 22:01 UTC
Re: [Puppet Users] Re: When running puppetd the cert goes straight up to revoked?
Are client and master at the same version? What version are you using?
Roberto Bouza
2011-Feb-22 23:01 UTC
[Puppet Users] Re: When running puppetd the cert goes straight up to revoked?
Yep

Same version 2.6.4

It looks like the client crl.pem was causing this somehow. I just emptied the file and it looks like it's working fine.

Thx
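One way to inspect a cached crl.pem instead of emptying it, as an added example that is not part of the original thread: it compares a certificate's serial number with the serials listed in a CRL, using `openssl x509 -serial` and `openssl crl -text`, and reports an empty CRL file as "cannot check" rather than as a pass. The function names, the abridged sample CRL dump and the paths in the usage comment are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Checks whether a certificate's serial
# number is listed in a CRL, e.g. the agent's cert against its cached crl.pem.

# Normalise a hex serial: drop colons/spaces, upper-case, strip leading zeros.
norm_serial() {
    n=$(printf '%s' "$1" | tr -d ': ' | tr 'abcdef' 'ABCDEF' | sed 's/^0*//')
    printf '%s\n' "${n:-0}"
}

# stdin: output of `openssl crl -noout -text`; stdout: one revoked serial per line.
revoked_serials() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*//p' |
    while read -r raw; do norm_serial "$raw"; done
}

# serial_is_revoked SERIAL < crl-text ; exit 0 if listed, 1 if not.
serial_is_revoked() {
    want=$(norm_serial "$1")
    revoked_serials | grep -Fqx "$want"
}

# check_cert_against_crl CERT.pem CRL.pem
# exit 0 = not listed, 1 = listed as revoked, 2 = could not check.
check_cert_against_crl() {
    [ -s "$2" ] || { echo "cannot check: $2 is missing or empty" >&2; return 2; }
    serial=$(openssl x509 -noout -serial -in "$1") || return 2
    crl_text=$(openssl crl -noout -text -in "$2") || return 2
    serial=${serial#serial=}
    if printf '%s\n' "$crl_text" | serial_is_revoked "$serial"; then
        echo "REVOKED: serial $serial ($1) is listed in $2"; return 1
    fi
    echo "ok: serial $serial ($1) is not listed in $2"
}

# Constructed, abridged sample of `openssl crl -noout -text` output (not from the thread).
sample_crl_text() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=Puppet CA: puppet.example.test
        Last Update: Feb 22 19:00:00 2011 GMT
        Next Update: Feb 21 19:00:00 2016 GMT
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Feb 22 19:10:00 2011 GMT
    Serial Number: 0B
        Revocation Date: Feb 22 19:40:00 2011 GMT
    Serial Number: 1A2F
        Revocation Date: Feb 22 19:55:00 2011 GMT
EOF
}

# Usage (paths are assumptions for an agent whose ssldir is /etc/puppet/ssl):
#   check_cert_against_crl /etc/puppet/ssl/certs/server182.domain.com.pem /etc/puppet/ssl/crl.pem
```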