Hello!

Background; We're just in the initial stage of setting up a testenv. for checking out puppet. And a working master and client(s) (ver. 2.6.7) is now started on one of our Suse/Linux servers.

I'm about to get a working puppet client (on Solaris 10-09) to connect to the above puppet master. I wanted to have it going as fast as possible so I went to http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Solaris
From there I was led to Blastwave and installed it the easiest way I found;

# /opt/csw/bin/pkgutil -U
# /opt/csw/bin/pkgutil --install puppet

Everything installed nicely but to my surprise no working defaults were set up (???), but that has been done now. The version I received was 2.6.6

When I start my puppet client I get;
......................................................................
./sbin/puppetd --server puppet-server.lmera.ericsson.se --waitforcert 60 --verbose --test
info: Creating a new SSL key for selix063gh.lmera.ericsson.se
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for selix063gh.lmera.ericsson.se
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
err: Could not retrieve catalog from remote server: Retrieved certificate does not match private key;
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
......................................................................

Searching the net suggests removing '/var/opt/csw/puppet/ssl' from client and running puppetca --clean <hostname>
(hostname in this case is selix063gh.lmera.ericsson.se)
When I issue 'puppetca --clean selix063gh.lmera.ericsson.se' I get the response;
'Could not find client certificate or request for selix063gh.lmera.ericsson.se'
which isn't particularly surprising, since this is a new client and one would expect that it's unknown to puppetmaster.

However looking on the puppetserver the client is all but unknown ...
Listing /var/lib/puppet/ssl/ca/signed gives at hand;
......................................................................
-rw-r----- 1 puppet puppet 1021 Mar 31 15:09 puppet-server.lmera.ericsson.se.pem
-rw-r----- 1 puppet puppet 908 Apr 26 12:34 puppetc1.lmera.ericsson.se.pem
-rw-r----- 1 puppet puppet 912 Apr 26 12:34 selix063gh.lmera.ericsson.se.pem
......................................................................
and /var/lib/puppet/ssl/ca/inventory.txt shows;
......................................................................
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0001 2011-03-30T13:09:33GMT 2016-03-28T13:09:33GMT /CN=Puppet CA: puppet-server.lmera.ericsson.se
0x0002 2011-03-30T13:09:33GMT 2016-03-28T13:09:33GMT /CN=puppet-server.lmera.ericsson.se
0x0003 2011-04-20T12:11:44GMT 2016-04-18T12:11:44GMT /CN=puppetc1.lmera.ericsson.se
0x0004 2011-04-25T10:34:09GMT 2016-04-23T10:34:09GMT /CN=selix063gh.lmera.ericsson.se
0x0005 2011-04-25T10:34:09GMT 2016-04-23T10:34:09GMT /CN=puppetc1.lmera.ericsson.se
......................................................................

Being a puppet rookie it appears that something is very wrong.
Err. msg. says 'remove certificate from server' and when I try that from puppetmasterd, I'll get a msg. saying that there is no certificate for the hostname.
Removing /var/opt/csw/puppet/ssl from client and running puppetca --clean <hostname> does not change anything;
I'll get the same error message no matter what I try.

Anyone having a way out of this ?

Rgds,
Mat

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

> Searching the net suggests removing '/var/opt/csw/puppet/ssl' from
> client and running puppetca --clean <hostname>
> (hostname in this case is selix063gh.lmera.ericsson.se)
> When I issue 'puppetca --clean selix063gh.lmera.ericsson.se' I get
> the response;
> 'Could not find client certificate or request for
> selix063gh.lmera.ericsson.se'
> which isn't particularly surprising, since this is a new client and
> one would expect that it's unknown to puppetmaster.
>
> However looking on the puppetserver the client is all but unknown ...
> Listing /var/lib/puppet/ssl/ca/signed gives at hand;
> ......................................................................
> -rw-r----- 1 puppet puppet 1021 Mar 31 15:09 puppet-server.lmera.ericsson.se.pem
> -rw-r----- 1 puppet puppet 908 Apr 26 12:34 puppetc1.lmera.ericsson.se.pem
> -rw-r----- 1 puppet puppet 912 Apr 26 12:34 selix063gh.lmera.ericsson.se.pem
> ......................................................................
>
> Being a puppet rookie it appears that something is very wrong.
> Err. msg. says 'remove certificate from server' and when I try that
> from puppetmasterd, I'll get a msg. saying
> that there is no certificate for the hostname.
> Removing /var/opt/csw/puppet/ssl from client and running puppetca
> --clean <hostname> does not change anything;
> I'll get the same error message no matter what I try.
>
> Anyone having a way out of this ?

Hi,

weird indeed.

What does puppetca --list --all give you?

The first wooden hammer you can swing is "move the cert away from the master's ssl dir".

Another approach (albeit crooked) would be to try and find the privkey for the cert that somehow made it to your master and use that for the client. I don't think you'll find it, though.

Have you ever told puppet to sign any cert for that box? Is autosign enabled per chance?

HTH,
Felix

Hello Felix

> What does puppetca --list --all give you?

It gives me;
----------------------------------------------
puppet@puppet-server:~> puppetca --list --all
puppet@puppet-server:~> puppetca --list
No certificates to sign
puppet@puppet-server:~>
----------------------------------------------

> Have you ever told puppet to sign any cert for that box?

Yes, by running;
"/sbin/puppetd --server puppet-server.lmera.ericsson.se --verbose --test"

> Is autosign enabled per chance?

Hmmm, it appears so;
puppet@puppet-server:~> more /etc/puppet/autosign.conf
*.lmera.ericsson.se
puppet@puppet-server:~>

I believe this is a mistake. I will definitely remove that and see what happens.

> The first wooden hammer you can swing is "move the cert away from the master's ssl dir".

I'll try that but I'll first see the outcome of getting rid of the autosign.
I believe that autosign has been put in place by mistake caused by the fact that there is no working default configuration.

Thanks

Rgds,
Mat

> The first wooden hammer you can swing is "move the cert away from the
> master's ssl dir".
>
> Another approach (albeit crooked) would be to try and find the privkey
> for the cert that somehow made it to your master and use that for the
> client. I don't think you'll find it, though.
>
> Have you ever told puppet to sign any cert for that box? Is autosign
> enabled per chance?
>
> HTH,
> Felix

Sorry

> Yes, by running;
> "/sbin/puppetd --server puppet-server.lmera.ericsson.se --verbose --test"

should be

# ../sbin/puppetd --server puppet-server.lmera.ericsson.se --waitforcert 60 --verbose --test

On Wed, Apr 27, 2011 at 9:39 AM, ki_chi_saga <fanell@kth.se> wrote:
> Hello Felix
>
>> What does puppetca --list --all give you?
>
> It gives me;
> ----------------------------------------------
> puppet@puppet-server:~> puppetca --list --all

That is odd since it should provide at least the server cert with a plus sign in front.

+ puppet-server.lmera.ericsson.se

If you run with option --configprint ssldir is it giving the right directory?

If you run puppetca --print puppet-server.lmera.ericsson.se does it show you the certificate? what about: puppetca --print selix063gh.lmera.ericsson.se?

Thanks,

Nan

On 04/27/2011 06:42 PM, ki_chi_saga wrote:
>
> Sorry
>
>> Yes, by running;
>> "/sbin/puppetd --server puppet-server.lmera.ericsson.se --verbose --test"
>
> should be
>
> # ../sbin/puppetd --server puppet-server.lmera.ericsson.se --waitforcert 60 --verbose --test
>

Hi,

that's not "signing a certificate", you're merely requesting a signed cert from your master. Since you had autosigning enabled, your master did indeed sign that happily, it appears.

Blasting $vardir/ssl on your client is no good then, because the master keeps that bad certificate, and you have to remove it before you can sign another one.

In most circumstances, disabling autosigning is indeed a good idea.

About your general problems, please follow up on Nan's advice.

Regards,
Felix

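An added example, not part of any message in this thread: the situation discussed above (a certificate already signed on the master for a "new" client, with a wildcard in autosign.conf) can be checked on the master from the two files quoted in the thread. The function names and the example.test host names are made up; the sample inventory follows the format of the listing posted earlier.

```shell
#!/bin/sh
# Added example (not from the thread): master-side checks on the Puppet CA.
# File formats follow what the thread shows; host names below are made up.

# Print "<serial> <not_before>" for each certificate issued to CERTNAME.
issued_for() {  # usage: issued_for INVENTORY CERTNAME
    awk -v cn="$2" '
        /^#/ { next }
        { i = index($0, "/CN="); if (i && substr($0, i + 4) == cn) print $1, $2 }
    ' "$1"
}

# Print "<count> <certname>" for certnames signed more than once.
reissued() {  # usage: reissued INVENTORY
    awk '
        /^#/ { next }
        { i = index($0, "/CN="); if (i) n[substr($0, i + 4)]++ }
        END { for (cn in n) if (n[cn] > 1) print n[cn], cn }
    ' "$1" | sort
}

# Print autosign.conf entries containing a glob; matching requests are
# signed without review. Assumption: lines starting with "#" are comments.
autosign_globs() {  # usage: autosign_globs AUTOSIGN_CONF
    [ -f "$1" ] || return 0
    grep -v '^[[:space:]]*#' "$1" | grep -F '*' || true
}

# Constructed sample input.
tmp=$(mktemp -d)
cat > "$tmp/inventory.txt" <<'EOF'
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0001 2011-03-30T13:09:33GMT 2016-03-28T13:09:33GMT /CN=Puppet CA: master.example.test
0x0002 2011-03-30T13:09:33GMT 2016-03-28T13:09:33GMT /CN=master.example.test
0x0003 2011-04-20T12:11:44GMT 2016-04-18T12:11:44GMT /CN=agent1.example.test
0x0004 2011-04-25T10:34:09GMT 2016-04-23T10:34:09GMT /CN=agent2.example.test
0x0005 2011-04-25T10:34:09GMT 2016-04-23T10:34:09GMT /CN=agent1.example.test
EOF
printf '%s\n' '# constructed sample' '*.example.test' 'build01.example.test' \
    > "$tmp/autosign.conf"

echo "Issued to agent2.example.test:"; issued_for "$tmp/inventory.txt" agent2.example.test
echo "Signed more than once:";         reissued "$tmp/inventory.txt"
echo "Glob entries in autosign.conf:"; autosign_globs "$tmp/autosign.conf"
```

An inventory entry dated before the client's current key was generated means the master still holds a certificate for the old key, which is the mismatch the agent reports.
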
Hello Felix!

> In most circumstances, disabling autosigning is indeed a good idea.

That's what I've read too.

> About your general problems,

Well, this is the first time I installed a puppet client and I wanted having it going right away on a Solaris system (to an on-site education on puppet). I wanted it installed the *easiest* way possible ...
As I wrote in my initial post I went to reductivelabs.com and from there to the OpenCSW archive:

/opt/csw/bin/pkgutil -U
/opt/csw/bin/pkgutil --install puppet

That was it! Everything installed nicely but to my surprise no working defaults were set up (???). And this has caused *a*lot* of confusion for me.

Is it so that you *have* to create your first initial configuration yourself? (i.e. there is really no DEFAULT configuration)
Or is this dependent on *where* & how you install puppet (for example from source)?
If someone light me up on this, I would really appreciate this.

And now finally ...
==================================================================
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for selix063gh.lmera.ericsson.se
info: Certificate Request fingerprint (md5): 77:50:45:46:C3:C1:3B:08:70:2E:6C:DE:0C:C6:DC:7D
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for selix063gh.lmera.ericsson.se
info: Caching certificate_revocation_list for ca
info: Caching catalog for selix063gh.lmera.ericsson.se
info: Applying configuration version '1303986887'
info: Creating state file /var/opt/csw/puppet/state/state.yaml
notice: Finished catalog run in 0.15 seconds
==================================================================

I can hardly believe my eyes !!!

***********************************************************************
* THANK YOU EVERYBODY WHO REPLIED, LEADING ME TO THE RIGHT DIRECTION ! *
***********************************************************************

Rgds,
Mat