I have several servers being hosted on Amazon Web Services. They have all been built from the same manifest so apart from the hostnames, IP, etc they are all identical.

All but 3 of the boxes can connect to the puppetmaster. When kicked from the puppetmaster two give:
Host host.example.com failed: Connection refused - connect(2)

one gives:

Host host.example.com failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed

All then give an exit code of 2

I have deleted /etc/puppet/ssl on the node and revoked the certs on the puppet master (puppetca -c host.example.com) with the same results on all 3 boxes.

I know it is not my laptop's fault but I am about to throw it out the window...

Please save the poor thing and give me a hint as to what else I can do...

Thanks,
John
--
John Kennedy

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Jun 1, 2011, at 8:05 AM, John Kennedy wrote:

> I have several servers being hosted on Amazon Web Services. They have all been built from the same manifest so apart from the hostnames, IP, etc they are all identical.
>
> All but 3 of the boxes can connect to the puppetmaster. When kicked from the puppetmaster two give:
> Host host.example.com failed: Connection refused - connect(2)
>
> one gives:
>
> Host host.example.com failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>
> All then give an exit code of 2
>
> I have deleted /etc/puppet/ssl on the node and revoked the certs on the puppet master (puppetca -c host.example.com) with the same results on all 3 boxes.
>
> I know it is not my laptop's fault but I am about to throw it out the window...
>
> Please save the poor thing and give me a hint as to what else I can do...
>
> Thanks,

What version of puppet is running on the clients? What version on the server?

Did you forget "listen=true" on the ones that say "connection refused"?

Is "host.example.com" the master or the client you're kicking?

On the client and the server, try this command:
md5sum /var/lib/puppet/ssl/ca/ca_crt.pem

On the server try this command:
md5sum /var/lib/puppet/ssl/certs/ca.pem

Do all 3 certs match?

Replies inline

On Wed, Jun 1, 2011 at 17:55, Patrick <kc7zzv@gmail.com> wrote:

> On Jun 1, 2011, at 8:05 AM, John Kennedy wrote:
>
> I have several servers being hosted on Amazon Web Services. They have all been built from the same manifest so apart from the hostnames, IP, etc they are all identical.
>
> All but 3 of the boxes can connect to the puppetmaster. When kicked from the puppetmaster two give:
> Host host.example.com failed: Connection refused - connect(2)
>
> one gives:
>
> Host host.example.com failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>
> All then give an exit code of 2
>
> I have deleted /etc/puppet/ssl on the node and revoked the certs on the puppet master (puppetca -c host.example.com) with the same results on all 3 boxes.
>
> I know it is not my laptop's fault but I am about to throw it out the window...
>
> Please save the poor thing and give me a hint as to what else I can do...
>
> Thanks,
>
> What version of puppet is running on the clients? What version on the server?

Client is 2.6.7
Server is 2.6.4

> Did you forget "listen=true" on the ones that say "connection refused"?

No. They are all the same...

> Is "host.example.com" the master or the client you're kicking?

host.example.com is the client I am trying to kick

> On the client and the server, try this command:
> md5sum /var/lib/puppet/ssl/ca/ca_crt.pem
>
> On the server try this command:
> md5sum /var/lib/puppet/ssl/certs/ca.pem
>
> Do all 3 certs match?

None of the files exist. (our puppet config files are in /etc)

--
John Kennedy

On Thu, Jun 2, 2011 at 9:32 AM, John Kennedy <skebi69@gmail.com> wrote:

>> What version of puppet is running on the clients? What version on the
>> server?
>
> Client is 2.6.7
> Server is 2.6.4

Although this may work, the only supported configuration is to have the server the same version as the clients or newer.

I have no actual evidence this is your problem though.

On Jun 2, 2011, at 9:32 AM, John Kennedy wrote:

> Replies inline
>
> On Wed, Jun 1, 2011 at 17:55, Patrick <kc7zzv@gmail.com> wrote:
>
> On Jun 1, 2011, at 8:05 AM, John Kennedy wrote:
>
>> I have several servers being hosted on Amazon Web Services. They have all been built from the same manifest so apart from the hostnames, IP, etc they are all identical.
>>
>> All but 3 of the boxes can connect to the puppetmaster. When kicked from the puppetmaster two give:
>> Host host.example.com failed: Connection refused - connect(2)
>>
>> one gives:
>>
>> Host host.example.com failed: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
>>
>> All then give an exit code of 2
>>
>> I have deleted /etc/puppet/ssl on the node and revoked the certs on the puppet master (puppetca -c host.example.com) with the same results on all 3 boxes.
>>
>> I know it is not my laptop's fault but I am about to throw it out the window...
>>
>> Please save the poor thing and give me a hint as to what else I can do...
>>
>> Thanks,
>
> What version of puppet is running on the clients? What version on the server?
>
> Client is 2.6.7
> Server is 2.6.4
>
> Did you forget "listen=true" on the ones that say "connection refused"?
>
> No They are all the same...
>
> Is "host.example.com" the master or the client you're kicking?
>
> host.example.com is the client I am trying to kick
>
> On the client and the server, try this command:
> md5sum /var/lib/puppet/ssl/ca/ca_crt.pem
>
> On the server try this command:
> md5sum /var/lib/puppet/ssl/certs/ca.pem
>
> Do all 3 certs match?
>
> None of the files exist. (our puppet config files are in /etc)

Hmm. I'd guess puppet's storing the ssl config in a different location from where puppet stores them on my system. To get the of those files for you run as root:
puppetd --genconfig | grep 'localcacert = '
on the client to find the client's ssl cert location.

CA's cert path (run as root):
puppet master --genconfig | grep ' cacert = '

Then check if the md5sums of those files match between the server and the client that gives the SSL Verify error.

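The CA comparison suggested in this thread, as an added example that is not part of any poster's message: it hashes the decoded certificate body with SHA-256 instead of running md5sum on the file, so differing line endings or wrapping do not produce a false mismatch, and it reports a missing file (the wrong-path case above) separately from a real mismatch. The function names and sample files are hypothetical, and the sample bodies are constructed placeholders, not real certificates; the two paths would come from the `--genconfig` commands above.

```shell
#!/bin/sh
# Added example: compare the CA certificate an agent trusts with the master's CA cert.
# Function names and the sample files are hypothetical.

# Print the SHA-256 of the decoded body of the first certificate in a PEM file.
# Hashing the decoded body (not the file) ignores CRLF line endings and line wrapping.
cert_digest() {
    [ -r "$1" ] || { echo "missing or unreadable: $1" >&2; return 2; }
    body=$(awk '
        /-----BEGIN CERTIFICATE-----/ { on = 1; next }
        /-----END CERTIFICATE-----/   { exit }
        on { gsub(/[ \t\r]/, ""); printf "%s", $0 }' "$1")
    [ -n "$body" ] || { echo "no certificate block in: $1" >&2; return 2; }
    printf '%s' "$body" | base64 -d >/dev/null 2>&1 ||
        { echo "undecodable certificate body in: $1" >&2; return 2; }
    printf '%s' "$body" | base64 -d | sha256sum | cut -d' ' -f1
}

# Returns 0 if both files hold the same certificate, 1 if they differ,
# 2 if either file is missing or unparseable (e.g. the path is wrong).
compare_ca() {
    agent=$(cert_digest "$1") || return 2
    master=$(cert_digest "$2") || return 2
    if [ "$agent" = "$master" ]; then
        echo "MATCH $agent"
        return 0
    fi
    echo "MISMATCH agent=$agent master=$master"
    return 1
}

# Constructed sample files; the bodies are placeholder base64, not real certificates.
make_samples() {
    b='-----BEGIN CERTIFICATE-----'; e='-----END CERTIFICATE-----'
    printf '%s\n'   "$b" 'Y29uc3RydWN0ZWQtY2Etb25l' "$e" > "$1/master_ca.pem"
    # Same body, wrapped differently and with CRLF endings: md5sum of the file would differ.
    printf '%s\r\n' "$b" 'Y29uc3RydWN0' 'ZWQtY2Etb25l' "$e" > "$1/agent_ca.pem"
    # An agent copy left over from a different CA.
    printf '%s\n'   "$b" 'Y29uc3RydWN0ZWQtY2EtdHdv' "$e" > "$1/stale_ca.pem"
}

# Usage: sh compare_ca.sh <agent localcacert path> <master cacert path>
if [ "$#" -eq 2 ]; then
    compare_ca "$1" "$2"
fi
```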