Josh
2011-Jul-29 06:38 UTC
[Puppet Users] Odd SSL issue - host not showing with puppet cert --list --all
Hi,

Just wondering if anyone had any similar issues or ideas on troubleshooting the following problem.

I have a client/node registered to the puppet master and it is working without any issues. On the server I can see it compile the catalog in the logs. However, when I run 'puppet cert --list --all' it is not in the list. Note we use auto signing (/etc/puppet/autosign.conf).

# Client Working
[root@sitvhmnp161105 ~]# puppet agent --test
info: Retrieving plugin
info: Loading facts in systeminfo
info: Loading facts in systeminfo
info: Caching catalog for sitvhmnp161105.mambodev.local
info: Applying configuration version '1311904488'
notice: Finished catalog run in 1.31 seconds
[root@sitvhmnp161105 ~]#

# Server Logs
[root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/log/messages | tail -2
Jul 29 16:25:28 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.11 seconds
Jul 29 16:34:47 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.10 seconds

# Certificate List
[root@sitvhmnp004201 ~]# puppet cert list --all | grep -i sitvhmnp161105
[root@sitvhmnp004201 ~]#

I can see all my other hosts showing when using the puppet cert --list command.

Regards,
Josh

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nan Liu
2011-Jul-29 09:40 UTC
Re: [Puppet Users] Odd SSL issue - host not showing with puppet cert --list --all
On Fri, Jul 29, 2011 at 2:38 AM, Josh <joshua.m.roberts@gmail.com> wrote:
> Just wondering if anyone had any similar issues or ideas on
> troubleshooting the following problem.
>
> I have a client/node registered to the puppet master and it is working
> without any issues. On the server I can see it compile the catalog in
> the logs. However, when I run 'puppet cert --list --all' it is not in
> the list. Note we use auto signing (/etc/puppet/autosign.conf).
>
> # Client Working
> [root@sitvhmnp161105 ~]# puppet agent --test
> info: Retrieving plugin
> info: Loading facts in systeminfo
> info: Loading facts in systeminfo
> info: Caching catalog for sitvhmnp161105.mambodev.local
> info: Applying configuration version '1311904488'
> notice: Finished catalog run in 1.31 seconds
> [root@sitvhmnp161105 ~]#
>
> # Server Logs
> [root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/log/messages | tail -2
> Jul 29 16:25:28 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.11 seconds
> Jul 29 16:34:47 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.10 seconds
>
> # Certificate List
> [root@sitvhmnp004201 ~]# puppet cert list --all | grep -i sitvhmnp161105
> [root@sitvhmnp004201 ~]#
>
> I can see all my other hosts showing when using the puppet cert --list
> command.

It is possible to have a working cert that doesn't appear in puppet cert -la. A few possibilities:

- Revoked and cleaned, but certificate CRL not honored.
- Signed by another puppet master with the same CA.
- Signed by the system, but the cert files were removed.

Since you are running puppet cert, I don't think it's an issue with puppetca clean not revoking the cert (old bug).

Check your puppet master ssl directory and review your inventory.txt and compare it against the certificate serial number of sitvhmnp161105.
If it's indeed signed by this puppet master CA, you should have something matching:

0x0008 2011-07-12T22:20:37GMT 2016-07-10T22:20:37GMT /CN=sitvhmnp161105

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
        ...
        Subject: CN=sitvhmnp161105

Thanks,

Nan
Josh
2011-Jul-31 22:50 UTC
[Puppet Users] Re: Odd SSL issue - host not showing with puppet cert --list --all
Hi Nan,

Thanks for that info! We have been rebuilding a set of servers frequently as part of our testing and using the clean/revoke function.

I can see that inventory.txt does in fact mention sitvhmnp161105 twice.

[root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/lib/puppet/ssl/ca/inventory.txt
0x00b6 2011-07-20T17:48:59GMT 2016-07-18T17:48:59GMT /CN=sitvhmnp161105.mambodev.local
0x029d 2011-07-27T04:23:30GMT 2016-07-25T04:23:30GMT /CN=sitvhmnp161105.mambodev.local

However, sitvhmnp161105 does not show like my other hosts in /var/lib/puppet/ssl/ca/signed/

[root@sitvhmnp004201 ~]# ls /var/lib/puppet/ssl/ca/signed/sitvhmnp16110*
/var/lib/puppet/ssl/ca/signed/sitvhmnp161101.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161102.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161103.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161104.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161106.mambodev.local.pem

Does this mean my inventory is out of sync with my certificates? What would be the best way to clean this up?

Cheers,
Josh

On Jul 29, 7:40 pm, Nan Liu <n...@puppetlabs.com> wrote:
> On Fri, Jul 29, 2011 at 2:38 AM, Josh <joshua.m.robe...@gmail.com> wrote:
> > Just wondering if anyone had any similar issues or ideas on
> > troubleshooting the following problem.
> >
> > I have a client/node registered to the puppet master and it is working
> > without any issues. On the server I can see it compile the catalog in
> > the logs. However, when I run 'puppet cert --list --all' it is not in
> > the list. Note we use auto signing (/etc/puppet/autosign.conf).
> >
> > # Client Working
> > [root@sitvhmnp161105 ~]# puppet agent --test
> > info: Retrieving plugin
> > info: Loading facts in systeminfo
> > info: Loading facts in systeminfo
> > info: Caching catalog for sitvhmnp161105.mambodev.local
> > info: Applying configuration version '1311904488'
> > notice: Finished catalog run in 1.31 seconds
> > [root@sitvhmnp161105 ~]#
> >
> > # Server Logs
> > [root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/log/messages | tail -2
> > Jul 29 16:25:28 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.11 seconds
> > Jul 29 16:34:47 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.10 seconds
> >
> > # Certificate List
> > [root@sitvhmnp004201 ~]# puppet cert list --all | grep -i sitvhmnp161105
> > [root@sitvhmnp004201 ~]#
> >
> > I can see all my other hosts showing when using the puppet cert --list
> > command.
>
> It is possible to have a working cert that doesn't appear in puppet
> cert -la. A few possibilities:
> Revoked and cleaned, but certificate CRL not honored.
> Signed by another puppet master with the same CA.
> Signed by the system, but the cert files were removed.
> Since you are running puppet cert, I don't think it's an issue with
> puppetca clean not revoking the cert (old bug).
>
> Check your puppet master ssl directory and review your inventory.txt
> and compare it against the certificate serial number of
> sitvhmnp161105. If it's indeed signed by this puppet master CA, you
> should have something matching:
>
> 0x0008 2011-07-12T22:20:37GMT 2016-07-10T22:20:37GMT /CN=sitvhmnp161105
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 8 (0x8)
>         ...
>         Subject: CN=sitvhmnp161105
>
> Thanks,
>
> Nan
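The cross-check Nan describes (join on the certificate serial, then look at inventory.txt, signed/ and the CRL) as an added worked example in Ruby, the language Puppet itself is written in. This is not code from the thread or from Puppet; it assumes the inventory.txt line format shown above ("<hex serial> <not-before> <not-after> /CN=<name>"). The inventory and directory listing are constructed from the serials and hostnames Josh posted; the extra serials 0x00b5 and 0x029e, the throwaway self-signed test certificate and the function names are assumptions made for the example.

```ruby
#!/usr/bin/env ruby
# Added example (not from the thread or from Puppet): cross-check a Puppet CA's
# inventory.txt, its signed/ directory and its CRL against an agent certificate,
# to explain why a working agent can be absent from `puppet cert list --all`.
# Every file content below is a constructed sample, not read from a real master.
require 'openssl'
require 'set'

# Constructed stand-in for /var/lib/puppet/ssl/ca/inventory.txt. The two
# sitvhmnp161105 lines are the ones Josh posted; the other two are made up.
INVENTORY_TXT = <<~INV
  0x00b5 2011-07-20T17:40:12GMT 2016-07-18T17:40:12GMT /CN=sitvhmnp161104.mambodev.local
  0x00b6 2011-07-20T17:48:59GMT 2016-07-18T17:48:59GMT /CN=sitvhmnp161105.mambodev.local
  0x029d 2011-07-27T04:23:30GMT 2016-07-25T04:23:30GMT /CN=sitvhmnp161105.mambodev.local
  0x029e 2011-07-27T04:25:01GMT 2016-07-25T04:25:01GMT /CN=sitvhmnp161106.mambodev.local
INV

# Constructed stand-in for `ls /var/lib/puppet/ssl/ca/signed/` (Josh's listing).
SIGNED_DIR_LISTING = %w[
  sitvhmnp161101.mambodev.local.pem sitvhmnp161102.mambodev.local.pem
  sitvhmnp161103.mambodev.local.pem sitvhmnp161104.mambodev.local.pem
  sitvhmnp161106.mambodev.local.pem
]

# Parse inventory lines "<hex serial> <not-before> <not-after> /CN=<name>".
def parse_inventory(text)
  text.each_line.filter_map do |line|
    m = line.match(%r{^(0x\h+)\s+(\S+)\s+(\S+)\s+(/\S+)\s*$}) or next
    { serial: m[1].hex, not_before: m[2], not_after: m[3],
      cn: m[4][%r{/CN=([^/]+)}, 1] }
  end
end

# CNs that `puppet cert list --all` would show: one PEM per host under signed/.
def signed_cns(filenames)
  filenames.map { |f| File.basename(f, '.pem') }.to_set
end

# CNs issued more than once (hosts rebuilt and re-signed).
def duplicate_cns(entries)
  entries.group_by { |e| e[:cn] }.select { |_, v| v.size > 1 }.keys
end

# CNs present in inventory.txt but with no PEM under signed/: the asymmetry
# Josh found. Cleaning removes the PEM; the inventory line stays.
def missing_signed_files(entries, filenames)
  entries.map { |e| e[:cn] }.uniq - signed_cns(filenames).to_a
end

# Serials listed as revoked in the CA's CRL (ca_crl.pem).
def crl_serials(crl_pem)
  OpenSSL::X509::CRL.new(crl_pem).revoked.map { |r| r.serial.to_i }.to_set
end

def cert_serial(pem)
  OpenSSL::X509::Certificate.new(pem).serial.to_i
end

# Classify an agent cert (PEM) against the CA state. The serial is the join
# key Nan suggested; a serial match alone does not prove the issuer, so on a
# real master also verify the cert's signature against ca_crt.pem.
def diagnose(pem, entries, filenames, revoked)
  cert   = OpenSSL::X509::Certificate.new(pem)
  serial = cert.serial.to_i
  cn     = cert.subject.to_a.find { |name, _, _| name == 'CN' }[1]
  return :not_in_inventory  unless entries.any? { |e| e[:serial] == serial }
  return :revoked           if revoked.include?(serial)   # only refused if the CRL is honored
  return :signed_and_listed if signed_cns(filenames).include?(cn)
  :in_inventory_but_pem_missing   # agent works, but invisible to `puppet cert list`
end

# Throwaway self-signed cert so the example runs offline; a real check would
# read the agent's /var/lib/puppet/ssl/certs/<fqdn>.pem instead.
def make_test_cert(cn, serial)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if $PROGRAM_NAME == __FILE__
  inv = parse_inventory(INVENTORY_TXT)
  puts "issued more than once: #{duplicate_cns(inv).join(', ')}"
  puts "in inventory, no signed PEM: #{missing_signed_files(inv, SIGNED_DIR_LISTING).join(', ')}"
  pem = make_test_cert('sitvhmnp161105.mambodev.local', 0x029d)
  puts "agent cert 0x029d: #{diagnose(pem, inv, SIGNED_DIR_LISTING, Set.new)}"
end
```

On a real master, replace the constructed constants with File.read('/var/lib/puppet/ssl/ca/inventory.txt'), Dir.children('/var/lib/puppet/ssl/ca/signed') and crl_serials(File.read('/var/lib/puppet/ssl/ca/ca_crl.pem')), and pass the agent's own cert PEM to diagnose. The useful distinction is the last two outcomes: a serial that is in the inventory and in the CRL should be refused by the master, and if it still gets a catalog that points at the first of Nan's possibilities (CRL not honored), whereas a serial that is in the inventory, not in the CRL and has no PEM under signed/ is Josh's situation.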