Khoury Brazil
2011-Aug-22 00:30 UTC
[Puppet Users] Puppet on OS X run using launchd generating a new certificate request for 'localhost' instead of the actual hostname
Hi Everyone,

I have a weird issue where the puppet client running under launchd generates a new certificate request for 'localhost' which I thought was pretty odd (with the side effect of it failing to run and report). Running puppetd manually never generates this behavior.

Details:

Client:
puppetd version: 2.6.7
OS X version: 10.6.8
Contents of the hosts file:
##
# Host Database
#
# localhost is used to configure the loopback interface
# when the system is booting. Do not change this entry.
##
127.0.0.1 localhost
255.255.255.255 broadcasthost
::1 localhost
fe80::1%lo0 localhost

Puppet appears to be running correctly (at least it jives with the launchd instructions):
root 52 0.3 1.0 2480284 43212 ?? Ss 1:37PM 0:46.66 /usr/bin/ruby /usr/sbin/puppetd --verbose --no-daemonize --logdest console

Notes:
Added to launchd using the details here: http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_With_Launchd
The output of the hostname using the 'hostname' command is correct.
Possibly relevant: Client does not have a DNS entry that matches its hostname (our desktop environment is not allowed to use dynamic DNS so it uses a mangled system where DNS updates are taken care of by the DHCP process after it gets the hostname from the client when it requests a DHCP lease (and it can take several hours to update). I don't know why, I hate it, it's not going to change and sometimes it results in a mismatched DNS entry and hostname)

Console output (redundant logs removed):
8/21/11 1:38:03 PM com.reductivelabs.puppet[52] [0;32minfo: Creating a new SSL key for localhost [0m
8/21/11 1:38:04 PM com.reductivelabs.puppet[52] warning: peer certificate won't be verified in this SSL session
8/21/11 1:38:04 PM com.reductivelabs.puppet[52] [0;32minfo: Creating a new SSL certificate request for localhost [0m
8/21/11 1:38:04 PM com.reductivelabs.puppet[52] [0;32minfo: Certificate Request fingerprint (md5): <redacted> [0m
8/21/11 1:38:04 PM com.reductivelabs.puppet[52] warning: peer certificate won't be verified in this SSL session
8/21/11 1:40:05 PM com.reductivelabs.puppet[52] [0;36mnotice: Did not receive certificate [0m

Puppet Master:
puppetmasterd version: 2.7.1

puppetca output:
user@puppetmasterserver:~$ sudo puppetca --list
localhost

Thanks for any insight you may have. This one has me kind of stumped.

Thanks,
Khoury

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Khoury
2011-Aug-22 02:53 UTC
[Puppet Users] Re: Puppet on OS X run using launchd generating a new certificate request for 'localhost' instead of the actual hostname
On Aug 21, 5:30 pm, Khoury Brazil <khoury.bra...@gmail.com> wrote:
> Hi Everyone,
>
> I have a weird issue where the puppet client running under launchd
> generates a new certificate request for 'localhost' which I thought
> was pretty odd (with the side effect of it failing to run and report).
> Running puppetd manually never generates this behavior.
>
> Details:
>
> Client:
> puppetd version: 2.6.7
> OS X version: 10.6.8
> Contents of the hosts file:
> ##
> # Host Database
> #
> # localhost is used to configure the loopback interface
> # when the system is booting. Do not change this entry.
> ##
> 127.0.0.1 localhost
> 255.255.255.255 broadcasthost
> ::1 localhost
> fe80::1%lo0 localhost
>
> Puppet appears to be running correctly (at least it jives with the
> launchd instructions):
> root 52 0.3 1.0 2480284 43212 ?? Ss 1:37PM 0:46.66
> /usr/bin/ruby /usr/sbin/puppetd --verbose --no-daemonize --logdest
> console
> Notes:
> Added to launchd using the details here: http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_With_Launchd
> The output of the hostname using the 'hostname' command is correct.
> Possibly relevant: Client does not have a DNS entry that matches its
> hostname (our desktop environment is not allowed to use dynamic DNS so
> it uses a mangled system where DNS updates are taken care of by the
> DHCP process after it gets the hostname from the client when it
> requests a DHCP lease (and it can take several hours to update). I
> don't know why, I hate it, it's not going to change and sometimes it
> results in a mismatched DNS entry and hostname)
>
> Console output (redundant logs removed):
> 8/21/11 1:38:03 PM com.reductivelabs.puppet[52] [0;32minfo: Creating
> a new SSL key for localhost [0m
>
> 8/21/11 1:38:04 PM com.reductivelabs.puppet[52] warning: peer
> certificate won't be verified in this SSL session
>
> 8/21/11 1:38:04 PM com.reductivelabs.puppet[52] [0;32minfo: Creating
> a new SSL certificate request for localhost [0m
>
> 8/21/11 1:38:04 PM com.reductivelabs.puppet[52] [0;32minfo:
> Certificate Request fingerprint (md5): <redacted> [0m
>
> 8/21/11 1:38:04 PM com.reductivelabs.puppet[52] warning: peer
> certificate won't be verified in this SSL session
>
> 8/21/11 1:40:05 PM com.reductivelabs.puppet[52] [0;36mnotice: Did not
> receive certificate [0m
>
> Puppet Master:
> puppetmasterd version: 2.7.1
>
> puppetca output:
> user@puppetmasterserver:~$ sudo puppetca --list
> localhost
>
> Thanks for any insight you may have. This one has me kind of stumped.
>
> Thanks,
> Khoury

Adding the entry "127.0.0.1 <non-fqdn-hostname>" solved the problem. I suppose that means dns/reverse dns is one of the ways that puppet determines what the node name is (although in my case it appears to be inconsistently applied). I'm just going to make sure the entry is in each host file using puppet. A bit annoying but manageable. It would be nice if there were an option under [agent] to set how it determined the node name though.
Nan Liu
2011-Aug-22 05:15 UTC
Re: [Puppet Users] Re: Puppet on OS X run using launchd generating a new certificate request for 'localhost' instead of the actual hostname
On Sun, Aug 21, 2011 at 7:53 PM, Khoury <khoury.brazil@gmail.com> wrote:
> Adding the entry "127.0.0.1 <non-fqdn-hostname>" solved the
> problem. I suppose that means dns/reverse dns is one of the ways that
> puppet determines what the node name is (although in my case it
> appears to be inconsistently applied). I'm just going to make sure the
> entry is in each host file using puppet. A bit annoying but
> manageable. It would be nice if there were an option under [agent] to
> set how it determined the node name though.

Try setting the option certname in the options or add it to puppet.conf [agent] or [puppetd] section (dependent on your version).

Thanks,

Nan
Khoury Brazil
2011-Aug-22 06:58 UTC
Re: [Puppet Users] Re: Puppet on OS X run using launchd generating a new certificate request for 'localhost' instead of the actual hostname
On Sun, Aug 21, 2011 at 10:15 PM, Nan Liu <nan@puppetlabs.com> wrote:
>
> On Sun, Aug 21, 2011 at 7:53 PM, Khoury <khoury.brazil@gmail.com> wrote:
> > Adding the entry "127.0.0.1 <non-fqdn-hostname>" solved the
> > problem. I suppose that means dns/reverse dns is one of the ways that
> > puppet determines what the node name is (although in my case it
> > appears to be inconsistently applied). I'm just going to make sure the
> > entry is in each host file using puppet. A bit annoying but
> > manageable. It would be nice if there were an option under [agent] to
> > set how it determined the node name though.
>
> Try setting the option certname in the options or add it to
> puppet.conf [agent] or [puppetd] section (dependent on your version).
>
> Thanks,
>
> Nan
>
> --

It actually randomly happened again even with that entry, but with the puppet config push I had added it to the bottom of the file instead of the top where I had it when it fixed it so I'm going to try this for sure. I'm not sure if the position of it in the file matters, but since it seems so random explicitly calling certname definitely seems like the best option.

Thanks!
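
Added example, not part of the thread and not Puppet's own code: a Ruby check over agent console output of the kind quoted in the first message, flagging key or certificate-request generation under a name other than the certname the host is expected to use. The sample lines and the hostname mac01.example.test are constructed for illustration.

```ruby
# Flag agent log lines where Puppet generated a key or CSR under an
# unexpected name (for example 'localhost' instead of the host's certname).

# Colour codes as they appear in console logs, with or without the ESC byte.
ANSI_ESCAPE = /\e?\[\d+(?:;\d+)*m/
CSR_LINE = /Creating a new SSL (key|certificate request) for (\S+)/
# Names that identify no particular machine (assumed list, extend as needed).
GENERIC_NAMES = %w[localhost localhost.localdomain].freeze

# Returns one finding per log line whose key/CSR name differs from the
# expected certname. Each finding is a hash: :kind, :name, :generic.
def unexpected_cert_names(log_lines, expected_certname)
  expected = expected_certname.downcase
  log_lines.each_with_object([]) do |line, findings|
    match = CSR_LINE.match(line.gsub(ANSI_ESCAPE, ''))
    next unless match

    name = match[2].downcase
    next if name == expected

    findings << { kind: match[1], name: name,
                  generic: GENERIC_NAMES.include?(name) }
  end
end

# Constructed sample input, modelled on the console output in the thread.
SAMPLE_LOG = [
  "8/21/11 1:38:03 PM com.reductivelabs.puppet[52] \e[0;32minfo: Creating a new SSL key for localhost \e[0m",
  "8/21/11 1:38:04 PM com.reductivelabs.puppet[52] [0;32minfo: Creating a new SSL certificate request for localhost [0m",
  "8/21/11 1:40:05 PM com.reductivelabs.puppet[52] [0;36mnotice: Did not receive certificate [0m",
  "8/22/11 9:02:11 AM com.reductivelabs.puppet[61] [0;32minfo: Creating a new SSL certificate request for mac01.example.test [0m"
].freeze

if __FILE__ == $PROGRAM_NAME
  unexpected_cert_names(SAMPLE_LOG, 'mac01.example.test').each do |f|
    note = f[:generic] ? ' (generic name, do not sign)' : ''
    puts "unexpected #{f[:kind]} for #{f[:name]}#{note}"
  end
end
```
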