So I come in to work monday only to find that none of our puppet clients are working. When I run puppetd -t I get these errors: http://pastebin.com/6iwhG2Y2 I go to the puppet master server and look at /var/log/puppet/ masterhttp.log and see a bunch of these openssl errors: http://pastebin.com/1jgVX4ui I checked and made sure the time and date was the exact same across all the servers and even tried restarting it but to no avail. Is this an issue with webrick or puppetmaster or the puppet clients? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
> Is this an issue with webrick or puppetmaster or the puppet clients?Try to resign any of your certs manually? -- Krish OlinData.com -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I have the puppet master set up to auto sign them. I did a puppetca -- clean FQDN and tried to readd it but I get the same issue. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Feb 20, 2012 at 9:50 PM, Digital Ninja <dsw.ninjaboy@gmail.com>wrote:> I have the puppet master set up to auto sign them. I did a puppetca -- > clean FQDN and tried to readd it but I get the same issue. > >If you clean the cert on the server side, then you need to blow away the $ssldir on the client side too. On a test client, run `puppet config print ssldir` to get the path where the ssl information is being stored client-side. Remove that directory and then try running puppet agent -t again to concat the master and generate a csr. The master should auto-sign and you should be good. I would definitely encourage you to look towards using something other than Webrick in this situation. You also mentioned that the time on the master/agents WAS synced? It''s not off by any significant amount?> -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-users@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscribe@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > >-- Gary Larizza Professional Services Engineer Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
*CONTACT and not ''concat'' On Mon, Feb 20, 2012 at 10:01 PM, Gary Larizza <gary@puppetlabs.com> wrote:> > > On Mon, Feb 20, 2012 at 9:50 PM, Digital Ninja <dsw.ninjaboy@gmail.com>wrote: > >> I have the puppet master set up to auto sign them. I did a puppetca -- >> clean FQDN and tried to readd it but I get the same issue. >> >> > If you clean the cert on the server side, then you need to blow away the > $ssldir on the client side too. On a test client, run `puppet config print > ssldir` to get the path where the ssl information is being stored > client-side. Remove that directory and then try running puppet agent -t > again to concat the master and generate a csr. The master should auto-sign > and you should be good. > > I would definitely encourage you to look towards using something other > than Webrick in this situation. > > You also mentioned that the time on the master/agents WAS synced? It''s > not off by any significant amount? > > > >> -- >> You received this message because you are subscribed to the Google Groups >> "Puppet Users" group. >> To post to this group, send email to puppet-users@googlegroups.com. >> To unsubscribe from this group, send email to >> puppet-users+unsubscribe@googlegroups.com. >> For more options, visit this group at >> http://groups.google.com/group/puppet-users?hl=en. >> >> > > > -- > > Gary Larizza > Professional Services Engineer > Puppet Labs > >-- Gary Larizza Professional Services Engineer Puppet Labs -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Mon, Feb 20, 2012 at 7:24 PM, Digital Ninja <dsw.ninjaboy@gmail.com> wrote:> So I come in to work monday only to find that none of our puppet > clients are working. > When I run puppetd -t I get these errors: http://pastebin.com/6iwhG2Y2 > > I go to the puppet master server and look at /var/log/puppet/ > masterhttp.log and see a bunch of these openssl errors: http://pastebin.com/1jgVX4ui > > I checked and made sure the time and date was the exact same across > all the servers and even tried restarting it but to no avail. > > Is this an issue with webrick or puppetmaster or the puppet clients?How old is your CA cert? Did your CA expire by any chance? Nan -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
> How old is your CA cert? Did your CA expire by any chance?I guess this is the golden question. I''m not really sure. I''m not 100% on how webrick even serves the ssl. From all my checking it seems open ssl used /usr/lib/ssl openssl version -d OPENSSLDIR: "/usr/lib/ssl" Is this the correct ssl to be checking? -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
100% correct. /var/lib/puppet//ssl was my issue. On Feb 21, 12:01 am, Gary Larizza <g...@puppetlabs.com> wrote:> On Mon, Feb 20, 2012 at 9:50 PM, Digital Ninja <dsw.ninja...@gmail.com>wrote: > > > I have the puppet master set up to auto sign them. I did a puppetca -- > > clean FQDN and tried to readd it but I get the same issue. > > If you clean the cert on the server side, then you need to blow away the > $ssldir on the client side too. On a test client, run `puppet config print > ssldir` to get the path where the ssl information is being stored > client-side. Remove that directory and then try running puppet agent -t > again to concat the master and generate a csr. The master should auto-sign > and you should be good. > > I would definitely encourage you to look towards using something other than > Webrick in this situation. > > You also mentioned that the time on the master/agents WAS synced? It''s not > off by any significant amount? > > > -- > > You received this message because you are subscribed to the Google Groups > > "Puppet Users" group. > > To post to this group, send email to puppet-users@googlegroups.com. > > To unsubscribe from this group, send email to > > puppet-users+unsubscribe@googlegroups.com. > > For more options, visit this group at > >http://groups.google.com/group/puppet-users?hl=en. > > -- > > Gary Larizza > Professional Services Engineer > Puppet Labs-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.