Jcduss
2012-Apr-02 15:27 UTC
[Puppet Users] PuppetMaster doesn't trust Puppet Agent on the same host
Dear All,

I've got troubles with my puppet master which doesn't trust its own agent working on the same machine. This master already has about 50 clients running on different servers and different versions of the puppet client, and it works like a charm on them.

Master is installed with passenger on a stable debian squeeze:

    ii puppet 2.6.2-5+squeeze4
    ii puppet-common 2.6.2-5+squeeze4
    ii puppetmaster 2.6.2-5+squeeze4

I tried different names for my agent (with a puppetca --clean <NODES> each time). And each time I get a

    "err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client"

Agent is configured like this:

    [agent]
    server=puppet.mydomain.lan
    certname=puppet.mydomain.lan
    report=true

This can't be a date issue, this is the same host for client and server; certificates have also been reviewed and the dates are OK with openssl.

My hosts file is configured like this:

    127.0.0.1 localhost.localdomain localhost
    192.168.1.11 puppet puppet.mydomain.lan

I tried the tricks with the link in the openssl dir in http://projects.puppetlabs.com/issues/8858 without success.

What should I mess?

Thank you,
JC.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Denmat
2012-Apr-02 20:37 UTC
Re: [Puppet Users] PuppetMaster doesn't trust Puppet Agent on the same host
Hi,

What happens if you move certname to [main] instead?

Cheers,
Den
Jcduss
2012-Apr-03 07:21 UTC
[Puppet Users] Re: PuppetMaster doesn't trust Puppet Agent on the same host
Hi,

Thank you,

Then if I change it to [main] after cleaning the puppet.mydomain.com certs, I get this:

    info: Creating a new SSL key for puppet.mydomain.com
    warning: peer certificate won't be verified in this SSL session
    err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
    Exiting; failed to retrieve certificate and waitforcert is disabled

If I make a puppetca --list --all, I can't see the puppet.mydomain.com request and so I can't sign it.

Regards,
JC.
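The "certificate verify failed" error quoted in the first message mentions clock skew, but OpenSSL reports the same failure when a certificate with valid dates does not chain to the CA file the client trusts. The script below is an added example, not from any poster in this thread: it builds two throwaway CAs with openssl and runs both checks; every path, CA name and function name in it is constructed for illustration.

```shell
#!/bin/sh
# Added illustration with constructed, throwaway CAs and certificates.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca DIR: create a self-signed CA key and certificate in DIR.
make_ca() {
    mkdir -p "$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/CN=Example CA" \
        -keyout "$1/ca_key.pem" -out "$1/ca.pem" 2>/dev/null
}

# issue_cert CA_DIR CN OUT: sign a certificate for CN with the CA in CA_DIR.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$3.key" -out "$3.csr" 2>/dev/null
    openssl x509 -req -in "$3.csr" -days 30 -CAcreateserial \
        -CA "$1/ca.pem" -CAkey "$1/ca_key.pem" -out "$3" 2>/dev/null
}

# dates_ok CERT: succeed if CERT has not expired.
dates_ok() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null
}

# chain_ok CA_CERT CERT: succeed if CERT verifies against CA_CERT.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# diagnose TRUSTED_CA CERT: print expired, untrusted-issuer or ok.
diagnose() {
    if ! dates_ok "$2"; then echo expired
    elif ! chain_ok "$1" "$2"; then echo untrusted-issuer
    else echo ok
    fi
}

# Constructed scenario: the client still trusts the CA file from old_ca, but
# the served certificate was issued by a regenerated CA with the same name.
make_ca "$WORK/old_ca"
make_ca "$WORK/new_ca"
issue_cert "$WORK/new_ca" puppet.mydomain.lan "$WORK/master.pem"

diagnose "$WORK/old_ca/ca.pem" "$WORK/master.pem"
diagnose "$WORK/new_ca/ca.pem" "$WORK/master.pem"
```

On a real host the same two checks apply to the CA file the agent trusts and the certificate the master actually serves.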