I am deploying a new puppetmaster. I have old puppet nodes running. The old master is completely gone.

On the puppet client:

    sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

But "name or service not known", so I edited /etc/hosts, added *ip_address puppetmaster* to the hosts file.
I ran again, now SSL problem:

    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

I removed /var/lib/puppet/ssl and /etc/puppet/ssl/, and it gave me this: http://pastebin.com/mc1dbXdH
Been 5 minutes, I cancelled it, realized it wouldn't go anywhere...

Then I tried this on the master:

    sudo puppetca --sign server1

It said...

    err: Could not call revoke: Could not find a serial number for server1

Did this....

    sudo puppetca --sign giab10
    err: Could not call sign: Could not find certificate request for giab10

    sudo puppetca --list --all
    + my_puppet_master (fingerprint value goes here....)

What should I do? Neither is contacting the other? Please help? Thanks

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/wnpR1A1VUyQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Okay. I can sign now..

    sudo puppetca -s server1

Did this on master, and then ran the test command on agent... it will throw:

    sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for server1
    err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

On Wednesday, June 13, 2012 4:20:49 PM UTC-4, repoman wrote:
> I am deploying a new puppetmaster. I have old puppet nodes running. The old master is completely gone.
----- Original Message -----
| Okay. I can sign now..
| sudo puppetca -s server1
| Did this on master, and then ran the test command on agent... it will throw
|
| sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose
|
| warning: peer certificate won't be verified in this SSL session
| info: Caching certificate for server1
| err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
| warning: Not using cache on failed catalog
| err: Could not retrieve catalog; skipping run

I just finished a migration and the issues I ran into were making sure that the DNS names resolved correctly to the new host and that the new host SSL key was signed by the original CA.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
E-Mail : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier
On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:
> err: Could not retrieve catalog from remote server: hostname was not match with the server certificate

Hey, repoman,

This is a dns_alt_names problem. (Setting info: http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames)

Short version is that the hostname you contact the puppet master at MUST be included in its SSL certificate. By default, only the master's certname and the special default hostname "puppet" are included. If "puppetmaster" isn't the certname of your master (check by running puppet master --configprint certname), you'll need to either re-generate its cert or configure agents to use one of the names in its certificate.

To view the cert and confirm that "puppetmaster" isn't in it:

    puppet cert print (whatever the master's certname is)

To regenerate the master's cert:

    puppet cert clean (whatever the master's certname is)
    puppet cert generate --dns_alt_names puppetmaster (whatever the master's certname is)
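As an added illustration of the point above (this is not code from the thread or from Puppet itself), the Ruby script below builds a self-signed certificate the way the master's is described: the certname as CN and the dns_alt_names as X509v3 Subject Alternative Name entries. It then runs the same identity check an agent performs against the name it connected to, so you can see that "master" and "puppetmaster" match while a name absent from the SAN list, such as "puppet", does not. The certname and alt names are constructed values for the example.

```ruby
require 'openssl'

# Build a self-signed cert with the certname as CN and the certname plus
# every dns_alt_names entry as DNS: SAN entries. Constructed for
# illustration; Puppet's own CA signs the master cert with its CA key.
def build_master_cert(certname, dns_alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3, required for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  sans = ([certname] + dns_alt_names).map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', sans))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The DNS names in the SAN extension, i.e. the line tas read out of
# master.pem ("X509v3 Subject Alternative Name: DNS:master, DNS:puppetmaster").
def san_dns_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# The post-handshake hostname check: true only if the name the agent used
# for --server appears in the certificate's SAN list (Ruby's stdlib does the
# matching, which is what the agent's TLS layer relies on as well).
def name_matches_cert?(cert, server_name)
  OpenSSL::SSL.verify_certificate_identity(cert, server_name)
end

if __FILE__ == $0
  cert = build_master_cert('master', ['puppetmaster'])
  puts "SAN: #{san_dns_names(cert).join(', ')}"
  %w[master puppetmaster puppet].each do |name|
    verdict = name_matches_cert?(cert, name) ? 'matches' : 'hostname was not match with the server certificate'
    puts "--server #{name}: #{verdict}"
  end
end
```

Regenerating the cert with `--dns_alt_names puppetmaster` is what puts the second DNS: entry into the SAN list; without it, only the certname matches.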
Hi Nick and James,

You want me to do that on Master? I just did. I can't do that on the client.

Master:

    $ puppet master --configprint certname
    master (I am using alias name from now on... you see it is not puppetmaster)
    $ puppet cert clean master
    notice: Revoked certificate with serial 2
    notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/ca/signed/master.pem'
    notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/certs/master.pem'
    notice: Removing file Puppet::SSL::Key master at '/var/lib/puppet/ssl/private_keysmaster.pem'

    $ puppet cert generate --dns_alt_names puppetmaster master
    notice: master has a waiting certificate request
    notice: Signed certificate request for master
    notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/ca/requests/master.pem'
    notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/certificate_requests/master.pem'

Now I see the following in master.pem:

    X509v3 Subject Alternative Name:
        DNS:master, DNS:puppetmaster

But I ran the test again, and it still complains not matched.

Thanks.

On Wednesday, June 13, 2012 5:23:32 PM UTC-4, Nick Fagerlund wrote:
> This is a dns_alt_names problem. (Setting info: http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames)
I am instead opening a new one. I realize I am making a big mess... Thanks thus far.

On Wednesday, June 13, 2012 9:24:16 PM UTC-4, tas wrote:
> Hi Nick and James,
>
> You want me to do that on Master? I just did. I can't do that on the client.