Rainer Bendig
2013-Jan-29 07:40 UTC
[Puppet Users] Puppet Agent does not connect to master
Hi,

we are running several debian squeeze (64 bit, no backports) and a puppetmaster (3.0.2).

now i wanted to upgrade the agents from 3.0.1 to 3.0.2, and got stuck... the "new" 3.0.2 agents don't connect to the master... 3.0.1 agents still do... i run puppet master in debug mode, and didn't see any communications between agent and master... "puppet" and "puppet.foo.bar" are both resolving to the right puppet host, the machines are on the same subnet, and did work under 3.0.1 ;(

the error from the 3.0.2 agents is

root@jenkins:~# puppet agent --verbose --no-daemonize
Notice: Starting Puppet client version 3.0.2
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet.foo.bar]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet..foo.bar]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet..foo.bar] Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet.foo.bar]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet.foo.bar]
Notice: Using cached catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=puppet.foo.bar]
/usr/lib/ruby/vendor_ruby/puppet/agent.rb:89:in `exit': no implicit conversion from nil to integer (TypeError)
        from /usr/lib/ruby/vendor_ruby/puppet/agent.rb:89:in `run_in_fork'
        from /usr/lib/ruby/vendor_ruby/puppet/agent.rb:86:in `fork'
        from /usr/lib/ruby/vendor_ruby/puppet/agent.rb:86:in `run_in_fork'
        from /usr/lib/ruby/vendor_ruby/puppet/agent.rb:41:in `run'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:175:in `call'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:175:in `controlled_run'
        from /usr/lib/ruby/vendor_ruby/puppet/agent.rb:39:in `run'
        from /usr/lib/ruby/vendor_ruby/puppet/daemon.rb:205:in `run_event_loop'
        from /usr/lib/ruby/vendor_ruby/puppet/daemon.rb:167:in `loop'
        from /usr/lib/ruby/vendor_ruby/puppet/daemon.rb:167:in `run_event_loop'
        from /usr/lib/ruby/vendor_ruby/puppet/daemon.rb:145:in `start'
        from /usr/lib/ruby/vendor_ruby/puppet/application/agent.rb:357:in `main'
        from /usr/lib/ruby/vendor_ruby/puppet/application/agent.rb:313:in `run_command'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:346:in `run'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:438:in `plugin_hook'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:346:in `run'
        from /usr/lib/ruby/vendor_ruby/puppet/util.rb:496:in `exit_on_fail'
        from /usr/lib/ruby/vendor_ruby/puppet/application.rb:346:in `run'
        from /usr/lib/ruby/vendor_ruby/puppet/util/command_line.rb:87:in `execute'
        from /usr/bin/puppet:4

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
jcbollinger
2013-Jan-29 16:16 UTC
[Puppet Users] Re: Puppet Agent does not connect to master
On Tuesday, January 29, 2013 1:40:17 AM UTC-6, Rainer Bendig wrote:
>
> Hi,
>
> we are running several debian squeeze (64 bit, no backports) and a
> puppetmaster (3.0.2).
>
> now i wanted to upgrade the agents from 3.0.1 to 3.0.2, and got stuck...
> the "new" 3.0.2 agents don't connect to the master... 3.0.1 agents still
> do... i run puppet master in debug mode, and didn't see any communications
> between agent and master... "puppet" and "puppet.foo.bar" are both
> resolving to the right puppet host, the machines are on the same subnet,
> and did work under 3.0.1 ;(
>
> the error from the 3.0.2 agents is
>
> [...]
> [certificate signature failure for /CN=puppet..foo.bar] Could not retrieve
> file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed:
> [certificate signature failure for /CN=puppet.foo.bar]
> [...]
>

Look for differences in puppet.conf between broken and working clients. Especially make sure that the broken clients are pointed at the correct master. Also verify that the clients' and master's clocks are synchronized.

If none of that reveals the problem, then probably the upgrades clobbered part of the clients' SSL configuration. I can't speak to how or why that happened, but to go forward you probably need to re-establish trust between clients and master. To do so on an affected client:

1. Shut down the Puppet agent
2. Revoke and remove the client certificate from the master, via "puppet ca"
3. Blow away the *client's* SSL directory, normally /var/lib/puppet/ssl
4. Restart the agent, possibly with the --waitforcert option turned on
5. Sign the client's new certificate request via "puppet ca" (on the master)

John
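
Added example (not part of the thread, and not Puppet's own code): one condition that yields the exact "certificate signature failure" text in the agent log is an agent trusting a CA certificate that has the right name but a different key from the CA that signed the master's certificate. The sketch reproduces this in memory with Ruby's OpenSSL bindings; the CA name and all keys are constructed sample values, and it does not establish that this was the cause in the case above.

```ruby
require "openssl"

CA_NAME = "/CN=Puppet CA: puppet.foo.bar" # constructed sample name

# Build a certificate; self-signed unless an issuer certificate and key are given.
def make_cert(subject, key, issuer_cert: nil, issuer_key: nil, ca: false, serial: 1)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = issuer_cert || cert
  constraint = ca ? "CA:TRUE" : "CA:FALSE"
  cert.add_extension(ef.create_extension("basicConstraints", constraint, true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new("SHA256"))
  cert
end

def new_ca
  key = OpenSSL::PKey::RSA.new(2048)
  [make_cert(CA_NAME, key, ca: true), key]
end

def fingerprint(cert)
  OpenSSL::Digest::SHA256.hexdigest(cert.to_der)
end

# Verify the way an agent does: trust only the locally cached CA certificate.
def verify_against(ca_cert, server_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  [store.verify(server_cert), store.error_string]
end

def demo
  master_ca, master_ca_key = new_ca # CA that signs the master's certificate
  stale_ca, = new_ca                # same name, different key (mismatched agent copy)
  server = make_cert("/CN=puppet.foo.bar", OpenSSL::PKey::RSA.new(2048),
                     issuer_cert: master_ca, issuer_key: master_ca_key, serial: 2)
  { good: verify_against(master_ca, server),
    stale: verify_against(stale_ca, server),
    same_fingerprint: fingerprint(master_ca) == fingerprint(stale_ca) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

On a real agent the same fingerprint comparison applies to the CA certificate cached under the client's SSL directory and the CA certificate on the master; a mismatch there is consistent with the re-establish-trust steps John lists.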