Hi all - my head hurts! ;-)
I am getting this error on my agent host:
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
This is the hosts file entry on the agent:
10.6.176.21 ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet
I did have certificates for the master (ncqd-isghub01) but following
instructions provided by others for addressing them, I removed them:
[root@ncqd-isghub01 ssl]# puppet cert clean ncqd-isghub01.nott.ime.reuters.com
Notice: Revoked certificate with serial 5
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/signed/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Certificate ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/certs/ncqd-isghub01.nott.ime.reuters.com.pem'
Notice: Removing file Puppet::SSL::Key ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/private_keys/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
At this point I realised that on the master host I had the wrong IP address
for itself (it had recently been relocated), so I corrected that and for
safety's sake cleaned out /var/lib/puppet/ssl. I then did the
following:
*Master as agent:*
[root@ncqd-isghub01 ssl]# puppet agent --waitforcert 60 --test
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for ncqd-isghub01.nott.ime.reuters.com
Info: Certificate Request fingerprint (SHA256): BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
*Master as master:*
[root@ncqd-isghub01 ssl]# puppet cert list
"ncqd-isghub01.nott.ime.reuters.com" (SHA256) BA:B0:EA:05:69:A3:A9:AB:A6:54:F9:9C:72:7F:49:DA:92:A7:12:A4:55:F3:F5:A8:86:23:10:FB:74:FA:CC:2D
[root@ncqd-isghub01 ssl]# puppet cert sign ncqd-isghub01.nott.ime.reuters.com
Notice: Signed certificate request for ncqd-isghub01.nott.ime.reuters.com
Notice: Removing file Puppet::SSL::CertificateRequest ncqd-isghub01.nott.ime.reuters.com at '/var/lib/puppet/ssl/ca/requests/ncqd-isghub01.nott.ime.reuters.com.pem'
[root@ncqd-isghub01 ssl]#
*Master as agent:*
Info: Caching certificate for ncqd-isghub01.nott.ime.reuters.com
*Warning: Unable to fetch my node definition, but the agent run will continue:*
[Not sure why this is reported – it’s defined in /etc/puppet/manifest/nodes.pp and site.pp has import “nodes”, but it appears not to be relevant]
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com] Could not retrieve file metadata for puppet://ncqd-isghub01.nott.ime.reuters.com/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate signature failure for /CN=ncqd-isghub01.nott.ime.reuters.com]
[root@ncqd-isghub01 ssl]#
Now why would it be unable to verify the certificate it’s just signed?
I then tried using my normal test agent, expecting the certificate request
to be generated anew, as I’d blitzed it earlier:
*Master as agent:*
[root@ncqd-isghub01 ssl]# puppet cert list --all
+ "ncqd-isghub01.nott.ime.reuters.com" (SHA256) 1B:52:34:96:F7:49:06:EB:AD:96:78:70:FF:96:72:D3:F2:EC:43:4B:93:20:F5:4B:F4:96:42:EE:B2:10:64:FD
[root@ncqd-isghub01 ssl]#
*Normal agent:*
[11673](root@ntm-igdev02)/etc/puppet: puppet agent --waitforcert 60 --test
info: Retrieving plugin
info: Caching catalog for ntm-igdev02.nott.ime.reuters.com
info: Applying configuration version '1370523314'
notice: /Stage[main]/Testfiles/File[/tmp/test1]/content:
--- /tmp/test1 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1g9ifbr-0 Thu Jun 6 14:18:34 2013
@@ -1,0 +1,1 @@
+this is file test1
err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: /Stage[main]/Testfiles/File[/tmp/test2]/content:
--- /tmp/test2 Tue Jun 4 10:38:59 2013
+++ /tmp/puppet-file20130606-25892-1xfiqif-0 Thu Jun 6 14:18:37 2013
@@ -1,0 +1,1 @@
+this is file test2
err: /Stage[main]/Testfiles/File[/tmp/test2]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}949590d5e84741aa3e8e84ccb3a062d5 failed: Could not back up /tmp/test2: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com
notice: Finished catalog run in 6.33 seconds
[11674](root@ntm-igdev02)/etc/puppet:
So as far as the real agent is concerned, I’m back where I started and I
don’t see why a new certificate request wasn’t generated – I still only
have the one for the master. Also, why doesn’t the master recognise its own
certificate?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
First off, are you running open source puppet or puppetlabs? I understand there is a difference... and most instructions do not include restarting the pe-http daemon so you have stale data in there. This is what I did:

Certificate problems

On Client:

cd /etc/puppetlabs/puppet/ssl
rm -rf ca certs public_keys certificate_requests private_keys   # make sure all files removed from SSL dir
puppet agent -t   # this will run a few minutes the first time.

On server:

puppet cert clean server11.fqdn.com   # against clients
puppet cert list
/etc/init.d/pe-httpd restart
puppet cert list
puppet cert sign -a   # if you recognize all the servers in your cert list.
On Thu, Jun 6, 2013 at 7:52 AM, Andthepharaohs <puhelin09@gmail.com> wrote:
> Hi all - my head hurts! ;-)
>
> I am getting this error on my agent host:
>
> err: /Stage[main]/Testfiles/File[/tmp/test1]/content: change from {md5}d41d8cd98f00b204e9800998ecf8427e to {md5}6be3210bf77dea7c998e13ba69e5f06e failed: Could not back up /tmp/test1: Server hostname 'ncqd-isghub01' did not match server certificate; expected one of ncqd-isghub01.nott.ime.reuters.com, DNS:ncqd-isghub01.nott.ime.reuters.com, DNS:puppet, DNS:puppet.nott.ime.reuters.com

You are connecting to the master using the option --server 'ncqd-isghub01', but did not list that in the dns_alt_names option when you generated the master cert.

See http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificate and follow "Are Agents Contacting the Master at a Valid DNS Name?".

Nan
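The hostname check behind the reply above, as an added example (not part of the thread and not Puppet's own code): it builds a throwaway self-signed certificate carrying the subject and DNS alt names printed in the error message, then runs Ruby's standard OpenSSL::SSL.verify_certificate_identity against each name from the agent's hosts entry. The key, the certificate and the helper names are constructed for illustration.

```ruby
require 'openssl'

# Names taken from the error message in the thread: the certificate CN and
# the DNS subjectAltName entries the master's certificate carries.
MASTER_CN = 'ncqd-isghub01.nott.ime.reuters.com'
MASTER_SANS = %w[
  ncqd-isghub01.nott.ime.reuters.com
  puppet
  puppet.nott.ime.reuters.com
].freeze

# Names the agent could use for the master, from its hosts file entry.
HOSTS_ENTRY_NAMES = %w[ncqd-isghub01.nott.ime.reuters.com ncqd-isghub01 puppet].freeze

# Build a throwaway self-signed certificate (constructed for this example
# only) with the given CN and DNS alt names.
def build_cert(cn, dns_names)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  san = dns_names.map { |n| "DNS:#{n}" }.join(',')
  cert.add_extension(ef.create_extension('subjectAltName', san, false))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# DNS names listed in the certificate's subjectAltName extension.
def dns_alt_names(cert)
  ext = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  return [] unless ext
  ext.value.split(',').map(&:strip).grep(/\ADNS:/).map { |v| v.sub('DNS:', '') }
end

# For each candidate server name, report whether the TLS hostname check passes.
def check_names(cert, candidates)
  candidates.to_h { |name| [name, OpenSSL::SSL.verify_certificate_identity(cert, name)] }
end

# Names the agent may use that the certificate does not cover.
def uncovered_names(cert, candidates)
  check_names(cert, candidates).reject { |_, ok| ok }.keys
end

if __FILE__ == $PROGRAM_NAME
  cert = build_cert(MASTER_CN, MASTER_SANS)
  puts "certificate covers: #{dns_alt_names(cert).join(', ')}"
  check_names(cert, HOSTS_ENTRY_NAMES).each do |name, ok|
    puts format('%-40s %s', name, ok ? 'ok' : 'MISMATCH')
  end
end
```

Only the short name fails: a certificate is matched on the exact names it lists, so the short name passes only once it is added to the alt names when the master's certificate is generated, or once the agent is pointed at a name already listed.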
I'm trying to create config files from an array of hostnames,
specifically from the param 'stor_host' -
My Hiera data -
s_storage::params::storage_partition:
  1:
    storage_vip: ''
    num_shards: 1
    storage_db: hsqlstor01
    replagent_host: ''
    replagent_metrics_port: ''
    file_deleter_host: hfdel01
    file_deleter_metrics_port: '6266'
    instance_deleter_host: ''
    instance_deleter_metrics_port: ''
    stor_host:
      - hstor00
      - hstor01
  2:
    storage_vip: '0000'
    num_shards: 64
    storage_db: hdbstor114
    replagent_host: hrepl02
    replagent_metrics_port: '21009'
    file_deleter_host: hfdel01
    file_deleter_metrics_port: '6250'
    instance_deleter_host: hidel01
    instance_deleter_metrics_port: '6450'
    stor_host: 'node01, node02'
My code -
define sugarsync_storage::partition (
  $storage_vip,
  $num_shards,
  $storage_db,
  $replagent_host,
  $replagent_metrics_port,
  $instance_deleter_host,
  $instance_deleter_metrics_port,
  $file_deleter_host,
  $file_deleter_metrics_port,
  $stor_host,
) {
  tag('config')
  $storage_partition = $sugarsync_storage::storage_partition
  storhost_lookup {"${stor_host}":}
} # Class sugarsync_storage::partition

define storhost_lookup () {
  file { "${app_dir}/${app_name}/etc/props/${hostname}-00.stor.props":
    ensure  => 'file',
    content => template('sugarsync_storage/storage_instance.erb'),
    owner   => 'scserver',
    group   => 'scserver',
    mode    => '0755',
  }
}
I get the following error when I execute the puppet run -
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Duplicate declaration: File[//etc/props/node01-00.stor.props] is already
declared in file /etc/puppet/modules/sugarsync_storage/manifests/partition.pp at
line 25; cannot redeclare on node node01.home.local
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
I'm stuck figuring out where the duplicate is coming from.
Thanks for any assistance.
Matt
Many thanks, Nan - I'll try that in the morning.

Regards,
Sam

On 6 June 2013 17:50, Nan Liu <nan.liu@gmail.com> wrote:
> You are connecting to the master using the option --server 'ncqd-isghub01', but did not list that in the dns_alt_names option when you generated the master cert.
>
> See http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificate and follow "Are Agents Contacting the Master at a Valid DNS Name?".
>
> Nan

--
/Sam
Thanks Dan (I'm running puppet) and Nan - I regenerated the certificate, but still had problems - removing the ssl directory was not a good idea! I've decided to reinstall from scratch, as I can then ensure a clean system and document the details. I will close this when I have it up and running, but it may be a while as I'm being diverted to other work and am on holiday soon. Thanks for your prompt help!