Forrie
2013-Jul-11 18:41 UTC
[Puppet Users] 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I'm having a perplexing problem with Puppet 3.2.2 (agent) on CentOS 6.3. There are two systems, recently built, that exhibit the same problem. I'm using the same, very basic and simple config I have on all of my systems (most of which are CentOS 5). This system has its own ruby and puppet installation (gem), which is the only real difference.

Basically, I can't get the master to generate a certificate. I can telnet to the puppet inbound port, no problem.

Here's what I see:

[ puppet master log ]
10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET /production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-" "-"
10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET /production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-" "-"

[ puppet client log / debug, no-daemonize ]
Debug: Finishing transaction 69955790206320
Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
Info: Caching certificate for ca
Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Notice: Did not receive certificate

I've Googled around for this error, but I don't see a solution to my issue -- I wonder if I'm missing a ruby gem, or if there is generally something wrong with running this on CentOS 6 (that would be odd).

I have tried completely removing /var/lib/puppet on the agent and starting over; that has no effect.

The puppet.conf I'm using on all my systems:

[main]
server = my-server.name.com
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
syslogfacility = local4
report = true
listen = true

Am I missing something? Granted, the older clients are running 2.7.x, so perhaps I've missed something in the upgrade docs and I need to add to the *.conf file.

The master server is running Puppet 3.2.2 under Passenger 4.0.8; all the other clients are connecting just fine. Iptables is not a factor here, either.

Thanks.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
kegstand
2013-Jul-11 18:44 UTC
Re: [Puppet Users] 3.2.2 on CentOS 6.3, and "Did not receive certificate"
You should be running puppet version 2 clients with puppetmaster version 2. You should be running puppet version 3 clients with puppetmaster version 3.

On Thu, Jul 11, 2013 at 11:41 AM, Forrie <forrie@gmail.com> wrote:
> [ ... ]
Forrie
2013-Jul-11 18:47 UTC
Re: [Puppet Users] 3.2.2 on CentOS 6.3, and "Did not receive certificate"
The CentOS systems I built are 3.2.2 and the master is 3.2.2. The older clients are working fine; they are being upgraded once I solve this issue.

On Thursday, July 11, 2013 2:44:58 PM UTC-4, Dan wrote:
> You should be running puppet version 2 clients with puppetmaster version 2.
> You should be running puppet version 3 clients with puppetmaster version 3.
>
> On Thu, Jul 11, 2013 at 11:41 AM, Forrie <for...@gmail.com> wrote:
>> [ ... ]
Pete Brown
2013-Jul-16 02:27 UTC
Re: [Puppet Users] 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On 12/07/2013 4:45 AM, "kegstand" <kegstand@gmail.com> wrote:
> You should be running puppet version 2 clients with puppetmaster version 2.
> You should be running puppet version 3 clients with puppetmaster version 3.

Actually puppet 2.x nodes will talk to a puppet 3.x master. As long as the puppet master is equal or higher version it should just work.

> On Thu, Jul 11, 2013 at 11:41 AM, Forrie <forrie@gmail.com> wrote:
>> [ ... ]
Yaniv Kaul
2013-Jul-16 06:47 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Thursday, July 11, 2013 9:41:26 PM UTC+3, Forrie wrote:
> [ ... ]

I have exactly the same issue, on CentOS 6.4. Packages:

[root@foreman ~]# rpm -qa |grep puppet
puppet-3.2.2-1.el6.noarch
puppet-server-3.2.2-1.el6.noarch
ruby193-puppet-3.1.1-6.el6.noarch
puppetlabs-release-6-7.noarch

I'm unsure how I debug this on the master side. tcpdump shows an SSL connection between the client and the server taking place, but that's about it.

Y.
jcbollinger
2013-Jul-16 16:02 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Thursday, July 11, 2013 1:41:26 PM UTC-5, Forrie wrote:
> I'm having a perplexing problem with Puppet 3.2.2 (agent) on CentOS 6.3. There are two systems, recently built, that exhibit the same problem. I'm using the same, very basic and simple config I have on all of my systems (most of which are CentOS 5). This system has its own ruby and puppet installation (gem), which is the only real difference.

I urge you to avoid using gem to manage packages on any system that has a decent native package manager (such as CentOS 6.3). It constitutes a basic system management problem to have multiple package managers with overlapping areas of responsibility. Have you considered using the RHEL/CentOS/etc. RPMs packaged by PuppetLabs? PL maintains its own yum repository to make this easy; see http://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html.

> Basically, I can't get the master to generate a certificate. I can telnet to the puppet inbound port, no problem.
>
> Here's what I see:
>
> [ puppet master log ]
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET /production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-" "-"
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET /production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-" "-"
>
> [ puppet client log / debug, no-daemonize ]
> Debug: Finishing transaction 69955790206320
> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
> Info: Caching certificate for ca
> Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Notice: Did not receive certificate

And your master is configured to autosign certificates? Because that's not the default, and you didn't say anything about signing them manually. You can check whether there are any outstanding certificate requests by running

puppet cert list

on the master.

In fact, did you recently upgrade your master to its current version? As in, since the working clients were issued their certs? If so, then perhaps the upgrade somehow reset the master's certificate management configuration to the default of not autosigning.

> [ ... ]
>
> Am I missing something? Granted, the older clients are running 2.7.x, so perhaps I've missed something in the upgrade docs and I need to add to the *.conf file. The master server is running Puppet 3.2.2 under Passenger 4.0.8, all the other clients are connecting just fine. Iptables is not a factor here, either.

I am disinclined to think that the problem is actually at the agent. That the other agents are working is not a counterindication, for the place where the process seems to be failing is outside the path that is ordinarily traversed in servicing catalog requests.

John
Forrie
2013-Jul-16 21:32 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
We are not configured to auto-sign certificates.

Clearly, the client is making a connection to the master:

10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"

Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this particular agent. I've tried starting clean/fresh on the agent (removing /var/lib/puppet) and that has no effect. The older clients are working just fine.

puppet cert list continues to not see the inbound request from this particular agent.

Our auth.conf certificate rules are fairly standard:

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master's certificate
path /certificate/ca
auth any
method find
allow *

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Unless something changed between versions that I missed, I believe this should be working. I even hard-coded the servername in the puppet.conf, which has no effect on this agent.

The logs above suggest it's looking for the actual certificate, but I don't see the request in the "puppet cert list" queue. Very puzzled.

Thanks.

[ .. ]
> And your master is configured to autosign certificates? Because that's not the default, and you didn't say anything about signing them manually. You can check whether there are any outstanding certificate requests by running
>
> puppet cert list
>
> on the master.
>
> In fact, did you recently upgrade your master to its current version? As in, since the working clients were issued their certs? If so, then perhaps the upgrade somehow reset the master's certificate management configuration to the default of not autosigning.
>
> [ ... ]
Forrie
2013-Jul-16 21:36 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Our Master (server) cert has remained intact, last installed on Nov 2 2011. So I don't believe that's the issue.
jcbollinger
2013-Jul-17 15:00 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
> We are not configured to auto-sign certificates.
>
> Clearly, the client is making a connection to the master:
>
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>
> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this particular agent. I've tried starting clean/fresh on the agent (removing /var/lib/puppet) and that has no effect. The older clients are working just fine.
>
> puppet cert list continues to not see the inbound request from this particular agent.

Well, that at least narrows it down. The master is not recognizing the client's certificate-signing request, or is refusing to service it. Does the master already have a signed certificate for this client (or at least one bearing the requested certname)? "puppet cert list --all" should tell you.

If so, then there are two possibilities:
(1) the master signed the current client's current certificate, but is refusing to serve up the signed certificate. This seems unlikely to me, but it cannot be altogether discounted.
(2) the signed certificate does not correspond to the certificate-signing request currently being presented by the agent (maybe it is an old cert signed for a different machine with the same name), so the master refuses to provide it to the agent.

If (2) applies, then you should revoke then remove the old cert via "puppet cert", then try again to connect the agent.

Alternatively, is there any chance you have multiple copies of the master installed? (Maybe one via RPM and a separate one via gem?) If that's the case, then perhaps the master the agent is talking to is different from the one that comes first in your shell's executable path. That could wreak all sorts of havoc, including misleading you about the relevant certs and CSRs.

John
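The two checks John describes, as an added shell example that is not from the thread and is not Puppet's own tooling: it reads the CA's request and signed directories directly (assuming the Puppet 3 layout $ssldir/ca/requests and $ssldir/ca/signed, with the master's ssldir defaulting to /var/lib/puppet/ssl as in the puppet.conf above) and counts puppet executables along PATH to expose an RPM-plus-gem double install.

```shell
#!/bin/sh
# Added example, not Puppet's own tooling. Assumes the Puppet 3 CA layout:
#   $ssldir/ca/requests/<certname>.pem  -- CSR waiting for "puppet cert sign"
#   $ssldir/ca/signed/<certname>.pem    -- certificate already issued
# The master's ssldir defaults to /var/lib/puppet/ssl.

# Report what the CA holds for one certname: "signed", "pending" or "absent".
# "absent" is the state behind a 404 on GET /production/certificate/<name>
# while "puppet cert list" shows nothing: no CSR for that name reached this CA.
ca_cert_state() {
    ssldir="$1"
    certname="$2"
    if [ -f "$ssldir/ca/signed/$certname.pem" ]; then
        echo "signed"
    elif [ -f "$ssldir/ca/requests/$certname.pem" ]; then
        echo "pending"
    else
        echo "absent"
    fi
}

# Count executables named "puppet" along a colon-separated search path
# (defaults to $PATH). More than one means the "puppet cert" you run in a
# shell may not be the install that Passenger is serving.
count_puppet_binaries() {
    searchpath="${1:-$PATH}"
    n=0
    oldifs="$IFS"
    IFS=:
    for dir in $searchpath; do
        if [ -n "$dir" ] && [ -x "$dir/puppet" ]; then
            n=$((n + 1))
        fi
    done
    IFS="$oldifs"
    echo "$n"
}

main() {
    ssldir="${1:-/var/lib/puppet/ssl}"
    certname="$2"
    state=$(ca_cert_state "$ssldir" "$certname")
    echo "CA state for $certname: $state"
    case "$state" in
        pending) echo "CSR is waiting; sign it with: puppet cert sign $certname" ;;
        signed)  echo "A cert exists; if it does not match the agent's current CSR, revoke and clean it before retrying" ;;
        absent)  echo "No CSR reached this CA; confirm the agent is talking to this master's ssldir" ;;
    esac
    echo "puppet executables on PATH: $(count_puppet_binaries)"
}

# Usage: ./ca_state.sh /var/lib/puppet/ssl de-prod-archive.ourdomain.com
if [ "$#" -eq 2 ]; then
    main "$@"
fi
```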
Yaniv Kaul
2013-Jul-17 17:25 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Wednesday, July 17, 2013 6:00:49 PM UTC+3, jcbollinger wrote:
> On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
>> [ ... ]
>
> Well, that at least narrows it down. The master is not recognizing the client's certificate-signing request, or is refusing to service it. Does the master already have a signed certificate for this client (or at least one bearing the requested certname)? "puppet cert list --all" should tell you.
>
> If so, then there are two possibilities:
> (1) the master signed the current client's current certificate, but is refusing to serve up the signed certificate. This seems unlikely to me, but it cannot be altogether discounted.
> (2) the signed certificate does not correspond to the certificate-signing request currently being presented by the agent (maybe it is an old cert signed for a different machine with the same name), so the master refuses to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via "puppet cert", then try again to connect the agent.
>
> Alternatively, is there any chance you have multiple copies of the master installed? (Maybe one via RPM and a separate one via gem?) If that's the case, then perhaps the master the agent is talking to is different from the one that comes first in your shell's executable path. That could wreak all sorts of havoc, including misleading you about the relevant certs and CSRs.
>
> John

How do I verify if multiple copies are installed? I'm using Foreman to manage the puppet master on the same host, but I don't think it has caused any issues.

I don't think #1 above is what happened to me; I've tried with a completely new client.

I must emphasize that apart from the CA's certificate, I'm not seeing anything under 'puppet cert --list --all'.

Is there any debug flag I can enable to provide debug output on the master for the signing process?

Y.
Forrie
2013-Jul-17 19:33 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
[ ... ]
> Well, that at least narrows it down. The master is not recognizing the client's certificate-signing request, or is refusing to service it. Does the master already have a signed certificate for this client (or at least one bearing the requested certname)? "puppet cert list --all" should tell you.

There are no other certificates for this new system. I checked recursively in the ssl directory, just to be sure.

> If so, then there are two possibilities:
> (1) the master signed the current client's current certificate, but is refusing to serve up the signed certificate. This seems unlikely to me, but it cannot be altogether discounted.

Not the case.

> (2) the signed certificate does not correspond to the certificate-signing request currently being presented by the agent (maybe it is an old cert signed for a different machine with the same name), so the master refuses to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via "puppet cert", then try again to connect the agent.
>
> Alternatively, is there any chance you have multiple copies of the master installed? (Maybe one via RPM and a separate one via gem?) If that's the case, then perhaps the master the agent is talking to is different from the one that comes first in your shell's executable path. That could wreak all sorts of havoc, including misleading you about the relevant certs and CSRs.

There is only one master running, one agent:

 1149 ?  S   1:19 Passenger RackApp: /etc/puppet/rack/puppetmasterd
 6946 ?  Ss  0:03 /usr/local/bin/ruby /usr/local/bin/puppet agent

What strikes me as odd is this is a fresh system that was installed; there's nothing particularly special about it, other than it's CentOS 6.x versus CentOS 5.x, which are most of the others. It seems one other person posted here who is experiencing similar problems.

What I'm willing to do, as a test case, is configure two new VMs and try a proof-of-bug-or-concept with this. The setup will be simple, one master and one agent; the cert request should be accepted and then manually signed. Though, I think my present configuration is simple enough.

Thanks.
Forrie
2013-Jul-17 20:55 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I'm seeing this error in the logs:

Jul 17 16:37:17 server puppet-agent[17835]: (/File[/var/lib/puppet/lib]) Could not evaluate: Could not retrieve information from environment production source(s) puppet:/server.ourdomain.com/plugins

But I don't believe this is connected to the aforementioned problem.

This was a 2.x system upgraded to 3.x. We went through the painful allow vs allow_ip issue, and everything seems to be working. I did a diff of the GIT puppet repository conf/auth.conf and ours is identical. The only difference we have presently (until I rewrite a bunch of stuff) is in fileserver.conf:

[files]
  path /etc/puppet/files
  # allow *
  allow_ip 10.101.0.0/24
  allow_ip 10.103.0.0/24

We have a bunch of stuff we replicate from that location; again, it seems to be working fine for the older clients.

I also verified that the output of "puppet master --configprint=certname" indeed matches the "servername" variable in our puppet.conf file(s).
jcbollinger
2013-Jul-17 21:08 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Wednesday, July 17, 2013 2:33:22 PM UTC-5, Forrie wrote:
>
> [ ... ]
>> Well, that at least narrows it down. The master is not recognizing the client's certificate-signing request, or is refusing to service it. Does the master already have a signed certificate for this client (or at least one bearing the requested certname)? "puppet cert list --all" should tell you.
>
> There are no other certificates for this new system. I checked recursively in the ssl directory, just to be sure.
>
>> If so, then there are two possibilities:
>> (1) the master signed the current client's current certificate, but is refusing to serve up the signed certificate. This seems unlikely to me, but it cannot be altogether discounted.
>
> Not the case.
>
>> (2) the signed certificate does not correspond to the certificate-signing request currently being presented by the agent (maybe it is an old cert signed for a different machine with the same name), so the master refuses to provide it to the agent.
>>
>> If (2) applies, then you should revoke then remove the old cert via "puppet cert", then try again to connect the agent.
>>
>> Alternatively, is there any chance you have multiple copies of the master installed? (Maybe one via RPM and a separate one via gem?) If that's the case, then perhaps the master the agent is talking to is different from the one that comes first in your shell's executable path. That could wreak all sorts of havoc, including misleading you about the relevant certs and CSRs.
>
> There is only one master running, one agent:
>
>  1149 ?  S   1:19 Passenger RackApp: /etc/puppet/rack/puppetmasterd
>  6946 ?  Ss  0:03 /usr/local/bin/ruby /usr/local/bin/puppet agent

Were I you, I would shut down the puppet agent on the master's system, and test only with a separate client until you get things sorted out.

> What strikes me as odd is this is a fresh system that was installed; there's nothing particularly special about it, other than it's CentOS 6.x versus CentOS 5.x which are most of the others. It seems one other person posted here who is experiencing similar problems.

I still say the problem is more likely with the master than with the agent. My working hypothesis is that when you upgraded the master to v3.2 you broke its certificate-signing functionality. Supposing that the master's CA certificate was carried over during the upgrade, clients that already have certificates don't need new certs, so they continue to work. (And if the CA cert had not been carried over then all existing clients would have needed new certs.) New clients do need signed certs before they can retrieve catalogs, however, so the clients you are trying to deploy now do not work. By this logic, no new client deployment will work against this master, whether it's Puppet3/Cent6, Puppet2/Cent5, or even Puppet3/Cent5. It is therefore irrelevant how similar your new client systems are to the ones already in operation.

John
Forrie
2013-Jul-17 21:24 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
> I still say the problem is more likely with the master than with the agent. My working hypothesis is that when you upgraded the master to v3.2 you broke its certificate-signing functionality. Supposing that the master's CA certificate was carried over during the upgrade, clients that already have certificates don't need new certs, so they continue to work. (And if the CA cert had not been carried over then all existing clients would have needed new certs.) New clients do need signed certs before they can retrieve catalogs, however, so the clients you are trying to deploy now do not work. By this logic, no new client deployment will work against this master, whether it's Puppet3/Cent6, Puppet2/Cent5, or even Puppet3/Cent5. It is therefore irrelevant how similar your new client systems are to the ones already in operation.

Curious, how could I break the CA certificate-signing functionality by upgrading? Wouldn't that be a bug in the upgrade process?

I can install a fresh version of Puppet and see if that works - but, I have too many nodes and thus I need to retain the current certificates that are signed.
jcbollinger
2013-Jul-17 21:32 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Wednesday, July 17, 2013 12:25:18 PM UTC-5, Yaniv Kaul wrote:
>
> How do I verify if multiple copies are installed?

I would suggest using the 'find' command on the master to look for files and directories named 'puppet'. Make sure all the results belong to the same Puppet install. In your case you might pass their full names to "rpm -q -f" to verify that they all come from one or another of your installed RPMs. I don't know whether Forrie installed from RPM; if not, then that part of it will need to be different for him.

> I'm using Foreman to manage the puppet master on the same host, but I don't think it has caused any issues. I don't think #1 above is what happened to me - I've tried with a completely new client.
> I must emphasize that apart from the CA's certificate, I'm not seeing anything under 'puppet cert --list --all'.
> Is there any debug flag I can enable to provide debug output on the master for the signing process?

If you are running the master as a standalone daemon (i.e. using its built-in "webrick" server) then you should be able to start it as

    puppet master --debug

to enable debug logging. If you are running the master under Passenger, then you may be able to turn on debug logging by modifying your config.ru file to pass the --debug option to the master.

John
jcbollinger
2013-Jul-17 22:06 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Wednesday, July 17, 2013 4:24:13 PM UTC-5, Forrie wrote:
>
>> I still say the problem is more likely with the master than with the agent. My working hypothesis is that when you upgraded the master to v3.2 you broke its certificate-signing functionality. Supposing that the master's CA certificate was carried over during the upgrade, clients that already have certificates don't need new certs, so they continue to work. (And if the CA cert had not been carried over then all existing clients would have needed new certs.) New clients do need signed certs before they can retrieve catalogs, however, so the clients you are trying to deploy now do not work. By this logic, no new client deployment will work against this master, whether it's Puppet3/Cent6, Puppet2/Cent5, or even Puppet3/Cent5. It is therefore irrelevant how similar your new client systems are to the ones already in operation.
>
> Curious, how could I break the CA certificate-signing functionality by upgrading? Wouldn't that be a bug in the upgrade process?

In principle, the upgrade could break certificate signing any number of ways. Whether such an event would constitute a bug depends in part on whether yours was a supported upgrade path, but in any event, you cannot discount bugs.

You haven't said how your Puppet master was installed originally or how it was upgraded. You did originally say that your agents were installed as gems, and a recent message added the information that one of those agents is on the same system as the master, so I suppose that the master is provided as part of the same gem.

But wait. You said that the problematic agents were on new-built systems. Have you then transferred the master to a new / rebuilt host as part of this process? (What could possibly go wrong?)

Alternatively, I didn't notice you responding to the possibility that you have two separate Puppet installs. Did you check?

John
Forrie
2013-Jul-17 22:31 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I do not have separate Puppet installs. At the moment, it's been installed via the Gem, so the master and agent are coming from the same code, running on the original host (it was not rebuilt). It is running under Passenger/Apache, presently.
Yaniv Kaul
2013-Jul-18 08:21 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Thursday, July 18, 2013 12:32:22 AM UTC+3, jcbollinger wrote:
>
> On Wednesday, July 17, 2013 12:25:18 PM UTC-5, Yaniv Kaul wrote:
>>
>> How do I verify if multiple copies are installed?
>
> I would suggest using the 'find' command on the master to look for files and directories named 'puppet'. Make sure all the results belong to the same Puppet install. In your case you might pass their full names to "rpm -q -f" to verify that they all come from one or another of your installed RPMs. I don't know whether Forrie installed from RPM; if not, then that part of it will need to be different for him.
>
>> I'm using Foreman to manage the puppet master on the same host, but I don't think it has caused any issues. I don't think #1 above is what happened to me - I've tried with a completely new client.
>> I must emphasize that apart from the CA's certificate, I'm not seeing anything under 'puppet cert --list --all'.
>> Is there any debug flag I can enable to provide debug output on the master for the signing process?
>
> If you are running the master as a standalone daemon (i.e. using its built-in "webrick" server) then you should be able to start it as
>
>     puppet master --debug
>
> to enable debug logging. If you are running the master under Passenger, then you may be able to turn on debug logging by modifying your config.ru file to pass the --debug option to the master.
>
> John
>

I've added debug to my config.ru and suddenly everything works - clients happily register.
I'm not sure if I should be happy or sad, keep the debug or remove it...
Y.
jcbollinger
2013-Jul-18 14:39 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
On Wednesday, July 17, 2013 5:31:47 PM UTC-5, Forrie wrote:
>
> I do not have separate Puppet installs. At the moment, it's been installed via the Gem, so the master and agent are coming from the same code, running on the original host (it was not rebuilt). It is running under Passenger/Apache, presently.
>

Then I'm sorry, I can't follow this. The description of the problem is either too inconsistent or too fragmented.

Fresh installs of Puppet are not known to exhibit the problem you describe, so the issue must have arisen through the upgrade. Since you're using gem, perhaps you have a compatibility problem among the set of gems currently installed. Or back to basics: you DID restart apache/passenger after upgrading the master, right?

If I am to have any hope of being able to do anything further for you, however, then I need a detailed timeline of what was done to Puppet on your site, starting from "everything is running great on Puppet 2.7 / CentOS 5" (or whatever), including which systems were (re)built, what OS and Puppet versions were used, and what problems were observed on which systems.

John
Forrie
2013-Jul-18 19:16 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I upgraded our Puppet master to 3.x a while ago, after the file access issues (allow_ip, etc.) were fixed. I didn't actually test connection of a new client until this past week - where the others are running 2.x agent code and working.

Here are the gems I have presently:

builder (3.2.2)
daemon_controller (1.1.4)
facter (1.7.2)
fastthread (1.0.7)
fcgi (0.9.1)
ffi (1.9.0)
hiera (1.2.1)
json (1.8.0)
json_pure (1.8.0)
libvirt-ruby (1.0.2)
passenger (4.0.8)
puppet (3.2.3)
puppet-lint (0.3.2)
puppet-module (0.3.4)
rack (1.5.2)
rack-protection (1.5.0)
rake (10.1.0)
rgen (0.6.5)
rubygems-update (2.0.5)
sinatra (1.4.3)
sqlite3 (1.3.7)
sqlite3-ruby (1.3.3)
stomp (1.2.10)
tilt (1.4.1)
tzinfo (1.0.1)
zonefile (1.04)

Now, I could re-install the Puppet 3.x code and see if that resolves the problem. I need to be very careful, as I have many 2.x agents that still require the Puppet master running -- so, if I uninstall the gem, then check to see if the directory and /usr/local/bin copies are removed, reinstall and re-run the master and see what happens. I presume /var/lib/puppet doesn't need to be touched in this case, as it's local data.

Yes, of course the master that's running Puppet under Passenger (4.0.8) has been restarted multiple times, in the effort to continue debugging this. Though, I note the post above that mentions adding debug to config.ru - which I'm puzzled by.

I suppose I could back out the Passenger process altogether and run a standard Puppet master and see if the problem persists, also.

Thanks!
Forrie
2013-Jul-18 19:21 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Actually, with the improvements to Puppet 3.x, I wonder if it's really necessary to run Puppet under Passenger anymore... we have less than 100 hosts, but that could change.
Forrie
2013-Jul-19 19:58 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I did some poking around and I think I found a better hint as to what may be the issue (feel free to confirm).

In /etc/puppet/auth.conf, I had:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

But the installation has "certificate_requests" (corrected).

Next, I see the actual requests are being cached in:

/var/lib/puppet/ssl/ca/requests

which I believe is wrong for 3.x... ? There is one outstanding request in there from another machine I accessed a while ago.

For sake of clarity, here is the complete content of my auth.conf file, which until recently hasn't been changed since the initial installation:

path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path ~ ^/report/([^/]+)$
method save
allow $1

path /file
allow *

path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_requests
auth any
method find, save
allow *

path /
auth any

The auth.conf on the client:

path /run
auth any
method save
allow our.serverdomain.com

path /
auth any

I'm going to keep looking, but I wonder if I'm close to figuring this out......

Thanks.
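The auth.conf posted above is matched against the REST path of each request, not against directory names on disk, and a literal `path` entry is a prefix match. To make that concrete, here is an added example (written for this thread, not code from Puppet or from any poster) that implements a simplified model of the Puppet 3 auth.conf rules and evaluates the posted file against the request an un-enrolled agent makes when it uploads its CSR. The conf text is a constructed copy of the one in the post; the certname, the assumption that the environment prefix is stripped before matching, and the omission of `allow_ip`, `deny` and environment filters are mine, so the verdict is an approximation of the real engine rather than a statement about what Puppet did on the poster's master.

```ruby
# Simplified Puppet 3 auth.conf evaluator (added illustration, not Puppet code).
#   path /literal    literal prefix match against the request path
#   path ~ regex     regex match; capture groups usable as $1, $2 in "allow"
#   auth yes|no|any  request must (yes) / must not (no) carry a client cert;
#                    "yes" is the default when the directive is absent
#   method a, b      REST methods covered (default: all four)
#   allow x, y       certnames (or *) permitted once a stanza has matched
# The first stanza whose path, method and auth all match decides; a stanza
# whose path matches but whose method or auth does not is skipped. The
# environment prefix (/production) is assumed already stripped from the path.

ALL_METHODS = %w[find search save destroy].freeze

Rule = Struct.new(:prefix, :regex, :auth, :verbs, :allow)

def parse_auth_conf(text)
  rules = []
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip            # drop comments and blank lines
    next if line.empty?
    key, _sep, value = line.partition(/\s+/)
    next if current.nil? && key != 'path'      # directive before any path
    case key
    when 'path'
      current = Rule.new(nil, nil, 'yes', ALL_METHODS, [])
      if value.start_with?('~')
        current.regex = Regexp.new(value.sub(/\A~\s*/, ''))
      else
        current.prefix = value
      end
      rules << current
    when 'auth', 'authenticated' then current.auth  = value
    when 'method'                then current.verbs = value.split(/\s*,\s*/)
    when 'allow'                 then current.allow += value.split(/\s*,\s*/)
    end
  end
  rules
end

# certname is nil for an unauthenticated request, e.g. an agent that has no
# signed certificate yet and is uploading its CSR.
def authorized?(rules, path, method, certname = nil)
  rules.each do |r|
    captures = []
    if r.regex
      m = r.regex.match(path)
      next unless m
      captures = m.captures
    else
      next unless path.start_with?(r.prefix)
    end
    next unless r.verbs.include?(method)
    next if r.auth == 'yes' && certname.nil?
    next if r.auth == 'no' && certname
    # Path, method and auth all matched: this stanza is decisive.
    return r.allow.any? do |entry|
      expanded = entry.gsub(/\$(\d+)/) { captures[Regexp.last_match(1).to_i - 1].to_s }
      expanded == '*' || expanded == certname
    end
  end
  false
end

# Constructed copy of the server-side auth.conf quoted in the thread.
THREAD_AUTH_CONF = <<~'CONF'
  path ~ ^/catalog/([^/]+)$
  method find
  allow $1
  path ~ ^/node/([^/]+)$
  method find
  allow $1
  path /certificate_revocation_list/ca
  method find
  allow *
  path ~ ^/report/([^/]+)$
  method save
  allow $1
  path /file
  allow *
  path /certificate/ca
  auth any
  method find
  allow *
  path /certificate/
  auth any
  method find
  allow *
  path /certificate_requests
  auth any
  method find, save
  allow *
  path /
  auth any
CONF

# Same file with that stanza spelled as in the stock Puppet 3 auth.conf.
STOCK_STYLE_AUTH_CONF = THREAD_AUTH_CONF.sub('path /certificate_requests', 'path /certificate_request')

# Can an agent with no certificate yet upload its CSR under this auth.conf?
# The agent PUTs (REST method "save") to /certificate_request/<certname>.
def csr_upload_allowed?(conf_text, certname)
  authorized?(parse_auth_conf(conf_text), "/certificate_request/#{certname}", 'save', nil)
end

if __FILE__ == $PROGRAM_NAME
  puts "thread auth.conf: CSR upload allowed? #{csr_upload_allowed?(THREAD_AUTH_CONF, 'agent.example.com')}"
  puts "stock style:      CSR upload allowed? #{csr_upload_allowed?(STOCK_STYLE_AUTH_CONF, 'agent.example.com')}"
end
```

The point the model makes visible: `/certificate_requests` is not a prefix of `/certificate_request/<certname>`, so the CSR upload falls through to the final `path /` stanza, which has `auth any` but no `allow` line and therefore denies it, while the stock spelling matches and allows it. Whether that is what happened on the poster's master is not something this script can tell; reading the same file with the real engine's debug output is the authoritative check.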
Forrie
2013-Jul-19 20:04 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Output from puppet config print for SSL configs:

cacert = /var/lib/puppet/ssl/ca/ca_crt.pem
cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem
cadir = /var/lib/puppet/ssl/ca
cakey = /var/lib/puppet/ssl/ca/ca_key.pem
capass = /var/lib/puppet/ssl/ca/private/ca.pass
caprivatedir = /var/lib/puppet/ssl/ca/private
capub = /var/lib/puppet/ssl/ca/ca_pub.pem
cert_inventory = /var/lib/puppet/ssl/ca/inventory.txt
certdir = /var/lib/puppet/ssl/certs
csrdir = /var/lib/puppet/ssl/ca/requests
hostcert = /var/lib/puppet/ssl/certs/central.de-prod.harvard.edu.pem
hostcrl = /var/lib/puppet/ssl/crl.pem
hostcsr = /var/lib/puppet/ssl/csr_central.de-prod.harvard.edu.pem
hostprivkey = /var/lib/puppet/ssl/private_keys/central.de-prod.harvard.edu.pem
hostpubkey = /var/lib/puppet/ssl/public_keys/central.de-prod.harvard.edu.pem
ldapssl = false
localcacert = /var/lib/puppet/ssl/certs/ca.pem
passfile = /var/lib/puppet/ssl/private/password
privatedir = /var/lib/puppet/ssl/private
privatekeydir = /var/lib/puppet/ssl/private_keys
publickeydir = /var/lib/puppet/ssl/public_keys
requestdir = /var/lib/puppet/ssl/certificate_requests
serial = /var/lib/puppet/ssl/ca/serial
signeddir = /var/lib/puppet/ssl/ca/signed
ssl_client_ca_auth
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_server_ca_auth
ssldir = /var/lib/puppet/ssl
Forrie
2013-Jul-19 20:05 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Output of puppet config print for SSL:

cacert = /var/lib/puppet/ssl/ca/ca_crt.pem
cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem
cadir = /var/lib/puppet/ssl/ca
cakey = /var/lib/puppet/ssl/ca/ca_key.pem
capass = /var/lib/puppet/ssl/ca/private/ca.pass
caprivatedir = /var/lib/puppet/ssl/ca/private
capub = /var/lib/puppet/ssl/ca/ca_pub.pem
cert_inventory = /var/lib/puppet/ssl/ca/inventory.txt
certdir = /var/lib/puppet/ssl/certs
csrdir = /var/lib/puppet/ssl/ca/requests
hostcert = /var/lib/puppet/ssl/certs/ourserver.domain.com.pem
hostcrl = /var/lib/puppet/ssl/crl.pem
hostcsr = /var/lib/puppet/ssl/csr_ourserver.domain.com.pem
hostprivkey = /var/lib/puppet/ssl/private_keys/ourserver.domain.com.pem
hostpubkey = /var/lib/puppet/ssl/public_keys/ourserver.domain.com.pem
ldapssl = false
localcacert = /var/lib/puppet/ssl/certs/ca.pem
passfile = /var/lib/puppet/ssl/private/password
privatedir = /var/lib/puppet/ssl/private
privatekeydir = /var/lib/puppet/ssl/private_keys
publickeydir = /var/lib/puppet/ssl/public_keys
requestdir = /var/lib/puppet/ssl/certificate_requests
serial = /var/lib/puppet/ssl/ca/serial
signeddir = /var/lib/puppet/ssl/ca/signed
ssl_client_ca_auth
ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_server_ca_auth
ssldir = /var/lib/puppet/ssl
Forrie
2013-Jul-19 20:54 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I suppose I could just "start all over" and run through the systems and have them signed. The configurations I have there will still work for the manifests (which I've not converted to proper modules yet). This is probably an option.
Forrie
2013-Jul-19 22:50 UTC
[Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I spent the afternoon re-doing my puppet master, tested it with just 2 new clients and I got the same exact problem. I restored my old /var/lib/puppet so that other agents can work.

This is either a bug in Puppet itself or a bizarre configuration issue.
Cory Stoker
2013-Jul-22 02:24 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Not exactly sure if you tried this but I would add --debug to your config.ru and then tail the logs on the puppetmaster. Clear out the client SSL dir on the agent to start from scratch and make sure the master does not have any leftover files from your client.

config.ru with debug:

$0 = "master"
ARGV << "--rack"
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir" << "/var/lib/puppet"
ARGV << "--debug"
require 'puppet/util/command_line'
run Puppet::Util::CommandLine.new.execute

These logs are from a good client certificate signing:

puppet-master[6853]: Handling request: GET /server/certificate_request/mypuppetclient.example.com
puppet-master[6853]: Could not find certificate_request for 'mypuppetclient.example.com'
puppet-master[8243]: Handling request: PUT /server/certificate_request/mypuppetclient.example.com
puppet-master[8243]: mypuppetclient.example.com has a waiting certificate request
puppet-master[8243]: Signed certificate request for mypuppetclient.example.com
puppet-master[8243]: Removing file Puppet::SSL::CertificateRequest mypuppetclient.example.com at '/var/lib/puppet/ssl/ca/requests/mypuppetclient.example.com.pem'
puppet-master[8243]: Handling request: GET /server/certificate/mypuppetclient.example.com

HTH
-Cory

On Fri, Jul 19, 2013 at 4:50 PM, Forrie <forrie@gmail.com> wrote:
> I spent the afternoon re-doing my puppet master, tested it with just 2 new clients and I got the same exact problem. I restored my old /var/lib/puppet so that other agents can work.
>
> This is either a bug in Puppet itself or a bizarre configuration issue.
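The "good" debug sequence Cory posts is useful as a reference to compare a stuck enrolment against: a healthy agent shows a GET of its certificate_request, a PUT of the CSR, the "has a waiting certificate request" and "Signed certificate request" lines, then a GET of the certificate. As an added example (written for this thread, not code from Puppet or from any poster) the script below classifies each certname seen in master-side logs by how far along that sequence it got, so you can tell "the master never saw a CSR" apart from "the CSR is sitting unsigned" and "it was signed but the certificate is still 404". It reads both the puppet-master debug lines shown above and Apache/Passenger access-log lines like the ones earlier in the thread; the three sample logs, the certnames and the verdict wording are constructed by me, and the "ca" certname is skipped because `GET /certificate/ca` is the CA-certificate fetch, not an agent enrolment.

```ruby
# Classify agent certificate enrolment from Puppet 3 master-side logs.
# Added illustration, not Puppet code; sample log lines below are constructed.

# "GET /production/certificate/x" (access log) or
# "Handling request: PUT /server/certificate_request/x" (puppet-master --debug).
REQUEST_RE = %r{\b(GET|PUT) /[^/\s]+/(certificate_request|certificate)/([^/?\s"]+)}
STATUS_RE  = %r{HTTP/1\.\d" (\d{3})}               # HTTP status in access-log lines
WAITING_RE = /(\S+) has a waiting certificate request/
SIGNED_RE  = /Signed certificate request for (\S+)/

def new_state
  { csr_get: 0, csr_put: 0, waiting: false, signed: false, cert_get: 0, cert_404: 0 }
end

# Returns { certname => state } for every agent certname seen in the log text.
def csr_lifecycle(log_text)
  states = Hash.new { |h, k| h[k] = new_state }
  log_text.each_line do |line|
    if (m = REQUEST_RE.match(line))
      verb, endpoint, certname = m.captures
      next if certname == 'ca'                      # CA cert fetch, not an agent
      st = states[certname]
      status = (s = STATUS_RE.match(line)) ? s[1].to_i : nil
      case [verb, endpoint]
      when %w[GET certificate_request] then st[:csr_get] += 1
      when %w[PUT certificate_request] then st[:csr_put] += 1
      when %w[GET certificate]
        st[:cert_get] += 1
        st[:cert_404] += 1 if status == 404
      end
    elsif (m = WAITING_RE.match(line))
      states[m[1]][:waiting] = true
    elsif (m = SIGNED_RE.match(line))
      states[m[1]][:signed] = true
    end
  end
  states
end

VERDICTS = {
  no_activity:           'no certificate traffic seen for this certname',
  no_csr_received:       'agent asked for its certificate but the master never logged a CSR upload ' \
                         '(PUT certificate_request); check that the agent reaches this master and that ' \
                         'auth.conf lets an unauthenticated client save to /certificate_request',
  csr_pending_signature: 'CSR reached the master and awaits signing; it should appear in "puppet cert list"',
  signed_not_served:     'CSR was signed but GET /certificate still returned 404; inspect the signed ' \
                         'cert directory and its permissions on the master',
  signed_and_served:     'CSR signed and certificate fetched: normal enrolment',
}.freeze

def diagnose(st)
  return :signed_and_served     if st[:signed] && st[:cert_get] > st[:cert_404]
  return :signed_not_served     if st[:signed]
  return :csr_pending_signature if st[:csr_put] > 0 || st[:waiting]
  return :no_csr_received       if st[:cert_get] > 0 || st[:csr_get] > 0
  :no_activity
end

# { certname => verdict symbol }; look the symbol up in VERDICTS for the text.
def report(log_text)
  csr_lifecycle(log_text).map { |name, st| [name, diagnose(st)] }.to_h
end

# Constructed samples: the healthy sequence, a stuck agent that only ever gets
# 404 on GET /certificate, and a CSR that arrived but was not signed.
GOOD_LOG = <<~'LOG'
  puppet-master[6853]: Handling request: GET /server/certificate_request/good.example.com
  puppet-master[6853]: Could not find certificate_request for 'good.example.com'
  puppet-master[8243]: Handling request: PUT /server/certificate_request/good.example.com
  puppet-master[8243]: good.example.com has a waiting certificate request
  puppet-master[8243]: Signed certificate request for good.example.com
  puppet-master[8243]: Handling request: GET /server/certificate/good.example.com
LOG

STUCK_LOG = <<~'LOG'
  10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET /production/certificate/ca HTTP/1.1" 200 1200 "-" "-"
  10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET /production/certificate/stuck.example.com? HTTP/1.1" 404 62 "-" "-"
  10.101.0.10 - - [22/Jul/2013:15:11:16 -0400] "GET /production/certificate/stuck.example.com? HTTP/1.1" 404 62 "-" "-"
LOG

PENDING_LOG = <<~'LOG'
  puppet-master[9001]: Handling request: PUT /production/certificate_request/pending.example.com
  puppet-master[9001]: pending.example.com has a waiting certificate request
  puppet-master[9001]: Handling request: GET /production/certificate/pending.example.com
LOG

if __FILE__ == $PROGRAM_NAME
  [GOOD_LOG, STUCK_LOG, PENDING_LOG].each do |log|
    report(log).each { |name, verdict| puts "#{name}: #{verdict} - #{VERDICTS[verdict]}" }
  end
end
```

Run it against `tail`ed master logs (debug or access log) rather than the samples to see which stage each new agent reaches; an agent that only ever appears in `GET /certificate` lines with 404 never had its CSR accepted by the master, which points the investigation at the request path and auth.conf rather than at the signing step.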
Forrie
2013-Jul-22 19:19 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Adding --debug to the config.ru didn't provide any real info -- not sure why, but the client continued to connect and I see this in the log:

10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET /production/certificate/machine.ourdomain.com? HTTP/1.1" 404 62 "-" "-"

and nothing is returned.

I'm wondering if there is a permissions problem. I can't imagine, as I've never touched it.

If I remove all the client SSL certs (backing them up), I presume I would really need to start over again -- that would require going to each client and removing the /var/lib/puppet directory and going through the setup process again.

I'm willing to do that, at this point, since I'm not really getting anywhere figuring out what the problem is here. I just want to make sure I do this properly.

Thanks.
Yaniv Kaul
2013-Jul-22 20:17 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I'd also disable or move to permissive selinux.
Y.

On Monday, July 22, 2013 10:19:35 PM UTC+3, Forrie wrote:
> Adding --debug to the config.ru didn't provide any real info -- not sure
> why, but the client continued to connect and I see this in the log:
>
> 10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET /production/certificate/machine.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>
> and nothing is returned.
>
> I'm wondering if there is a permissions problem. I can't imagine, as I've
> never touched it.
>
> If I remove all the client SSL certs (backing them up), I presume I would
> really need to start over again -- that would require going to each client
> and removing the /var/lib/puppet directory and going through the setup
> process again.
>
> I'm willing to do that, at this point, since I'm not really getting
> anywhere figuring out what the problem is here. I just want to make sure I
> do this properly.
>
> Thanks.
Forrie
2013-Jul-22 20:58 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
I don't have selinux enabled on this system.
Forrie
2013-Jul-23 19:23 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
When I try to connect a new client to this problematic Puppet Master, here's what I see in the log:

10.103.0.3 - - [23/Jul/2013:15:15:27 -0400] "GET /production/certificate/ca? HTTP/1.1" 200 1915 "-" "-"
10.103.0.3 - - [23/Jul/2013:15:15:27 -0400] "GET /production/certificate/new-server.domain.com? HTTP/1.1" 404 59 "-" "-"

But in auth.conf, it appears to be correct:

path /certificate/ca
auth any
method find
allow *

HTTP 404 = not found, so somewhere in this process the Master is refusing to generate certs. I've checked the directories and permissions and I cannot see a problem there. Likewise, my auth.conf is permissive.

It looks like I'm just going to have to start all over again - going through each client manually -- I don't look forward to this at all.
Keith Burdis
2013-Jul-24 07:23 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
When having problems like this it is often a good idea to shut down the Apache web server and run:

# puppet master --debug

from a console instead. If that works then your Puppet setup is okay and you should look at your web server and passenger config.

- Keith

On 18 Jul 2013 20:21, "Forrie" <forrie@gmail.com> wrote:
> Actually, with the improvements to Puppet 3.x, I wonder if it's really
> necessary to run Puppet under Passenger anymore... we have less than 100
> hosts, but that could change.
Forrie
2013-Jul-24 17:57 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
The only response to puppet master --debug in the log is:

Info: Could not find certificate for 'ourmachine.domain.com'

And there is no reference to this system in the master's content under /var/lib/puppet. So it would seem that whatever mechanism that accepts CA requests and creation is borked... ?
Forrie
2013-Jul-24 18:03 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Now this is really strange. I removed /var/lib/puppet on the client side and manually did a puppet agent test while doing a "command line" puppet test on the master and I got:

Info: Could not find certificate for 'ourserver.ourdomain.com'
Info: Could not find certificate_request for 'ourserver.ourdomain.com'
Notice: ourserver.ourdomain.com has a waiting certificate request
Notice: Signed certificate request for ourserver.ourdomain.com
Notice: Removing file Puppet::SSL::CertificateRequest ourserver.ourdomain.com at '/var/lib/puppet/ssl/ca/requests/ourserver.domain.com.pem'
Info: Caching node for ourserver.ourdomain.com

Now I am suspicious that there is a problem with "rack". My config.ru is based on what is in the latest puppet docs:

$0 = "master"
# ARGV << "--debug"
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir" << "/var/lib/puppet"
ARGV << "--rack"
require 'puppet/application/master'
run Puppet::Application[:master].run

And I have no idea if/how/why this would affect Certs. Still going to have to look into this.

OR, I can just ditch Passenger and go back to running Puppet by itself. We have 40 hosts, so I don't think I'll miss Passenger, or having to update the *.conf every time there's an update.

Thoughts?
Forrie
2013-Jul-24 18:20 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
When I updated the config.ru to what's in GIT for puppet, I get a slew of crap errors that lists the library content for puppet. Here's what is in GIT now:

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift('/opt/puppet/lib')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"

# Rack applications typically don't start as root. Set --confdir and --vardir
# to prevent reading configuration from ~puppet/.puppet/puppet.conf and writing
# to ~puppet/.puppet
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir" << "/var/lib/puppet"

# NOTE: it's unfortunate that we have to use the "CommandLine" class
# here to launch the app, but it contains some initialization logic
# (such as triggering the parsing of the config file) that is very
# important. We should do something less nasty here when we've
# gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
# the magic that allows the CommandLine class to know that it's
# supposed to be running master.
#
# --cprice 2012-05-22

require 'puppet/util/command_line'
# we're usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute

I think I'm done with Passenger, as it's been nothing but a headache since I started using it.
Forrie
2013-Jul-25 19:56 UTC
Re: [Puppet Users] Re: 3.2.2 on CentOS 6.3, and "Did not receive certificate"
Having read through more threads, I ran across an article that pointed out the permissions and ownership of config.ru needed to be owned by puppet:puppet. I changed this and now everything is working.

I'm royally annoyed, because nowhere in these logs (either via Puppet or Passenger) was this logged. Seems like a real no-brainer. Bug report.
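The two checks this thread ended up needing, as an added diagnostic script that is not from any of the posters: the config.ru ownership that turned out to be the fix, and a scan of the master's log for the CSR PUT that Cory's "good" signing sequence contains and Forrie's log (only the 404 on GET /certificate/<name>) never shows. The sample log lines are constructed from the excerpts above, and the expected owner "puppet" is the one the last message names.

```shell
#!/bin/sh
# Added diagnostic helper (not code from the thread). It checks who owns
# config.ru under Passenger and whether the master's log ever saw the
# agent's CSR PUT, which a healthy signing flow contains.

# Owner of a file: GNU stat first, BSD stat as a fallback.
file_owner() {
    stat -c '%U' "$1" 2>/dev/null || stat -f '%Su' "$1"
}

# check_config_ru <path> <expected_user>: prints "ok" or "mismatch:<owner>".
check_config_ru() {
    owner=$(file_owner "$1") || return 2
    if [ "$owner" = "$2" ]; then
        echo ok
    else
        echo "mismatch:$owner"
        return 1
    fi
}

# classify_cert_flow <logfile> <certname>: accepts Apache access-log lines or
# "puppet master --debug" lines and reports where the signing flow stopped.
#   csr-submitted  a PUT /.../certificate_request/<certname> reached the master
#   cert-404-only  the agent asked for its cert (404 is normal when new) but no CSR followed
#   no-traffic     nothing for that certname at all
classify_cert_flow() {
    if grep -q "PUT /[^ ]*/certificate_request/$2" "$1"; then
        echo csr-submitted
    elif grep -q "GET /[^ ]*/certificate/$2" "$1"; then
        echo cert-404-only
    else
        echo no-traffic
    fi
}

# Constructed sample logs, modelled on the two excerpts posted in the thread.
write_sample_logs() {
    cat > "$1/broken.log" <<'EOF'
10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET /production/certificate/machine.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
EOF
    cat > "$1/good.log" <<'EOF'
puppet-master[8243]: Handling request: PUT /server/certificate_request/mypuppetclient.example.com
puppet-master[8243]: Signed certificate request for mypuppetclient.example.com
EOF
}

d=$(mktemp -d); write_sample_logs "$d"
classify_cert_flow "$d/broken.log" machine.ourdomain.com    # cert-404-only
classify_cert_flow "$d/good.log" mypuppetclient.example.com # csr-submitted
```

Run `check_config_ru /etc/puppet/rack/config.ru puppet` (or wherever your Passenger vhost points) on the master; a mismatch is the silent failure the last message describes.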