Puppet users - Jul 2013 - 3.2.2 on CentOS 6.3, and "Did not receive certificate"

I''m having a perplexing problem with Puppet 3.2.2 (agent) on CentOS
6.3.
There are two systems, recently built, that exhibit the same problem.  
I''m
using the same, very basic and simple config I have on all of my systems 
(most of which are CentOS 5).  This system has its own ruby and puppet 
installation (gem), which is the only real difference.

Basically, I can''t get the master to generate a certificate.   I can
telnet
to the puppet inbound port, no problem.

here''s what I see:

[ puppet master log ]
10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET 
/production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 
62 "-" "-"
10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET 
/production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 
62 "-" "-"

[ puppet client log / debug, no-daemonize ]

Debug: Finishing transaction 69955790206320
Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
Info: Caching certificate for ca
Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Notice: Did not receive certificate


I''ve Googled around for this error, but I don''t see a solution
to my issue
-- I wonder if I''m missing a ruby gem, or if there is generally
something
wrong with running this on CentOS 6 (that would be odd).   

I have tried completely removing /var/lib/puppet on the agent and starting 
over, that has no effect.

The puppet.conf I''m using on all my systems:


[main]
        server = my-server.name.com

        vardir = /var/lib/puppet

        logdir = /var/log/puppet

        rundir = /var/run/puppet

        ssldir = $vardir/ssl

[agent]

        classfile = $vardir/classes.txt

        localconfig = $vardir/localconfig

        syslogfacility = local4

        report = true

        listen = true


Am I missing something?   Granted, the older clients are running 2.7.x, so 
perhaps I''ve missed something in the upgrade docs and I need to add to
the
*.conf file.   The master server is running Puppet 3.2.2 under Passenger 
4.0.8, all the other clients are connecting just fine.   Iptables is not a 
factor here, either.


Thanks.




-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

You should be running puppet version 2 clients with puppetmaster version 2.
You should be running puppet version 3 clients with puppetmaster version 3.


On Thu, Jul 11, 2013 at 11:41 AM, Forrie <forrie@gmail.com> wrote:
> I''m having a perplexing problem with Puppet 3.2.2 (agent) on
CentOS
> 6.3.    There are two systems, recently built, that exhibit the same
> problem.   I''m using the same, very basic and simple config I have
on all
> of my systems (most of which are CentOS 5).  This system has its own ruby
> and puppet installation (gem), which is the only real difference.
>
> Basically, I can''t get the master to generate a certificate.   I
can
> telnet to the puppet inbound port, no problem.
>
> here''s what I see:
>
> [ puppet master log ]
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
>
> [ puppet client log / debug, no-daemonize ]
>
> Debug: Finishing transaction 69955790206320
> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
> Info: Caching certificate for ca
> Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Notice: Did not receive certificate
>
>
> I''ve Googled around for this error, but I don''t see a
solution to my issue
> -- I wonder if I''m missing a ruby gem, or if there is generally
something
> wrong with running this on CentOS 6 (that would be odd).
>
> I have tried completely removing /var/lib/puppet on the agent and starting
> over, that has no effect.
>
> The puppet.conf I''m using on all my systems:
>
>
> [main]
>         server = my-server.name.com
>
>         vardir = /var/lib/puppet
>
>         logdir = /var/log/puppet
>
>         rundir = /var/run/puppet
>
>         ssldir = $vardir/ssl
>
> [agent]
>
>         classfile = $vardir/classes.txt
>
>         localconfig = $vardir/localconfig
>
>         syslogfacility = local4
>
>         report = true
>
>         listen = true
>
>
> Am I missing something?   Granted, the older clients are running 2.7.x, so
> perhaps I''ve missed something in the upgrade docs and I need to
add to the
> *.conf file.   The master server is running Puppet 3.2.2 under Passenger
> 4.0.8, all the other clients are connecting just fine.   Iptables is not a
> factor here, either.
>
>
> Thanks.
>
>
>
>
>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

The CentOS systems I built are 3.2.2 and the master is 3.2.2.   the older 
clients are working fine - they are being upgraded, once I solve this issue.



On Thursday, July 11, 2013 2:44:58 PM UTC-4, Dan wrote:
>
> You should be running puppet version 2 clients with puppetmaster version 2.
> You should be running puppet version 3 clients with puppetmaster version 3.
>
>
> On Thu, Jul 11, 2013 at 11:41 AM, Forrie <for...@gmail.com
<javascript:>>wrote:
>
>> I''m having a perplexing problem with Puppet 3.2.2 (agent) on
CentOS
>> 6.3.    There are two systems, recently built, that exhibit the same 
>> problem.   I''m using the same, very basic and simple config I
have on all
>> of my systems (most of which are CentOS 5).  This system has its own
ruby
>> and puppet installation (gem), which is the only real difference.
>>
>> Basically, I can''t get the master to generate a certificate.  
I can
>> telnet to the puppet inbound port, no problem.
>>
>> here''s what I see:
>>
>> [ puppet master log ]
>> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
>> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62
"-" "-"
>> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
>> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62
"-" "-"
>>
>> [ puppet client log / debug, no-daemonize ]
>>
>> Debug: Finishing transaction 69955790206320
>> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
>> Info: Caching certificate for ca
>> Info: Caching certificate_request for
de-prod-archive.de-prod.harvard.edu
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Notice: Did not receive certificate
>>
>>
>> I''ve Googled around for this error, but I don''t see a
solution to my
>> issue -- I wonder if I''m missing a ruby gem, or if there is
generally
>> something wrong with running this on CentOS 6 (that would be odd).   
>>
>> I have tried completely removing /var/lib/puppet on the agent and 
>> starting over, that has no effect.
>>
>> The puppet.conf I''m using on all my systems:
>>
>>
>> [main]
>>         server = my-server.name.com
>>
>>         vardir = /var/lib/puppet
>>
>>         logdir = /var/log/puppet
>>
>>         rundir = /var/run/puppet
>>
>>         ssldir = $vardir/ssl
>>
>> [agent]
>>
>>         classfile = $vardir/classes.txt
>>
>>         localconfig = $vardir/localconfig
>>
>>         syslogfacility = local4
>>
>>         report = true
>>
>>         listen = true
>>
>>
>> Am I missing something?   Granted, the older clients are running 2.7.x,
>> so perhaps I''ve missed something in the upgrade docs and I
need to add to
>> the *.conf file.   The master server is running Puppet 3.2.2 under 
>> Passenger 4.0.8, all the other clients are connecting just fine.  
Iptables
>> is not a factor here, either.
>>
>>
>> Thanks.
>>
>>
>>
>>
>>  -- 
>> You received this message because you are subscribed to the Google
Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an
>> email to puppet-users...@googlegroups.com <javascript:>.
>> To post to this group, send email to
puppet...@googlegroups.com<javascript:>
>> .
>> Visit this group at http://groups.google.com/group/puppet-users.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>  
>>  
>>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On 12/07/2013 4:45 AM, "kegstand" <kegstand@gmail.com>
wrote:
>
> You should be running puppet version 2 clients with puppetmaster version
2.
> You should be running puppet version 3 clients with puppetmaster version
3.

Actually puppet 2.x nodes will talk to a puppet 3.x master.
As long as the puppet master is equal or higher version it should just work.
>
> On Thu, Jul 11, 2013 at 11:41 AM, Forrie <forrie@gmail.com> wrote:
>>
>> I''m having a perplexing problem with Puppet 3.2.2 (agent) on
CentOS
6.3.    There are two systems, recently built, that exhibit the same
problem.   I''m using the same, very basic and simple config I have on
all
of my systems (most of which are CentOS 5).  This system has its own ruby
and puppet installation (gem), which is the only real
difference.
>>
>> Basically, I can''t get the master to generate a certificate.  
I can
telnet to the puppet inbound port, no problem.
>>
>> here''s what I see:
>>
>> [ puppet master log ]
>> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404
62 "-" "-"
>> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404
62 "-" "-"
>>
>> [ puppet client log / debug, no-daemonize ]
>>
>> Debug: Finishing transaction 69955790206320
>> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
>> Info: Caching certificate for ca
>> Info: Caching certificate_request for
de-prod-archive.de-prod.harvard.edu
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Notice: Did not receive certificate
>>
>>
>> I''ve Googled around for this error, but I don''t see a
solution to my
issue -- I wonder if I''m missing a ruby gem, or if there is generally
something wrong with running this on CentOS 6 (that would be
odd).
>>
>> I have tried completely removing /var/lib/puppet on the agent and
starting over, that has no effect.
>>
>> The puppet.conf I''m using on all my systems:
>>
>>
>> [main]
>>         server = my-server.name.com
>>
>>         vardir = /var/lib/puppet
>>
>>         logdir = /var/log/puppet
>>
>>         rundir = /var/run/puppet
>>
>>         ssldir = $vardir/ssl
>>
>> [agent]
>>
>>         classfile = $vardir/classes.txt
>>
>>         localconfig = $vardir/localconfig
>>
>>         syslogfacility = local4
>>
>>         report = true
>>
>>         listen = true
>>
>>
>> Am I missing something?   Granted, the older clients are running 2.7.x,
so perhaps I''ve missed something in the upgrade docs and I need to add
to
the *.conf file.   The master server is running Puppet 3.2.2 under
Passenger 4.0.8, all the other clients are connecting just fine.   Iptables
is not a factor here, either.
>>
>>
>> Thanks.
>>
>>
>>
>>
>> --
>> You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send
an email to puppet-users+unsubscribe@googlegroups.com.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> Visit this group at http://groups.google.com/group/puppet-users.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>>
>
>
> --
> You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Thursday, July 11, 2013 9:41:26 PM UTC+3, Forrie wrote:
> I''m having a perplexing problem with Puppet 3.2.2 (agent) on
CentOS
> 6.3.    There are two systems, recently built, that exhibit the same 
> problem.   I''m using the same, very basic and simple config I have
on all
> of my systems (most of which are CentOS 5).  This system has its own ruby 
> and puppet installation (gem), which is the only real difference.
>
> Basically, I can''t get the master to generate a certificate.   I
can
> telnet to the puppet inbound port, no problem.
>
> here''s what I see:
>
> [ puppet master log ]
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
>
> [ puppet client log / debug, no-daemonize ]
>
> Debug: Finishing transaction 69955790206320
> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
> Info: Caching certificate for ca
> Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Notice: Did not receive certificate
>
>
> I''ve Googled around for this error, but I don''t see a
solution to my issue
> -- I wonder if I''m missing a ruby gem, or if there is generally
something
> wrong with running this on CentOS 6 (that would be odd).   
>
> I have tried completely removing /var/lib/puppet on the agent and starting 
> over, that has no effect.
>
> The puppet.conf I''m using on all my systems:
>
>
> [main]
>         server = my-server.name.com
>
>         vardir = /var/lib/puppet
>
>         logdir = /var/log/puppet
>
>         rundir = /var/run/puppet
>
>         ssldir = $vardir/ssl
>
> [agent]
>
>         classfile = $vardir/classes.txt
>
>         localconfig = $vardir/localconfig
>
>         syslogfacility = local4
>
>         report = true
>
>         listen = true
>
>
> Am I missing something?   Granted, the older clients are running 2.7.x, so 
> perhaps I''ve missed something in the upgrade docs and I need to
add to the
> *.conf file.   The master server is running Puppet 3.2.2 under Passenger 
> 4.0.8, all the other clients are connecting just fine.   Iptables is not a 
> factor here, either.
>
>
> Thanks.
>
>
>
>
>
I have exactly the same issue, on CentOS 6.4. Packages:
[root@foreman ~]# rpm -qa |grep puppet
puppet-3.2.2-1.el6.noarch
puppet-server-3.2.2-1.el6.noarch
ruby193-puppet-3.1.1-6.el6.noarch
puppetlabs-release-6-7.noarch


I''m unsure how I debug this on the master side. tcpdump shows SSL 
connection between the client and the server taking place, but that''s
about
it.
Y.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Thursday, July 11, 2013 1:41:26 PM UTC-5, Forrie
wrote:
>
> I''m having a perplexing problem with Puppet 3.2.2 (agent) on
CentOS
> 6.3.    There are two systems, recently built, that exhibit the same 
> problem.   I''m using the same, very basic and simple config I have
on all
> of my systems (most of which are CentOS 5).  This system has its own ruby 
> and puppet installation (gem), which is the only real difference.
>

I urge you to avoid using gem to manage packages on any system that has a 
decent native package manager (such as CentOS 6.3).  It constitutes a basic 
system management problem to have multiple package managers with 
overlapping areas of responsibility.

Have you considered using the RHEL/CentOS/etc. RPMs packaged by 
PuppetLabs?  PL maintains its own yum repository to make this easy; see 
http://docs.puppetlabs.com/guides/puppetlabs_package_repositories.html.

 
>
> Basically, I can''t get the master to generate a certificate.   I
can
> telnet to the puppet inbound port, no problem.
>
> here''s what I see:
>
> [ puppet master log ]
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
> 10.101.0.10 - - [11/Jul/2013:14:30:50 -0400] "GET
/production/certificate/
> de-prod-archive.de-prod.harvard.edu? HTTP/1.1" 404 62 "-"
"-"
>
> [ puppet client log / debug, no-daemonize ]
>
> Debug: Finishing transaction 69955790206320
> Info: Creating a new SSL key for de-prod-archive.de-prod.harvard.edu
> Info: Caching certificate for ca
> Info: Caching certificate_request for de-prod-archive.de-prod.harvard.edu
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Notice: Did not receive certificate
>
>
And your master is configured to autosign certificates?  Because that''s
not
the default, and you didn''t say anything about signing them manually. 
You
can check whether there are any outstanding certificate requests by running

puppet cert list

on the master.

In fact, did you recently upgrade your master to its current version?  As 
in, since the working clients were issued their certs?  If so, then perhaps 
the upgrade somehow reset the master''s certificate management
configuration
to the default of not autosigning.

 
>
> I''ve Googled around for this error, but I don''t see a
solution to my issue
> -- I wonder if I''m missing a ruby gem, or if there is generally
something
> wrong with running this on CentOS 6 (that would be odd).   
>
> I have tried completely removing /var/lib/puppet on the agent and starting 
> over, that has no effect.
>
> The puppet.conf I''m using on all my systems:
>
>
> [main]
>         server = my-server.name.com
>
>         vardir = /var/lib/puppet
>
>         logdir = /var/log/puppet
>
>         rundir = /var/run/puppet
>
>         ssldir = $vardir/ssl
>
> [agent]
>
>         classfile = $vardir/classes.txt
>
>         localconfig = $vardir/localconfig
>
>         syslogfacility = local4
>
>         report = true
>
>         listen = true
>
>
> Am I missing something?   Granted, the older clients are running 2.7.x, so 
> perhaps I''ve missed something in the upgrade docs and I need to
add to the
> *.conf file.   The master server is running Puppet 3.2.2 under Passenger 
> 4.0.8, all the other clients are connecting just fine.   Iptables is not a 
> factor here, either.
>
>
I am disinclined to think that the problem is actually at the agent.  That 
the other agents are working is not a counterindication, for the place 
where the process seems to be failing is outside the path that is 
ordinarily traversed in servicing catalog requests.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

We are not configured to auto-sign certificates.

Clearly, the client is making a connection to the master:


10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET 
/production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62
"-"
"-"
10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET 
/production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62
"-"
"-"
10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET 
/production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62
"-"
"-"

Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this 
particular agent.   I''ve tried starting clean/fresh on the agent
(removing
/var/lib/puppet) and that has no effect.   The older clients are working 
just fine.

puppet cert list, continues to not see the inbound request from this 
particular agent.    


our auth.conf certificate rules are fairly standard:

# allow access to the CA certificate; unauthenticated nodes need this
# in order to validate the puppet master''s certificate
path /certificate/ca
auth any
method find
allow *

# allow nodes to retrieve the certificate they requested earlier
path /certificate/
auth any
method find
allow *

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *


Unless something changed between versions that I missed, I believe this 
should be working.    I even hard-coded the servername in the puppet.conf, 
which has no effect on this agent.

The logs above suggest it''s looking for the actual certificate, but I
don''t
see the request in the "puppet cert list" queue.

Very puzzled.


Thanks.




[ .. ]
>
 
> And your master is configured to autosign certificates?  Because
that''s
> not the default, and you didn''t say anything about signing them
manually.
> You can check whether there are any outstanding certificate requests by 
> running
>
> puppet cert list
>
> on the master.
>
> In fact, did you recently upgrade your master to its current version?  As 
> in, since the working clients were issued their certs?  If so, then perhaps
> the upgrade somehow reset the master''s certificate management
configuration
> to the default of not autosigning.
>
>  
>
>>
>> I''ve Googled around for this error, but I don''t see a
solution to my
>> issue -- I wonder if I''m missing a ruby gem, or if there is
generally
>> something wrong with running this on CentOS 6 (that would be odd).   
>>
>> I have tried completely removing /var/lib/puppet on the agent and 
>> starting over, that has no effect.
>>
>> The puppet.conf I''m using on all my systems:
>>
>>
>> [main]
>>         server = my-server.name.com
>>
>>         vardir = /var/lib/puppet
>>
>>         logdir = /var/log/puppet
>>
>>         rundir = /var/run/puppet
>>
>>         ssldir = $vardir/ssl
>>
>> [agent]
>>
>>         classfile = $vardir/classes.txt
>>
>>         localconfig = $vardir/localconfig
>>
>>         syslogfacility = local4
>>
>>         report = true
>>
>>         listen = true
>>
>>
>> Am I missing something?   Granted, the older clients are running 2.7.x,
>> so perhaps I''ve missed something in the upgrade docs and I
need to add to
>> the *.conf file.   The master server is running Puppet 3.2.2 under 
>> Passenger 4.0.8, all the other clients are connecting just fine.  
Iptables
>> is not a factor here, either.
>>
>>
>
> I am disinclined to think that the problem is actually at the agent.  That 
> the other agents are working is not a counterindication, for the place 
> where the process seems to be failing is outside the path that is 
> ordinarily traversed in servicing catalog requests.
>
>
> John
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Our Master (server) cert has remained intact, last installed on Nov  2 
 2011.  So I don''t believe that''s the issue.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie
wrote:
>
> We are not configured to auto-sign certificates.
>
> Clearly, the client is making a connection to the master:
>
>
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
>
> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this 
> particular agent.   I''ve tried starting clean/fresh on the agent
(removing
> /var/lib/puppet) and that has no effect.   The older clients are working 
> just fine.
>
> puppet cert list, continues to not see the inbound request from this 
> particular agent.    
>

Well, that at least narrows it down.  The master is not recognizing the 
client''s certificate-signing request, or is refusing to service it. 
Does
the master already have a signed certificate for this client (or at least 
one bearing the requested certname)?  "puppet cert list --all" should
tell
you.

If so, then there are two possibilities:
(1) the master signed the current client''s current certificate, but is 
refusing to serve up the signed certificate.  This seems unlikely to me, 
but it cannot be altogether discounted.
(2) the signed certificate does not correspond to the certificate-signing 
request currently being presented by the agent (maybe it is an old cert 
signed for a different machine with the same name), so the master refuses 
to provide it to the agent.

If (2) applies, then you should revoke then remove the old cert via "puppet
cert", then try again to connect the agent.

Alternatively, is there any chance you have multiple copies of the master 
installed?  (Maybe one via RPM and a separate one via gem?)  If that''s
the
case, then perhaps the master the agent is talking to is different from the 
one that comes first in your shell''s executable path.  That could wreak
all
sorts of havoc, including misleading you about the relevant certs and CSRs.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, July 17, 2013 6:00:49 PM UTC+3, jcbollinger wrote:
>
>
> On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
>>
>> We are not configured to auto-sign certificates.
>>
>> Clearly, the client is making a connection to the master:
>>
>>
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
>> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
>> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET
/production/certificate/
>> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-"
"-"
>>
>> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this 
>> particular agent.   I''ve tried starting clean/fresh on the
agent (removing
>> /var/lib/puppet) and that has no effect.   The older clients are
working
>> just fine.
>>
>> puppet cert list, continues to not see the inbound request from this 
>> particular agent.    
>>
>
>
> Well, that at least narrows it down.  The master is not recognizing the 
> client''s certificate-signing request, or is refusing to service
it.  Does
> the master already have a signed certificate for this client (or at least 
> one bearing the requested certname)?  "puppet cert list --all"
should tell
> you.
>
> If so, then there are two possibilities:
> (1) the master signed the current client''s current certificate,
but is
> refusing to serve up the signed certificate.  This seems unlikely to me, 
> but it cannot be altogether discounted.
> (2) the signed certificate does not correspond to the certificate-signing 
> request currently being presented by the agent (maybe it is an old cert 
> signed for a different machine with the same name), so the master refuses 
> to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via 
> "puppet cert", then try again to connect the agent.
>
> Alternatively, is there any chance you have multiple copies of the master 
> installed?  (Maybe one via RPM and a separate one via gem?)  If
that''s the
> case, then perhaps the master the agent is talking to is different from the
> one that comes first in your shell''s executable path.  That could
wreak all
> sorts of havoc, including misleading you about the relevant certs and CSRs.
>
>
> John
>
>
How do I verify if multiple copies are installed? I''m using Foreman to 
manage the puppet master on the same host, but I don''t think it has
caused
any issues. I don''t think #1 above is what happened to me -
I''ve tried with
a completely new client.
I must emphasize that apart from the CA''s certificate, I''m not
seeing
anything under ''puppet cert --list --all''.
Is there any debug flag I can enable to provide debug output on the master 
for the signing process?

Y. 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

[ ... ]
> Well, that at least narrows it down.  The master is not recognizing the 
> client''s certificate-signing request, or is refusing to service
it.  Does
> the master already have a signed certificate for this client (or at least 
> one bearing the requested certname)?  "puppet cert list --all"
should tell
> you.
>
There are no other certificates for this new system.  I checked recursively 
in the ssl directory, just to be sure.
 
> If so, then there are two possibilities:
> (1) the master signed the current client''s current certificate,
but is
> refusing to serve up the signed certificate.  This seems unlikely to me, 
> but it cannot be altogether discounted.
>
Not the case.
 
> (2) the signed certificate does not correspond to the certificate-signing 
> request currently being presented by the agent (maybe it is an old cert 
> signed for a different machine with the same name), so the master refuses 
> to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via 
> "puppet cert", then try again to connect the agent.
>
 
>
> Alternatively, is there any chance you have multiple copies of the master 
> installed?  (Maybe one via RPM and a separate one via gem?)  If
that''s the
> case, then perhaps the master the agent is talking to is different from the
> one that comes first in your shell''s executable path.  That could
wreak all
> sorts of havoc, including misleading you about the relevant certs and CSRs.
>
There is only one master running, one agent:

 1149 ?        S      1:19 Passenger RackApp: /etc/puppet/rack/puppetmasterd
 6946 ?        Ss     0:03 /usr/local/bin/ruby /usr/local/bin/puppet agent

What strikes me as odd is this is a fresh system that was installed; 
there''s nothing particularly special about it, other than it''s
CentOS 6.x
versus CentOS 5.x which are most of the others.   It seems one other person 
posted here who is experiencing similar problems.

What I''m willing to do, as a test case, is configure to new VMs and try
a
proof-of-bug-or-concept with this.  The setup will be simple, one master 
and one agent; the cert request should be accepted and then manually 
signed.    Though, I think my present configuration is simple enough.


Thanks.
 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I''m seeing this error in the logs:

Jul 17 16:37:17 server puppet-agent[17835]: (/File[/var/lib/puppet/lib]) 
Could not evaluate: Could not retrieve information from environment 
production source(s) puppet:/server.ourdomain.com/plugins

But I don''t believe this is connected to the aforementioned problem.  
This
was a 2.x system upgraded to 3.x.   We went through the painful allow vs 
allow_ip issue, and everything seems to be working.  I did a diff of the 
GIT puppet repository conf/auth.conf and ours is identical.   The only 
difference we have presently (until I rewrite a bunch of stuff) is in 
fileserver.conf:

[files]
path    /etc/puppet/files
# allow *
allow_ip        10.101.0.0/24
allow_ip        10.103.0.0/24

We have a bunch of stuff we replicate from that location; again, it seems 
to be working fine for the older clients.

I also verified that the output of "puppet master
--configprint=certname"
indeed matches the "servername" variable in our puppet.conf file(s).

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, July 17, 2013 2:33:22 PM UTC-5, Forrie
wrote:
>
>
>
> [ ... ]
>> Well, that at least narrows it down.  The master is not recognizing the
>> client''s certificate-signing request, or is refusing to
service it.  Does
>> the master already have a signed certificate for this client (or at
least
>> one bearing the requested certname)?  "puppet cert list
--all" should tell
>> you.
>>
>
> There are no other certificates for this new system.  I checked 
> recursively in the ssl directory, just to be sure.
>  
>
>> If so, then there are two possibilities:
>> (1) the master signed the current client''s current
certificate, but is
>> refusing to serve up the signed certificate.  This seems unlikely to
me,
>> but it cannot be altogether discounted.
>>
>
> Not the case.
>  
>
>> (2) the signed certificate does not correspond to the
certificate-signing
>> request currently being presented by the agent (maybe it is an old cert
>> signed for a different machine with the same name), so the master
refuses
>> to provide it to the agent.
>>
>> If (2) applies, then you should revoke then remove the old cert via 
>> "puppet cert", then try again to connect the agent.
>>
>  
>
>>
>> Alternatively, is there any chance you have multiple copies of the
master
>> installed?  (Maybe one via RPM and a separate one via gem?)  If
that''s the
>> case, then perhaps the master the agent is talking to is different from
the
>> one that comes first in your shell''s executable path.  That
could wreak all
>> sorts of havoc, including misleading you about the relevant certs and
CSRs.
>>
>
> There is only one master running, one agent:
>
>  1149 ?        S      1:19 Passenger RackApp: 
> /etc/puppet/rack/puppetmasterd
>  6946 ?        Ss     0:03 /usr/local/bin/ruby /usr/local/bin/puppet agent
>

Were I you, I would shut down the puppet agent on the master''s system,
and
test only with a separate client until you get things sorted out.

 
>
> What strikes me as odd is this is a fresh system that was installed; 
> there''s nothing particularly special about it, other than
it''s CentOS 6.x
> versus CentOS 5.x which are most of the others.   It seems one other person
> posted here who is experiencing similar problems.
>

I still say the problem is more likely with the master than with the 
agent.  My working hypothesis is that when you upgraded the master to v3.2 
you broke its certificate-signing functionality.  Supposing that the 
master''s CA certificate was carried over during the upgrade, clients
that
already have certificates don''t need new certs, so they continue to
work.
(And if the CA cert had not been carried over then all existing clients 
would have needed new certs.)  New clients do need signed certs before they 
can retrieve catalogs, however, so the clients you are trying to deploy now 
do not work.  By this logic, no new client deployment will work against 
this master, whether it''s Puppet3/Cent6, Puppet2/Cent5, or even 
Puppet3/Cent5.  It is therefore irrelevant how similar your new client 
systems are to the ones already in operation.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

> I still say the problem is more likely with the master than with the 
> agent.  My working hypothesis is that when you upgraded the master to v3.2 
> you broke its certificate-signing functionality.  Supposing that the 
> master''s CA certificate was carried over during the upgrade,
clients that
> already have certificates don''t need new certs, so they continue
to work.
> (And if the CA cert had not been carried over then all existing clients 
> would have needed new certs.)  New clients do need signed certs before they
> can retrieve catalogs, however, so the clients you are trying to deploy now
> do not work.  By this logic, no new client deployment will work against 
> this master, whether it''s Puppet3/Cent6, Puppet2/Cent5, or even 
> Puppet3/Cent5.  It is therefore irrelevant how similar your new client 
> systems are to the ones already in operation.
>
Curious, how could I break the CA certificate-signing functionality by 
upgrading?  Wouldn''t that be a bug in the upgrade process?

I can install a fresh version of Puppet and see if that works - but, I have 
too many nodes and thus I need to retain the current certificates that are 
signed.
 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, July 17, 2013 12:25:18 PM UTC-5, Yaniv Kaul
wrote:
>
>
> How do I verify if multiple copies are installed?
>

I would suggest using the ''find'' command on the master to look
for files
and directories named ''puppet''.  Make sure all the results
belong to the
same Puppet install.  In your case you might pass their full names to "rpm 
-q -f" to verify that they all come from one or another of your installed 
RPMs.  I don''t know whether Forrie installed from RPM; if not, then
that
part of it will need to be different for him.

 
> I''m using Foreman to manage the puppet master on the same host,
but I
> don''t think it has caused any issues. I don''t think #1
above is what
> happened to me - I''ve tried with a completely new client.
> I must emphasize that apart from the CA''s certificate,
I''m not seeing
> anything under ''puppet cert --list --all''.
> Is there any debug flag I can enable to provide debug output on the master 
> for the signing process?
>
>
If you are running the master as a standalone daemon (i.e. using its 
built-in "webrick" server) then you should be able to start it as

puppet master --debug

to enable debug logging.  If you are running the master under Passenger, 
then you may be able to turn on debug logging by modifying your config.ru 
file to pass the --debug option to the master.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, July 17, 2013 4:24:13 PM UTC-5, Forrie
wrote:
>
>
> I still say the problem is more likely with the master than with the 
>> agent.  My working hypothesis is that when you upgraded the master to
v3.2
>> you broke its certificate-signing functionality.  Supposing that the 
>> master''s CA certificate was carried over during the upgrade,
clients that
>> already have certificates don''t need new certs, so they
continue to work.
>> (And if the CA cert had not been carried over then all existing clients
>> would have needed new certs.)  New clients do need signed certs before
they
>> can retrieve catalogs, however, so the clients you are trying to deploy
now
>> do not work.  By this logic, no new client deployment will work against
>> this master, whether it''s Puppet3/Cent6, Puppet2/Cent5, or
even
>> Puppet3/Cent5.  It is therefore irrelevant how similar your new client 
>> systems are to the ones already in operation.
>>
>
> Curious, how could I break the CA certificate-signing functionality by 
> upgrading?  Wouldn''t that be a bug in the upgrade process?
>

In principle, the upgrade could break certificate signing any number of 
ways.  Whether such an event would constitute a bug depends in part on 
whether yours was a supported upgrade path, but in any event, you cannot 
discount bugs.

You haven''t said how your Puppet master was installed originally or how
it
was upgraded.  You did originally say that your agents were installed as 
gems, and a recent message added the information that one of those agents 
is on the same system as the master, so I suppose that the master is 
provided as part of the same gem.

But wait.  You said that the problematic agents were on new-built systems.  
Have you then transferred the master to a new / rebuilt host as part of 
this process?  (What could possibly go wrong?)

Alternatively, I didn''t notice you responding to the possibility that
you
have two separate Puppet installs.  Did you check?


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I do not have separate Puppet installs.  At the moment, it''s been
installed
via the Gem, so the master and agent are coming from the same code, running 
on the original host (it was not rebuilt).   It is running under 
Passenger/Apache, presently.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Thursday, July 18, 2013 12:32:22 AM UTC+3, jcbollinger wrote:
>
>
> On Wednesday, July 17, 2013 12:25:18 PM UTC-5, Yaniv Kaul wrote:
>>
>>
>> How do I verify if multiple copies are installed?
>>
>
>
> I would suggest using the ''find'' command on the master to
look for files
> and directories named ''puppet''.  Make sure all the
results belong to the
> same Puppet install.  In your case you might pass their full names to
"rpm
> -q -f" to verify that they all come from one or another of your
installed
> RPMs.  I don''t know whether Forrie installed from RPM; if not,
then that
> part of it will need to be different for him.
>
>  
>
>> I''m using Foreman to manage the puppet master on the same
host, but I
>> don''t think it has caused any issues. I don''t think
#1 above is what
>> happened to me - I''ve tried with a completely new client.
>> I must emphasize that apart from the CA''s certificate,
I''m not seeing
>> anything under ''puppet cert --list --all''.
>> Is there any debug flag I can enable to provide debug output on the 
>> master for the signing process?
>>
>>
> If you are running the master as a standalone daemon (i.e. using its 
> built-in "webrick" server) then you should be able to start it as
>
> puppet master --debug
>
> to enable debug logging.  If you are running the master under Passenger, 
> then you may be able to turn on debug logging by modifying your
config.rufile to pass the --debug option to the master.
>
>
> John
>
>
I''ve added debug to my config.ru and suddenly everything works -
clients
happily register. 
I''m not sure if I should be happy or sad, keep the debug or remove
it...
Y. 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

On Wednesday, July 17, 2013 5:31:47 PM UTC-5, Forrie
wrote:
>
> I do not have separate Puppet installs.  At the moment, it''s been 
> installed via the Gem, so the master and agent are coming from the same 
> code, running on the original host (it was not rebuilt).   It is running 
> under Passenger/Apache, presently.
>
>
Then I''m sorry, I can''t follow this.  The description of the
problem is
either too inconsistent or too fragmented.

Fresh installs of Puppet are not known to exhibit the problem you describe, 
so the issue must have arisen through the upgrade.  Since you''re using
gem,
perhaps you have a compatibility problem among the set of gems currently 
installed.  Or back to basics: you DID restart apache/passenger after 
upgrading the master, right?

If I am to have any hope of being able to do anything further for you, 
however, then I need a detailed timeline of what was done to Puppet on your 
site, starting from "everything is running great on Puppet 2.7 / CentOS
5"
(or whatever), including which systems were (re)built, what OS and Puppet 
versions were used, and what problems were observed on which systems.


John

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I upgraded our Puppet master to 3.x a while ago, after the file access 
issues (allow_ip, etc.) were fixed.    I didn''t actually test
connection of
a new client until this past week - where the others are running 2.x agent 
code and working.

Here are the gems I have presently:

builder (3.2.2)
daemon_controller (1.1.4)
facter (1.7.2)
fastthread (1.0.7)
fcgi (0.9.1)
ffi (1.9.0)
hiera (1.2.1)
json (1.8.0)
json_pure (1.8.0)
libvirt-ruby (1.0.2)
passenger (4.0.8)
puppet (3.2.3)
puppet-lint (0.3.2)
puppet-module (0.3.4)
rack (1.5.2)
rack-protection (1.5.0)
rake (10.1.0)
rgen (0.6.5)
rubygems-update (2.0.5)
sinatra (1.4.3)
sqlite3 (1.3.7)
sqlite3-ruby (1.3.3)
stomp (1.2.10)
tilt (1.4.1)
tzinfo (1.0.1)
zonefile (1.04)

Now, I could re-install the Puppet 3.x code and see if that resolves the 
problem.   I need to be very careful, as I have many 2.x agents that still 
require the Puppet master running -- so, if I uninstall the gem, then check 
to see if the directory and /usr/local/bin copies are removed, reinstall 
and re-run the master and see what happens.

I presume /var/lib/puppet doesn''t need to be touched in this case, as
it''s
local data.

Yes, of course the master that''s running Puppet under Passenger (4.0.8)
has
been restarted multiple times, in the effort to continue debugging this.   
Though, I note the post above that mentions adding debug to config.ru - 
which I''m puzzled by.     I suppose I could back-out the Passenger
process
altogether and run a standard Puppet master and see if the problem 
persists, also.

Thanks!

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Actually, with the improvements to Puppet 3.x, I wonder if it''s really 
necessary to run Puppet under Passenger anymore... we have less than 100 
hosts, but that could change.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I did some poking around and I think I found a better hint as to what may 
be the issue (feel free to confirm).

in /etc/puppet/auth.conf, I had:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

But the installation has "certificate_requests" (corrected).

Next, I see the actual requests are being cached in:

/var/lib/puppet/ssl/ca/requests

which I believe is wrong for 3.x... ?   There is one outstanding request in 
there from another machine I accessed a while ago.

For sake of clarity, here is the complete content of my auth.conf file, 
which until recently hasn''t been changed since the initial
installation:


path ~ ^/catalog/([^/]+)$
method find
allow $1

path ~ ^/node/([^/]+)$
method find
allow $1

path /certificate_revocation_list/ca
method find
allow *

path ~ ^/report/([^/]+)$
method save
allow $1

path /file
allow *


path /certificate/ca
auth any
method find
allow *

path /certificate/
auth any
method find
allow *

path /certificate_requests
auth any
method find, save
allow *

path /
auth any


The auth.conf on the client:

path /run
auth any
method save
allow our.serverdomain.com

path /
auth any

I''m going to keep looking, but I wonder if I''m close to
figuring this
out......


Thanks.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Output from puppet config print for SSL configs:

cacert = /var/lib/puppet/ssl/ca/ca_crt.pem
cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem
cadir = /var/lib/puppet/ssl/ca
cakey = /var/lib/puppet/ssl/ca/ca_key.pem
capass = /var/lib/puppet/ssl/ca/private/ca.pass
caprivatedir = /var/lib/puppet/ssl/ca/private
capub = /var/lib/puppet/ssl/ca/ca_pub.pem
cert_inventory = /var/lib/puppet/ssl/ca/inventory.txt
certdir = /var/lib/puppet/ssl/certs
csrdir = /var/lib/puppet/ssl/ca/requests
hostcert = /var/lib/puppet/ssl/certs/central.de-prod.harvard.edu.pem
hostcrl = /var/lib/puppet/ssl/crl.pem
hostcsr = /var/lib/puppet/ssl/csr_central.de-prod.harvard.edu.pem
hostprivkey = 
/var/lib/puppet/ssl/private_keys/central.de-prod.harvard.edu.pem
hostpubkey = /var/lib/puppet/ssl/public_keys/central.de-prod.harvard.edu.pem
ldapssl = false
localcacert = /var/lib/puppet/ssl/certs/ca.pem
passfile = /var/lib/puppet/ssl/private/password
privatedir = /var/lib/puppet/ssl/private
privatekeydir = /var/lib/puppet/ssl/private_keys
publickeydir = /var/lib/puppet/ssl/public_keys
requestdir = /var/lib/puppet/ssl/certificate_requests
serial = /var/lib/puppet/ssl/ca/serial
signeddir = /var/lib/puppet/ssl/ca/signed
ssl_client_ca_auth ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_server_ca_auth ssldir = /var/lib/puppet/ssl


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Output of puppet config print for SSL :

cacert = /var/lib/puppet/ssl/ca/ca_crt.pem
cacrl = /var/lib/puppet/ssl/ca/ca_crl.pem
cadir = /var/lib/puppet/ssl/ca
cakey = /var/lib/puppet/ssl/ca/ca_key.pem
capass = /var/lib/puppet/ssl/ca/private/ca.pass
caprivatedir = /var/lib/puppet/ssl/ca/private
capub = /var/lib/puppet/ssl/ca/ca_pub.pem
cert_inventory = /var/lib/puppet/ssl/ca/inventory.txt
certdir = /var/lib/puppet/ssl/certs
csrdir = /var/lib/puppet/ssl/ca/requests
hostcert = /var/lib/puppet/ssl/certs/ourserver.domain.com.pem
hostcrl = /var/lib/puppet/ssl/crl.pem
hostcsr = /var/lib/puppet/ssl/csr_ourserver.domain.com.pem
hostprivkey = /var/lib/puppet/ssl/private_keys/ourserver.domain.com.pem
hostpubkey = /var/lib/puppet/ssl/public_keys/ourserver.domain.com.pem
ldapssl = false
localcacert = /var/lib/puppet/ssl/certs/ca.pem
passfile = /var/lib/puppet/ssl/private/password
privatedir = /var/lib/puppet/ssl/private
privatekeydir = /var/lib/puppet/ssl/private_keys
publickeydir = /var/lib/puppet/ssl/public_keys
requestdir = /var/lib/puppet/ssl/certificate_requests
serial = /var/lib/puppet/ssl/ca/serial
signeddir = /var/lib/puppet/ssl/ca/signed
ssl_client_ca_auth ssl_client_header = HTTP_X_CLIENT_DN
ssl_client_verify_header = HTTP_X_CLIENT_VERIFY
ssl_server_ca_auth ssldir = /var/lib/puppet/ssl

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I suppose I could just "start all over" and run through the systems
and
have them signed.  The configurations I have there will still work for the 
manifests (which I''ve not converted to proper modules yet).   This is 
probably an option.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I spent the afternoon re-doing my puppet master, tested it with just 2 new 
clients and I got the same exact problem.   I restored my old 
/var/lib/puppet so that other agents can work.

This is either a bug in Puppet itself or a bizarre configuration issue.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Not exactly sure if you tried this but I would added --debug to your
config.ru and then tail the logs on the puppetmaster.  Clear out of
client SSL dir on the agent to start from scratch and make sure the
master does not have any leftover files from your client.

config.ru with debug:

$0 = "master"
ARGV << "--rack"
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"
ARGV << "--debug"
require ''puppet/util/command_line''
run Puppet::Util::CommandLine.new.execute


These logs are from a good client certificate signing:

puppet-master[6853]: Handling request: GET
/server/certificate_request/mypuppetclient.example.com
puppet-master[6853]: Could not find certificate_request for
''mypuppetclient.example.com''
puppet-master[8243]: Handling request: PUT
/server/certificate_request/mypuppetclient.example.com
puppet-master[8243]: mypuppetclient.example.com has a waiting
certificate request
puppet-master[8243]: Signed certificate request for mypuppetclient.example.com
puppet-master[8243]: Removing file Puppet::SSL::CertificateRequest
mypuppetclient.example.com at
''/var/lib/puppet/ssl/ca/requests/mypuppetclient.example.com.pem''
puppet-master[8243]: Handling request: GET
/server/certificate/mypuppetclient.example.com

HTH
-Cory

On Fri, Jul 19, 2013 at 4:50 PM, Forrie <forrie@gmail.com>
wrote:
> I spent the afternoon re-doing my puppet master, tested it with just 2 new
> clients and I got the same exact problem.   I restored my old
> /var/lib/puppet so that other agents can work.
>
> This is either a bug in Puppet itself or a bizarre configuration issue.
>
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Adding --debug to the config.ru didn''t provide any real info -- not
sure
why, but the client continued to connect and I see this in the log:

10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET 
/production/certificate/machine.ourdomain.com? HTTP/1.1" 404 62
"-" "-"

and nothing is returned.

I''m wondering if there is a permissions problem.  I can''t
imagine, as I''ve
never touched it.

If I remove all the client SSL certs (backing them up), I presume I would 
really need to start over again -- that would require going to each client 
and removing the /var/lib/puppet directory and going through the setup 
process again.  

I''m willing to do that, at this point, since I''m not really
getting
anywhere figuring out what the problem is here.  I just want to make sure I 
do this properly.


Thanks.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I''d also disable or move to permissive selinux.
Y.

On Monday, July 22, 2013 10:19:35 PM UTC+3, Forrie
wrote:
>
> Adding --debug to the config.ru didn''t provide any real info --
not sure
> why, but the client continued to connect and I see this in the log:
>
> 10.101.0.10 - - [22/Jul/2013:15:11:15 -0400] "GET
/production/certificate/
> machine.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>
> and nothing is returned.
>
> I''m wondering if there is a permissions problem.  I can''t
imagine, as I''ve
> never touched it.
>
> If I remove all the client SSL certs (backing them up), I presume I would 
> really need to start over again -- that would require going to each client 
> and removing the /var/lib/puppet directory and going through the setup 
> process again.  
>
> I''m willing to do that, at this point, since I''m not
really getting
> anywhere figuring out what the problem is here.  I just want to make sure I
> do this properly.
>
>
> Thanks.
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

I don''t have selinux enabled on this system.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

When I try to connect a new client to this problematic Puppet Master, 
here''s what I see in the log:

10.103.0.3 - - [23/Jul/2013:15:15:27 -0400] "GET 
/production/certificate/ca? HTTP/1.1" 200 1915 "-" "-"
10.103.0.3 - - [23/Jul/2013:15:15:27 -0400] "GET 
/production/certificate/new-server.domain.com? HTTP/1.1" 404 59
"-" "-"

But in auth.conf, it appears to be correct:

path /certificate/ca
auth any
method find
allow *

HTTP 404 = not found

so, somewhere in this process, the Master is refusing to generate certs. 
 I''ve checked the directories and permissions and I cannot see a
problem
there.   Likewise, my auth.conf is permissive.  

It looks like I''m just going to have to start all over again - going 
through each client manually -- I don''t look forward to this at all.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

When having problems like this it is often a good idea to shut down the
Apache web server and run:

  # puppet master --debug

from a console instead. If that works then your Puppet setup is okay and
you should look at your web server and passenger config.

  - Keith
 On 18 Jul 2013 20:21, "Forrie" <forrie@gmail.com> wrote:
> Actually, with the improvements to Puppet 3.x, I wonder if it''s
really
> necessary to run Puppet under Passenger anymore... we have less than 100
> hosts, but that could change.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscribe@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users.
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

The only response to puppet master --debug in the log is :

Info: Could not find certificate for ''ourmachine.domain.com''

And there is no reference to this system in the master''s content under 
/var/lib/puppet.  So it would seem that whatever mechanism that accepts CA 
requests and creation is borked... ? 

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Now this is really strange.  I removed /var/lib/puppet on the client side 
and manually did a puppet agent test while doing a "command line"
puppet
test on the master and I got:

Info: Could not find certificate for ''ourserver.ourdomain.com''
Info: Could not find certificate_request for
''ourserver.ourdomain.com''
Notice: ourserver.ourdomain.com has a waiting certificate request
Notice: Signed certificate request for ourserver.ourdomain.com
Notice: Removing file Puppet::SSL::CertificateRequest 
ourserver.ourdomain.com at 
''/var/lib/puppet/ssl/ca/requests/ourserver.domain.com.pem''
Info: Caching node for ourserver.ourdomain.com

Now I am suspicious that there is a problem with "rack".   My
config.ru is
based on what is in the latest puppet docs:

$0 = "master"

# ARGV << "--debug"
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"
ARGV << "--rack"

require ''puppet/application/master''
run Puppet::Application[:master].run

And I have no idea if/how/why this would affect Certs.   Still going to 
have to look into this.  OR, I can just ditch Passenger and go back to 
running Puppet by itself.   We have 40 hosts, so I don''t think
I''ll miss
Passenger, or having to update the *.conf every time there''s an update.

Thoughts?


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

When I updated the config.ru to what''s in GIT for puppet, I get a slew
of
crap errors that lists the library content for puppet.  Here''s what is
in
GIT now:

# a config.ru, for use with every rack-compatible webserver.
# SSL needs to be handled outside this, though.

# if puppet is not in your RUBYLIB:
# $LOAD_PATH.unshift(''/opt/puppet/lib'')

$0 = "master"

# if you want debugging:
# ARGV << "--debug"

ARGV << "--rack"

# Rack applications typically don''t start as root.  Set --confdir and 
--vardir
# to prevent reading configuration from ~puppet/.puppet/puppet.conf and 
writing
# to ~puppet/.puppet
ARGV << "--confdir" << "/etc/puppet"
ARGV << "--vardir"  << "/var/lib/puppet"

# NOTE: it''s unfortunate that we have to use the
"CommandLine" class
#  here to launch the app, but it contains some initialization logic
#  (such as triggering the parsing of the config file) that is very
#  important.  We should do something less nasty here when we''ve
#  gotten our API and settings initialization logic cleaned up.
#
# Also note that the "$0 = master" line up near the top here is
#  the magic that allows the CommandLine class to know that it''s
#  supposed to be running master.
#
# --cprice 2012-05-22

require ''puppet/util/command_line''
# we''re usually running inside a Rack::Builder.new {} block,
# therefore we need to call run *here*.
run Puppet::Util::CommandLine.new.execute



I think I''m done with Passenger, as it''s been nothing but a
headache since
I started using it.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.

Having read through more threads, I ran across an article that pointed out 
the permissions and ownership of config.ru needed to be owned by 
puppet:puppet.   I changed this and now everything is working.

I''m royally annoyed, because nowhere in these logs (either via Puppet
or
Passenger) was this logged.   Seems like a real no-brainer.

Bug report.


-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.