Roger Sherman
2014-Nov-18 04:26 UTC
[Puppet Users] SSL issues arising from cloning environment
I'm in the process of setting up a staging environment for the company I work for. To do this, we've cloned our production environment (vmware), changed the hostnames of the nodes, re-IP'd the nodes, and since that point, I've been trying to get the environment to the point where I can do puppet runs. This is proving difficult, because of a couple SSL issues that have arisen.

We are using Puppet 2.7 on Debian 6 (one of the plans for the staging environment in the first quarter of next year is going to be testing a lot of upgrades).

Right now, I'm just focusing on two nodes - the puppet master and a client node, simply trying to get a successful run done on the client node. For that matter, a successful --noop run. What happens now is the following:

    # puppet agent -tv --noop
    err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
    Exiting; failed to retrieve certificate and waitforcert is disabled

I can ping the puppet master successfully, there is no issue with node to node connectivity. Some googling suggested that time sync could be an issue, and initially it was, but they're synced up now, to no effect. I've of course blown out the certs on the client, since there was a hostname change.

I actually just tried doing a --noop run on the puppet master itself, just to see what would happen. I didn't expect it to be successful...due to the way it's set up (long story short, I inherited this system, and would not have set it up this way), I've never been able to do a successful puppet run on it. This time, though, not only wasn't it successful, but I'm getting similar SSL errors:

    ...
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
    ...
    err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
    ...
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
    ...
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol

with a bunch of ruby noise in between each error.

I have blown out all the certs on the puppet master, and regenerated, as detailed in step 1:

https://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html

For a brief, shining moment, I thought that was going to do the job, but then it didn't generate a couple certs that apache needed to restart, and when I tried to generate them manually, puppet failed to sign them.

Any thoughts on where to begin? I'll be happy to provide any more information deemed necessary. I'm at the point where I'm just going to start making changes to nodes in the environment manually...honestly, I'm hoping I don't have to do that, so very much hoping someone here can help me through this.

Thanks very much in advance,
Rog