Displaying 20 results from an estimated 61 matches for "certificate_revocation_list".
2012 Jun 14
2
Forbidden request: puppetagent1.example.com(192.168.1.101) access to /certificate_revocation_list/ca [find] at line 99
Puppet version: 2.7.14
Puppet master behind apache with mod_proxy load balancer.
I am able to authenticate with the cert as per these headers:
Accept: s
X-SSL-Subject: /CN=puppetagent1.example.com
X-Client-DN: /CN=puppetagent1.example.com
X-Client-Verify: SUCCESS
Any idea what this error means?
I share my ssl dir on the load balancer and the puppet master.
2011 Jul 08
2
Puppetmaster setup with separate CA server configuration help
...oxy_temp_file_write_size 64k;
proxy_read_timeout 65;
location ^~ /production/certificate/ca {
proxy_pass https://puppetca;
}
location ^~ /production/certificate {
proxy_pass https://puppetca;
}
location ^~ /production/certificate_revocation_list/ca {
proxy_pass https://puppetca;
}
location ^~ / {
proxy_pass http://puppetmasters;
}
}
--- nginx.conf of Primary CA ---------
user nginx;
worker_processes 10;
worker_rlimit_nofile 100000;
error_log logs/error.log info;
pid...
2011 Aug 17
4
Puppet agent hangs for over a minute, no info in --summarize
...56340
debug: Using cached certificate for ca
debug: Using cached certificate for ubuntu05.wic.west.com
debug: Finishing transaction 70059798542500
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca
debug: Using cached certificate for ubuntu05.wic.west.com
debug: Using cached certificate_revocation_list for ca
debug: catalog supports formats: b64_zlib_yaml dot marshal pson raw
yaml; using pson
[snip]
debug: Storing state
debug: Stored state in 0.01 seconds
notice: Finished catalog run in 0.16 seconds
Changes:
Events:
Noop: 2
Total: 2
Resources:
Total: 12...
2013 Jul 23
3
Debugging Puppetmaster with Apache/Rack/Passenger
...17:47 <puppetmaster> puppet-master[22132]: (access[^/node/([^/]+)$]) allowing 'method' find
Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[^/node/([^/]+)$]) allowing $1 access
Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_revocation_list/ca]) allowing 'method' find
Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/certificate_revocation_list/ca]) allowing * access
Jul 22 17:17:47 <puppetmaster> puppet-master[22132]: (access[/report]) allowing 'method' save...
2012 Dec 10
2
puppet master REST API returns 403 when running under passenger works when running from command line
...lramisr195602 ~]$ sudo puppet agent --no-daemonize --verbose
--server bangvmpllda02.XXXXXX.com
Starting Puppet client version 3.0.1
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Error 403 on SERVER: Forbidden request: 10.209.47.31(10.209.47.31)
access to /certificate_revocation_list/ca [find] at :106
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate: Error 403 on SERVER: Forbidden request:
10.209.47.31(10.209.47.31) access to /file_metadata/plugins [search] at :106
Error: /File[/var/lib/puppet/lib...
2011 Mar 10
2
Puppet Certificate verify failed
...command :
#puppetd --server puppet.domain.tld --waitforcert 60 --test
on the server :
#puppetca --sign client.domain.tld
When the client finishes executing the first command I have the following
output :
*****
info: Caching certificate for host.domain.tld
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Could not retrieve information from source(s)
puppet://puppet.domain.tld/plugins
info: Caching catalog for host.domain.tld
info: Applying configuration version '1299765672'
info: Creating state f...
2012 Nov 13
1
400 permission denied error
...R: Permission
denied - /etc/puppet/auth.conf
My auth.conf looks like this, which I believe is how it is out of the box.
# allow nodes to retrieve their own catalog (ie their configuration)
path ~ ^/catalog/([^/]+)$
method find
allow $1
# allow all nodes to access the certificates services
path /certificate_revocation_list/ca
method find
allow *
# allow all nodes to store their reports
path /report
method save
allow *
# inconditionnally allow access to all files services
# which means in practice that fileserver.conf will
# still be used
path /file
allow *
### Unauthenticated ACL, for clients for which the current...
2017 Sep 21
2
Restrict root clients / experimental patch
..."1.2.3.4.5.6.7" and "1.2.3.4.5.6.8" are used
for uid and gid.
I tried it with custom CA trusted by all bricks and I issued a few client
certificates.
No server configuration is needed when a new client is added; when a client
is revoked a CRL
<https://en.wikipedia.org/wiki/Certificate_revocation_list> must be updated
and pushed to all servers.
By the way I didn't get glusterfs servers to accept my CRLs, do some people
use it?
Notes:
* groups are not handled right now and since users may change groups
regularly I don't think it would be a great idea to freeze them in a
certificate. The...
2013 Oct 04
2
Issue retrieving new certificate on host after original certificate was revoked
...: Creating a new SSL certificate request for el5-puptest-3.localdomain
info: Certificate Request fingerprint (md5):
8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
info: Caching certificate for el5-puptest-3.localdomain
notice: Ignoring --listen on onetime run
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify
failed Could not retrieve file metadata for
puppet://rhel-vm-test-6a.ucc.vcu....
2012 Aug 28
8
Unable to generate certificate on Puppet Agent through Master
...r/lib/puppet/ssl/ca/requests/puppet-client.test.com.pem'
[root@puppet-server manifests]#
Well going.
5.[root@puppet-client ssl]# puppet agent --test --verbose --server
puppet-server.test.com
info: Caching certificate for puppet-client.test.com
info: Caching certificate_revocation_list for ca
err: Could not retrieve catalog from remote server: SSL_connect
returned=1 errno=0 state=SSLv3 read server certificate B: certificate
verify failed: [certificate revoked for /CN=puppet-server.test.com]
warning: Not using cache on failed catalog
err: Could not retrieve catalog;...
2013 Nov 01
1
HELP!!! puppet-enterprise-3.1.0-el-6-i386 master/agent test fails
...ails with below error.
Only difference is architecture. One more note both the agent nodes were
accepted from Dashboard, so master has both the certificates.
Any help will be greatly appreciated.
puppet-enterprise-3.1.0-el-6-i386]# puppet agent --test
Info: Caching certificate for
Info: Caching certificate_revocation_list for ca
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=hostname
Info: Retrieving plugin
Error: /File[/var/opt/lib/pe-puppet/li...
2012 Jul 31
11
$concat_basedir not defined
Hey folks,
I am using puppet for some OpenStack deployments and on a new node things
look pretty good right until after the successful reception of a cert from
the puppet master. I get this error:
err: Could not retrieve catalog from remote server: Error 400 on SERVER:
$concat_basedir not defined. Try running again with pluginsync enabled at
2013 Apr 22
3
Undefined method `get_uptime` for Facter::Util::Uptime:Module
...e and --debug I get error
stack trace as follows:
Debug: Finishing transaction -615376128
Debug: Loaded state in 0.00 seconds
Debug: node supports formats: b64_zlib_yaml pson raw yaml; using pson
Debug: Using cached certificate for ca
Debug: Using cached certificate for radkam
Debug: Using cached certificate_revocation_list for ca
Info: Retrieving plugin
Debug: file_metadata supports formats: b64_zlib_yaml pson raw yaml; using
pson
Debug: Finishing transaction -615481918
The interpreter parameter to 'setcode' is deprecated and will be removed in
a future version.
*Error: Could not retrieve local fa...
2017 Sep 22
0
Restrict root clients / experimental patch
..."1.2.3.4.5.6.8" are used
> for uid and gid.
> I tried it with custom CA trusted by all bricks and I issued a few
> client certificates.
> No server configuration is needed when a new client is added; when a
> client is revoked a CRL
> <https://en.wikipedia.org/wiki/Certificate_revocation_list> must be updated
> and pushed to all servers.
> By the way I didn't get glusterfs servers to accept my CRLs, do some
> people use it?
>
> Notes:
> * groups are not handled right now and since users may change groups
> regularly I don't think it would be a great id...
2012 Oct 02
41
Puppet 3.0: Not authorized to call find on /file_metadata, more issues?
...acility = local4
> report = true
> listen = true
I ran puppet master in verbose mode and got these diagnostics:
Starting Puppet master version 3.0.0
Info: access[^/catalog/([^/]+)$]: allowing 'method' find
Info: access[^/catalog/([^/]+)$]: allowing $1 access
Info: access[/certificate_revocation_list/ca]: allowing 'method' find
Info: access[/certificate_revocation_list/ca]: allowing * access
Info: access[/report]: allowing 'method' save
Info: access[/report]: allowing * access
Info: access[/file]: allowing * access
Info: access[/certificate/ca]: adding authen...
2011 Oct 04
4
facter variables empty
Hi,
On my puppet node, there are many facter variables that are empty in
my manifests.
But they are not empty when I start "facter" on the node.
Why?
ex in a module:
class resolver {
if $::ipaddress6 {
...
}
$domainename = "$domain"
}
In this manifest, $domain and $ipaddress6 are empty.
In the facter command line, they are not empty.
2011 Dec 15
0
Using stored configs breaks on client update
...ing transaction 23577981555200
debug: Loaded state in 0.00 seconds
warning: Fact syncing is deprecated as of 0.25 -- use 'pluginsync'
instead
info: Retrieving fact
debug: Using cached certificate for ca
debug: Using cached certificate for puppet-client.ig.local
debug: Using cached certificate_revocation_list for ca
debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw
yaml; using pson
debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw
yaml; using pson
debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw
yaml; using pson
debug: file_metadata supports f...
2011 May 07
3
Cannot dry run puppet on the puppetmaster
For some reason I am unable to run "dry runs" of the puppet client on
my puppetmaster server. Running puppetd with the --test, --noop and
verbose / debug flags results in nothing for about a minute or two
then this output...
$ time puppetd --test --noop -v
err: Could not retrieve catalog from remote server: execution expired
warning: Not using cache on failed catalog
err: Could not
2010 Jul 01
1
Interesting "Bad Certificate" Problem
...27:05] client.domain.name - - [01/Jul/2010:13:27:05 PDT] "GET
/production/certificate/client.domain.name HTTP/1.1" 200 847
[2010-07-01 13:27:05] - -> /production/certificate/client.domain.name
[2010-07-01 13:27:05] client.domain.name - - [01/Jul/2010:13:27:05 PDT] "GET
/production/certificate_revocation_list/ca HTTP/1.1" 200 508
[2010-07-01 13:27:05] - -> /production/certificate_revocation_list/ca
[2010-07-01 13:27:05] ERROR OpenSSL::SSL::SSLError: sslv3 alert bad
certificate
/usr/lib/ruby/site_ruby/1.8/puppet/network/http/webrick.rb:44:in `accept'
/usr/lib/ruby/site_ruby/1.8/puppet/ne...
2010 Jun 08
4
Nginx/Mongrel Could not retrieve catalog from remote server: Error 403 on SERVER
...g: Using cached certificate for client, good until Sat Jun 06
07:57:22 UTC 2015
debug: Loaded state in 0.00 seconds
debug: Using cached certificate for ca, good until Sat Jun 06 06:20:50
UTC 2015
debug: Using cached certificate for client, good until Sat Jun 06
07:57:22 UTC 2015
debug: Using cached certificate_revocation_list for ca, good until
debug: catalog supports formats: b64_zlib_yaml marshal pson raw yaml;
using pson
err: Could not retrieve catalog from remote server: Error 403 on
SERVER: Forbidden request: client access to /catalog/client [find] at
line 0
warning: Not using cache on failed catalog
err: Could not...