Hi,

Thanks for your quick reply.

> Try puppetd --test --waitforcert 15
>

I actually tried --waitforcert 480000! But it still hangs and ends up in a certificate timeout:

puppetd[2078]: Could not request certificate: Connection refused - connect(2)

> I think it's complaining about waitforcert because you need that flag to
> retrieve the cert from the server.
>
> But it would have been nice to see the actual command you used to produce
> that error. :)
>

puppet is running as a "regular" Red Hat service, so there is no "command" (well, there is, but I just let the service run).

I have nothing fancy in my [puppetd] configuration:

[puppetd]
    # The file in which puppetd stores a list of the classes
    # associated with the retrieved configuration.  Can be loaded in
    # the separate ``puppet`` executable using the ``--loadclasses``
    # option.
    # The default value is '$confdir/classes.txt'.
    classfile = $vardir/classes.txt

    # Where puppetd caches the local configuration.  An
    # extension indicating the cache format is added automatically.
    # The default value is '$confdir/localconfig'.
    localconfig = $vardir/localconfig

    server = puppetmaster.domain

> The number is the interval that the puppet client will pause between
> requests to the server for its cert and is a required parameter.
>

Ah, OK, so maybe having a big number here (--waitforcert 480000) is a bad idea...

> At that point, back on the server you should see what facter considers to
> be the fqdn of the requesting machine when you issue
>
> puppetca --list
>
> Then sign
>
> puppetca --sign host.domain.com
>
> I'd recommend turning off autosign on the puppet master as it's a security
> risk.
>

For now I need autosign, because I'm creating instances "on the fly", so I don't want to "manually" accept each one (but I'm aware of the security risk of this setup).

>
> Hope that is helpful.
>
> Sent from my iPhone
>
> On Mar 11, 2011, at 8:04 AM, Romain Pelisse <bela...@gmail.com> wrote:
>
> Hi,
>
> I'm using puppet on EC2 to set up my VMs with the following configuration:
>
> # puppetd --version
> 0.25.5
> # uname -a
> Linux hostname.domain 2.6.16-xenU #1 SMP Mon May 28 03:41:49 SAST 2007 i686
> i686 i386 GNU/Linux
>
> But I keep facing some timeout from puppetd:
>
> warning: peer certificate won't be verified in this SSL session
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> Puppetmaster is running on autosign, and I can see in the puppetmaster logs
> that the puppets are actually able to connect and request a certificate:
>
> info: Could not find certificate for 'hostname.domain'
>
> But nothing else seems to happen on the puppetmaster side and the puppetd
> finally times out.
>
> Did anybody run into this situation? Any idea on what could be
> triggering this?
>
> --
> Romain PELISSE,
> *"The trouble with having an open mind, of course, is that people will
> insist on coming along and trying to put things in it" -- Terry Pratchett*
> http://belaran.eu/wordpress/belaran
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

--
Romain PELISSE,
*"The trouble with having an open mind, of course, is that people will insist on coming along and trying to put things in it" -- Terry Pratchett*
http://belaran.eu/wordpress/belaran
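
A middle ground between autosign and signing every request by hand, as an added example that is not part of the original thread: sign only the pending requests whose certname is on a list of instances you launched yourself. The allowlist path, its one-FQDN-per-line format, and `puppetca --list` printing one certname per line are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. ALLOWLIST (hypothetical path) holds one
# expected FQDN per line, written by whatever launches the EC2 instances.
ALLOWLIST="${ALLOWLIST:-/etc/puppet/expected-hosts.txt}"

# Reads pending certnames on stdin (first field of each line) and prints only
# those that appear verbatim in the allowlist file given as $1.
select_signable() {
    allow="$1"
    while read -r name _rest; do
        [ -n "$name" ] || continue
        # Refuse anything that is not a plain hostname (globs, quotes, spaces).
        case "$name" in
            *[!A-Za-z0-9.-]*)
                echo "skip (bad name): $name" >&2
                continue ;;
        esac
        # -x whole line, -F fixed string: no regex or suffix matching.
        if grep -qxF -- "$name" "$allow"; then
            echo "$name"
        else
            echo "skip (not expected): $name" >&2
        fi
    done
}

# Sign each selected request with the commands quoted in the thread.
sign_expected() {
    puppetca --list | select_signable "$ALLOWLIST" | while read -r host; do
        puppetca --sign "$host"
    done
}

# Only touch the CA when asked to, e.g. from cron: sh sign-expected.sh --run
if [ "${1:-}" = "--run" ]; then
    sign_expected
fi
```

Rejected names go to stderr, so a cron mail or log line shows every request that asked for a certificate without being on the list.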