On Tue, Feb 21, 2012 at 17:05, Russell Van Tassell <russel...@gmail.com> wrote:
> Just a couple of issues...
>
> On Tue, Feb 21, 2012 at 4:56 PM, Jon Davis <j...@snowulf.com> wrote:
>
>> I recently built, added to puppet and then nuked a server. Before I
>> re-added the machine (after I rebuilt it, with the same name), I went to
>> the puppet server and ran `puppet cert revoke dev-8.company.com` and
>> `puppet cert clean dev-8.company.com`. Now when puppet runs on ANY
>> server in my environment, they get the following error:
>>
>> info: Caching certificate for dev-8.company.com
>> *err: Could not retrieve catalog from remote server: SSL_connect
>> returned=1 errno=0 state=SSLv3 read server certificate B: certificate
>> verify failed. This is often because the time is out of sync on the server
>> or client*
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>> *err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3
>> read server certificate B: certificate verify failed. This is often
>> because the time is out of sync on the server or client*
>>
>>
>> Now I know for a fact that it isn't a time issue because the puppet
>> server is on NTP as are the clients. The new machine is also within 1-2
>> seconds of server time.
>>
>
> For "normal" NTP clients, this would imply that your time sync is off by a
> few factors (ie. your time differences should be mere fractions of seconds
> off between servers if your NTP setup is working correctly).
>

There isn't any time issue, just my typing `date` on one machine to the other. Everyone is running NTP; it's fine.

>> All of the clients are configured to run (via Cron) `/usr/sbin/puppetd
>> --onetime --no-daemonize --logdest syslog --server puppet.company.com`.
>> The server is named puppet-1.company.com but puppet. is a valid cname.
>> I've tried rebooting the puppet server, I've tried upgrading it, just
>> about anything I can think of.
>>
>
> If the reverse (IN-ADDR) of your puppet server is going to return
> puppet.company.com as its name, but you are connecting to foo.company.com,
> that's pretty much a textbook SSL error (ie. your SSL certificate doesn't
> match the name it's claiming to be). What happens if you delete the SSL
> cert on the client, and re-run the CSR by pointing at the real name of the
> server?
>

Well, unfortunately this worked until a few hours ago and I haven't changed anything in the DNS. There is actually no IN-ADDR record for this server. When I generated the SSL cert for puppet, I told it to use puppet.company.com (i.e. in puppet.conf it says certname=puppet.company.com).

I've deleted certs and re-run puppet on the client about a dozen times now. I've also made sure to revoke/clean on the server between each try.

> Hope that helps...
>
> Russell
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>

--
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai
<http://twitter.com/shakataganai>
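
The two causes raised in this thread, a certificate name that does not cover the host passed to `--server` and a validity-period problem, can both be checked locally against a copy of the master's certificate. This is an added example, not part of the original messages; it assumes OpenSSL 1.0.2 or later (for `-checkhost`), and the function names and the throwaway self-signed certificate are constructed for illustration.

```shell
#!/bin/sh
# Added example: function names are hypothetical; hostnames reuse the
# ones quoted in the thread (puppet.company.com, puppet-1.company.com).

# make_sample_cert DIR CN: create a constructed, throwaway self-signed
# certificate so the checks below can be exercised offline.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$2" -keyout "$1/key.pem" -out "$1/cert.pem" \
        >/dev/null 2>&1
}

# cert_matches_host FILE HOST: succeed only if HOST is covered by the
# certificate (subjectAltName DNS entries, or the CN when none exist).
# openssl exits 0 either way, so the printed verdict is what gets tested.
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>/dev/null |
        grep -q "does match certificate"
}

# cert_not_expired FILE: succeed if notAfter is still in the future
# according to the local clock (notBefore is not checked here).
cert_not_expired() {
    openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# check_master_cert FILE HOST: one-line summary of both checks.
check_master_cert() {
    if cert_matches_host "$1" "$2"; then name=ok; else name=MISMATCH; fi
    if cert_not_expired "$1"; then expiry=ok; else expiry=EXPIRED; fi
    echo "host=$2 name=$name expiry=$expiry"
}

# Stand-alone use: ./check.sh /path/to/master-cert.pem puppet.company.com
if [ $# -eq 2 ]; then
    check_master_cert "$1" "$2"
fi
```

A certificate issued with `certname=puppet.company.com` passes for that name and reports `MISMATCH` for `puppet-1.company.com`, so the name given to `--server` has to be one the certificate actually lists.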