I'm not sure if I'm correct but what I understood after spending a few
hours on it:

Let's suppose you have:

certname: puppet.example.com

puppet_ca.example.com
puppet_worker1.example.com
puppet_worker2.example.com
puppetdb1.example.com

Your PuppetDB registered with your CA using the certname puppet.example.com,
but your puppet workers only have their own certnames (
puppet_worker1.example.com and puppet_worker2.example.com). When they talk
with PuppetDB to fetch/replace the facts, PuppetDB doesn't accept their
certificates because it was registered to the certname puppet.example.com.

Copying the puppet.example.com certificate from the CA to the workers makes them
use it when responding to a puppet run under that certname.

Felipe

On Fri, Nov 30, 2012 at 12:09 PM, Kalyana sundaram <kalyan...@gmail.com> wrote:

> Thanks Felipe
> Syncing certs and private keys with ca_server worked
> But could somebody help me understand why each master should have the CA
> server's private key?
> How exactly does this authentication process work?
>
> On Thursday, November 29, 2012 11:55:08 PM UTC+5:30, Felipe Salum wrote:
>>
>> I had the same setup issue.
>>
>> Go to your CA server and copy the puppet master unique certname .pem
>> from /var/lib/puppet/ssl/{certs,private_key/ to both your puppet
>> master workers and restart apache.
>>
>> Also make sure to follow this:
>> http://docs.puppetlabs.com/guides/scaling_multiple_masters.html
>>
>> The dns_alt_names part is very important:
>>
>>  $ sudo puppet agent --test --dns_alt_names "master2.example.com,puppet,puppet.example.com"
>>
>>
>> I hope it helps, I spent a few hours until I got it figured out :)
>>
>> Regards,
>> Felipe
>>
>>  --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/dleFJ_6wh-EJ.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
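
Added example (not part of the original thread): a POSIX shell check, using openssl, that lists which of the names agents connect with are not covered by a master's certificate, which is what the dns_alt_names step quoted above addresses. The two certificates are self-signed and constructed for the demo, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example: report required names that a certificate does NOT cover.
# `openssl x509 -checkhost` matches a name against the subjectAltName DNS
# entries, falling back to the subject CN only when no DNS entries exist.

# missing_names CERT_PEM NAME...  -> prints each uncovered name, one per line
missing_names() {
    cert=$1; shift
    for name in "$@"; do
        if ! openssl x509 -in "$cert" -noout -checkhost "$name" 2>/dev/null \
                | grep -q "does match certificate"; then
            printf '%s\n' "$name"
        fi
    done
}

# make_demo_cert OUT_PEM CN [SAN_SPEC]  -> constructed self-signed cert (demo only)
make_demo_cert() {
    if [ -n "${3:-}" ]; then
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1" -addext "subjectAltName=$3" 2>/dev/null
    else
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
            -keyout "$1.key" -out "$1" 2>/dev/null
    fi
}

demo() {
    dir=$(mktemp -d)
    # Names taken from the --dns_alt_names command quoted in the thread.
    names="master2.example.com puppet puppet.example.com"
    make_demo_cert "$dir/with_alt.pem" master2.example.com \
        "DNS:master2.example.com,DNS:puppet,DNS:puppet.example.com"
    make_demo_cert "$dir/no_alt.pem" master2.example.com
    # $names is deliberately unquoted so it splits into one argument per name.
    echo "with alt names, missing:    $(missing_names "$dir/with_alt.pem" $names | tr '\n' ' ')"
    echo "without alt names, missing: $(missing_names "$dir/no_alt.pem" $names | tr '\n' ' ')"
    rm -rf "$dir"
}

demo
```

On a master, missing_names can be pointed at that master's own certificate under the /var/lib/puppet/ssl/certs directory mentioned in the thread, with the names agents actually use as arguments.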
