On Tuesday, January 29, 2013 1:40:17 AM UTC-6, Rainer Bendig wrote: > > Hi, > > we are running several debian squeeze (64 bit, no backports) and a > puppetmaster (3.0.2). > > now i wanted to upgrade the agents from 3.0.1 to 3.0.2, and got stuck... > the "new" 3.0.2 agents don't connect to the master... 3.0.1 agents still > do... i run puppet master in debug mode, and didn't see any communications > between agent and master... "puppet" and "puppet.foo.bar" are both > resolving to the right puppet host, the machines are on the same subnet, > and did work under 3.0.1 ;( > > the error from the 3.0.2 agents is > > [...] > [certificate signature failure for /CN=puppet..foo.bar] Could not retrieve > file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 > state=SSLv3 read server certificate B: certificate verify failed: > [certificate signature failure for /CN=puppet.foo.bar] > [...] >
Look for differences in puppet.conf between broken and working clients. Especially make sure that the broken clients are pointed at the correct master. Also verify that the clients' and master's clocks are synchronized. If none of that reveals the problem, then probably the upgrades clobbered part of the clients' SSL configuration. I can't speak to how or why that happened, but to go forward you probably need to re-establish trust between clients and master. To do so on an affected client: 1. Shut down the Puppet agent 2. Revoke and remove the client certificate from the master, via "puppet ca" 3. Blow away the *client's* SSL directory, normally /var/lib/puppet/ssl 4. Restart the agent, possibly with the --waitforcert option turned on 5. Sign the client's new certificate request via "puppet ca" (on the master) John -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users?hl=en. For more options, visit https://groups.google.com/groups/opt_out.
