I think this should be put somewhere in a wiki or the docs.

/me referencing this email for future

Best, Nikola

On Fri, Feb 08, 2013 at 03:58:22PM -0800, Nick Fagerlund wrote:
> If a brand new never-seen-before agent starts up, it goes like this:
> 
> * Do I have a private key? Nope? Better generate one.
> * Okay, do I have a certificate? Nope? See if the master already has one for me. This looks like a GET request to /certificate/<node name>.
>   * If it gets one, it's good to go.
> * Master didn't give me a cert. Okay, have I submitted a certificate signing request before? Look in $ssldir/certificate_requests for my own name.
>   * If there's one there, it bails and waits, assuming it's waiting for the master to sign that thing.
> * Okay, there's nothing there, but maybe I developed amnesia. Better ask the master if I've asked for one. This looks like a GET request to /certificate_request/<node name>.
>   * If the master says it's already asked, it will just bail and say "I'm still waiting for that."
> * Okay, I never even asked for a cert, it looks like. Well, time to ask for one. This looks like a PUT request to /certificate_request/<node name>.
>   * Now if autosign is turned on, it can GET /certificate/<node name> and continue; otherwise it'll bail and go through this whole process again next time, in which case it says "yes I have a private key, no I don't have a cert" and gets to work on the second step above.
> 
> What I'm seeing in that snippet from your log is that it seems to think it 
> has submitted a certificate request before. I just tested with my own 
> machines, and it looks like if your agent still has a 
> $ssldir/certificate_requests/name.pem file sitting around (and crucially, 
> it doesn't automatically destroy these when it gets a cert, so if it used 
> to have a cert and you didn't nuke the whole SSLdir, it's probably there), 
> it asks for a cert but doesn't ask the master if it's ever asked for a 
> cert. 
> 
> So check that certificate_requests dir and nuke it if there's anything 
> there, then get back to us?
> 
> On Wednesday, February 6, 2013 10:23:28 AM UTC-8, Bret Wortman wrote:
> >
> > My test node doesn't have its certs either.
> >
> > I've now started puppetmaster in verbose mode:
> >
> > # puppet master --no-daemonize --verbose
> > :
> > :
> > :
> > Info: Could not find certificate for 'nodename.my.net'
> > Info: Could not find certificate for 'nodename.my.net'
> > Info: Could not find certificate for 'nodename.my.net'
> >
> > This will repeat three times whenever I try to connect. For another node 
> > that tried to connect while I was testing, I get something more sinister:
> >
> > Warning: Denying access: Forbidden request: othernode.my.net(10.0.0.1) 
> > access to /file_metadata/plugins [search] at :99
> > Error: Forbidden request: othernode.my.net(10.0.0.1) access to 
> > /file_metadata/plugins [search] at :99
> > Info: access[/]: defaulting to no access for othernode.my.net
> >
> > Also repeating four times; one [search], two [find]s and a [save].
> >
> >
> > On Wednesday, February 6, 2013 1:18:52 PM UTC-5, Wolf Noble wrote:
> >>
> >> Did you try removing the cert from a node and seeing if that changes the 
> >> behavior? You removed the certs from the master, but the node still thinks 
> >> it has a valid cert, maybe? 
> >>
> >
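The startup sequence Nick describes, together with the stale-CSR trap he found, is easy to lose track of when reading a log. The following is an added example, not code from the thread or from the Puppet project: it replays the agent's decision list against a constructed in-memory stand-in for the master (`FakeMaster`, whose `sign`/`clean` methods model what the operator does on the master) and a temporary `$ssldir`, and then reproduces the exact situation from the log, where a node that once had a cert keeps its old `certificate_requests/<name>.pem` after the master's copy is cleaned. The node name `nodename.my.net` is taken from the log above; every file content and return symbol is a placeholder chosen for this example.

```ruby
require 'tmpdir'
require 'fileutils'

# Constructed stand-in for the master's certificate endpoints. Real puppet
# speaks HTTPS and stores PEM files; here the "certificates" are just strings.
class FakeMaster
  attr_reader :log

  def initialize(autosign: false)
    @certs = {}       # signed certificates, keyed by node name
    @requests = {}    # pending CSRs, keyed by node name
    @autosign = autosign
    @log = []         # every request the agent made, in order
  end

  def get_certificate(name)               # GET /certificate/<node name>
    @log << "GET /certificate/#{name}"
    @certs[name]
  end

  def get_certificate_request(name)       # GET /certificate_request/<node name>
    @log << "GET /certificate_request/#{name}"
    @requests[name]
  end

  def put_certificate_request(name, csr)  # PUT /certificate_request/<node name>
    @log << "PUT /certificate_request/#{name}"
    @requests[name] = csr
    sign(name) if @autosign
  end

  def sign(name)   # models `puppet cert sign <node name>` on the master
    csr = @requests.delete(name)
    @certs[name] = "CERT(#{csr})" if csr
  end

  def clean(name)  # models `puppet cert clean <node name>` on the master
    @certs.delete(name)
    @requests.delete(name)
  end
end

# One agent start-up, following the decision list from the thread.
# Returns a symbol naming where the agent stopped.
def agent_bootstrap(ssldir, name, master)
  key  = File.join(ssldir, 'private_keys', "#{name}.pem")
  cert = File.join(ssldir, 'certs', "#{name}.pem")
  csr  = File.join(ssldir, 'certificate_requests', "#{name}.pem")

  # 1. Private key: generate one if missing.
  unless File.exist?(key)
    FileUtils.mkdir_p(File.dirname(key))
    File.write(key, "KEY(#{name})")
  end
  return :have_cert if File.exist?(cert)

  # 2. Ask the master whether it already holds a signed cert for us.
  if (signed = master.get_certificate(name))
    FileUtils.mkdir_p(File.dirname(cert))
    File.write(cert, signed)
    return :downloaded_cert
  end

  # 3. A CSR left in $ssldir/certificate_requests stops the agent here; it
  #    never asks the master anything else (the stale-CSR case in the thread).
  return :waiting_on_local_csr if File.exist?(csr)

  # 4. Maybe we asked before and forgot: check with the master.
  return :waiting_on_master_csr if master.get_certificate_request(name)

  # 5. Never asked: submit a CSR, then see whether autosign produced a cert.
  request = "CSR(#{File.read(key)})"
  FileUtils.mkdir_p(File.dirname(csr))
  File.write(csr, request)
  master.put_certificate_request(name, request)
  if (signed = master.get_certificate(name))
    FileUtils.mkdir_p(File.dirname(cert))
    File.write(cert, signed)
    return :autosigned
  end
  :waiting_after_submitting_csr
end

# Replays the thread: the node once had a cert, the master's copy was
# cleaned, and the local certificate_requests dir was left in place.
def stale_csr_scenario(name = 'nodename.my.net')
  Dir.mktmpdir do |ssldir|
    master = FakeMaster.new
    steps = []
    steps << agent_bootstrap(ssldir, name, master)  # first run: submits a CSR
    master.sign(name)
    steps << agent_bootstrap(ssldir, name, master)  # picks up the signed cert
    master.clean(name)                              # certs removed on the master
    FileUtils.rm_f(File.join(ssldir, 'certs', "#{name}.pem"))
    steps << agent_bootstrap(ssldir, name, master)  # stuck on the stale CSR
    puts_before = master.log.count { |l| l.start_with?('PUT') }
    FileUtils.rm_rf(File.join(ssldir, 'certificate_requests'))
    steps << agent_bootstrap(ssldir, name, master)  # submits a fresh CSR
    puts_after = master.log.count { |l| l.start_with?('PUT') }
    { steps: steps, csrs_before_nuke: puts_before, csrs_after_nuke: puts_after }
  end
end

puts stale_csr_scenario.inspect if $PROGRAM_NAME == __FILE__
```

Run it and the third start-up reports `:waiting_on_local_csr` while the master's request log shows no new `PUT`; only after `certificate_requests` is removed does the fourth run submit a CSR again, which is the behaviour Nick asks the original poster to check for.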

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.