Hi, I'm trying to layer out PE3 as follows:

1) Puppet console / Active CA (autosigning)
2) Puppet Master (non-CA)
3) PuppetDB
4) Puppet Client - for testing
5) HAProxy presenting the puppet service address, forwarding 443 to the console, and 8140 to the PM.

(Let's not worry about MCollective yet)

The PM and PuppetDB both had their certs signed against the Console / CA, and both can do a puppet agent -t

I've set up the SSL proxying on the PM1 as follows:

#############
# Enable SSLProxyEngine for proxying SSL connections
SSLProxyEngine On
# Disable PassengerHighPerformance because of proxy_http -%>
PassengerHighPerformance Off
# Add the mod_proxy redirect -%>
ProxyPassMatch ^/([^/]+/certificate.*)$ https://puppetcon.puppetlabs.net:8140/$1
# ProxyPassReverse ^/([^/]+/certificate.*)$ https://puppetcon.puppetlabs.net:8140/$1
#############

When I initially run puppet agent -t on the client, the CSR is generated, and signed on the CA.

There are errors on all subsequent runs from the client:

[root@puppetclient puppet]# /opt/puppet/bin/puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: Error 400 on SERVER: Could not retrieve facts for puppetclient.puppetlabs.net: Failed to find facts from PuppetDB at puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Info: Retrieving plugin
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
( snip)
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/custom_auth_conf.rb
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/concat_basedir.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for puppetclient.puppetlabs.net to PuppetDB at puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run

The error appears to be an SSL issue associated with talking to PuppetDB as
per the following entry in the puppetdb.log file.

[io.nio] javax.net.ssl.SSLHandshakeException: null cert chain

My java/jre stuff currently installed is as follows;

root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep jre
rc openjdk-6-jre-headless 6b27-1.12.6-1ubuntu0.12.04.2 OpenJDK Java runtime, using Hotspot JIT (headless)
rc openjdk-7-jre-headless 7u25-2.3.10-1ubuntu0.12.04.2 OpenJDK Java runtime, using Hotspot JIT (headless)
root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep java
rc ca-certificates-java 20110912ubuntu6 Common CA certificates (JKS keystore)
ii java-common 0.43ubuntu2 Base of all Java packages
ii pe-java 1.7.0.19-1puppet1 OpenJDK Development Kit (JDK)
ii tzdata-java 2012e-0ubuntu0.12.04.1 time zone and daylight-saving time data for use by java runtimes
root@puppetdb:/var/log/pe-puppetdb#

JAVA_HOME, or any of this sort of variable is not set in my env.

I did see this one which talks about the issue, but no resolutions?
https://groups.google.com/forum/#!msg/puppet-users/iD3gYQPDH2Q/zhASUzRhK7EJ

Any assistance would be greatly appreciated!

Regs,
Stephen