Hi,
I'm trying to layer out PE3 as follows;
1) Puppet console / Active CA (autosigning)
2) Puppet Master (non-CA)
3) PuppetDB
4) Puppet Client - for testing
5) HAProxy presenting the puppet service address, forwarding 443 to the
console, and 8140 to the PM. (Let's not worry about MCollective yet)
The PM and PuppetDB both had their certs signed against the Console / CA,
and both can do a puppet agent -t
I've setup the SSL proxying on the PM1 as follows;
#############
# Enable SSLProxyEngine for proxying SSL connections
SSLProxyEngine On
# Disable PassengerHighPerformance because of proxy_http -%>
PassengerHighPerformance Off
# Add the mod_proxy redirect -%>
ProxyPassMatch ^/([^/]+/certificate.*)$
https://puppetcon.puppetlabs.net:8140/$1
# ProxyPassReverse ^/([^/]+/certificate.*)$
https://puppetcon.puppetlabs.net:8140/$1
#############
When I initially run puppet agent -t on the client, the CSR is generated,
and signed on the CA. There are errors all subsequent runs from the client;
[root@puppetclient puppet]# /opt/puppet/bin/puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will
continue:
Warning: Error 400 on SERVER: Could not retrieve facts for
puppetclient.puppetlabs.net: Failed to find facts from PuppetDB at
puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5 errno=0
state=SSLv3 read finished A
Info: Retrieving plugin
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/puppet_vardir.rb
( snip)
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/custom_auth_conf.rb
Info: Loading facts in /var/opt/lib/pe-puppet/lib/facter/concat_basedir.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER:
Failed to submit 'replace facts' command for puppetclient.puppetlabs.net to
PuppetDB at puppetdb.puppetlabs.net:8081: SSL_connect SYSCALL returned=5
errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
The error appears to be an SSL issue associated with talking to PuppetDB as
per the following entry in the puppetdb.log file.
[io.nio] javax.net.ssl.SSLHandshakeException: null cert chain
My java/jre stuff currently installed is as follows;
root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep jre
rc openjdk-6-jre-headless 6b27-1.12.6-1ubuntu0.12.04.2 OpenJDK
Java runtime, using Hotspot JIT (headless)
rc openjdk-7-jre-headless 7u25-2.3.10-1ubuntu0.12.04.2 OpenJDK
Java runtime, using Hotspot JIT (headless)
root@puppetdb:/var/log/pe-puppetdb# dpkg -l|grep java
rc ca-certificates-java 20110912ubuntu6 Common
CA certificates (JKS keystore)
ii java-common 0.43ubuntu2 Base of
all Java packages
ii pe-java 1.7.0.19-1puppet1 OpenJDK
Development Kit (JDK)
ii tzdata-java 2012e-0ubuntu0.12.04.1 time
zone and daylight-saving time data for use by java runtimes
root@puppetdb:/var/log/pe-puppetdb#
JAVA_HOME, or any of this sort of variable is not set in my env.
I did see this one which talks about the issue, but no resolutions?
https://groups.google.com/forum/#!msg/puppet-users/iD3gYQPDH2Q/zhASUzRhK7EJ
Any assistance would be greatly appreciated!
Regs,
Stephen
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.
