Hi John, I've already run through those steps, and everything is communicating as expected.

Thank you,
Rog

On Tuesday, November 18, 2014 9:37:16 AM UTC-5, jcbollinger wrote:
>
> On Monday, November 17, 2014 10:26:41 PM UTC-6, Roger Sherman wrote:
>>
>> I'm in the process of setting up a staging environment for the company I work for. To do this, we've cloned our production environment (vmware), changed the hostnames of the nodes, re-IP'd the nodes, and since that point, I've been trying to get the environment to the point where I can do puppet runs. This is proving difficult, because of a couple SSL issues that have arisen.
>>
>> We are using Puppet 2.7 on Debian 6 (one of the plans for the staging environment in the first quarter of next year is going to be testing a lot of upgrades). Right now, I'm just focusing on two nodes - the puppet master and a client node, simply trying to get a successful run done on the client node. For that matter, a successful --noop run. What happens now is the following:
>>
>> # puppet agent -tv --noop
>>
>> err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> I can ping the puppet master successfully, there is no issue with node to node connectivity. Some googling suggested that time sync could be an issue, and initially it was, but they're synced up now, to no effect. I've of course blown out the certs on the client, since there was a hostname change.
>>
>
> Check the client's puppet.conf to see by what name the client is trying to contact the server (parameter 'server'). If no server is specified then the default is 'puppet'. Ensure that the server name the client is using resolves to the master you want it to contact, and that the puppetmaster process is in fact running on that machine. Also check the master's firewall settings, which conceivably are incorrect for the cloned environment.
>
> John
>
>> I actually just tried doing a --noop run on the puppet master itself, just to see what would happen. I didn't expect it to be successful...due to the way it's set up (long story short, I inherited this system, and would not have set it up this way), I've never been able to do a successful puppet run on it. This time, though, not only wasn't successful, but I'm getting similar SSL errors:
>>
>> ...
>>
>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> ...
>>
>> err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> ...
>>
>> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> ...
>>
>> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>
>> with a bunch of ruby noise in between each error.
>>
>> I have blown out all the certs on the puppet master, and regenerated, as detailed in step 1:
>>
>> https://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html
>>
>> For a brief, shining moment, I thought that was going to do the job, but then it didn't generate a couple certs that apache needed to restart, and when I tried to generate them manually, puppet failed to sign them.
>>
>> Any thoughts on where to begin? I'll be happy to provide any more information deemed necessary. I'm at the point where I'm just going to start making changes to nodes in the environment manually...honestly, I'm hoping I don't have to do that, so very much hoping someone here can help me through this.
>>
>> Thanks very much in advance,
>>
>> Rog
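
The checks suggested in John's reply (which server name the agent will use, what that name resolves to, and whether the master is reachable), as an added example that is not part of the original thread. Port 8140 is Puppet's default master port and is assumed here; the sample puppet.conf and its host names are constructed, and the last stage attempts a TLS handshake because the error in the thread is raised during SSL_connect.

```python
import socket
import ssl
import sys

DEFAULT_SERVER = "puppet"  # agent default when puppet.conf sets no 'server'
DEFAULT_PORT = 8140        # assumption: master listens on Puppet's default port

SAMPLE_CONF = """\
[main]
  server = puppet.example.test
[agent]
  server = puppet-staging.example.test
"""  # constructed sample; both host names are placeholders

def agent_server(conf_text):
    """Name the agent will contact: [agent] overrides [main], else the default."""
    section, found = "main", {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif "=" in line and line.partition("=")[0].strip() == "server":
            found[section] = line.partition("=")[2].strip()
    return found.get("agent") or found.get("main") or DEFAULT_SERVER

def check_master(server, port=DEFAULT_PORT, timeout=5):
    """Return (stage, detail): the first failing stage (dns/tcp/tls) or 'ok'."""
    try:
        infos = socket.getaddrinfo(server, port, proto=socket.IPPROTO_TCP)
    except socket.gaierror as exc:
        return "dns", str(exc)
    addrs = sorted({info[4][0] for info in infos})  # compare with the intended master
    try:
        sock = socket.create_connection((server, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"{addrs}: {exc}"  # no listener, or a firewall in the way
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # probe only: asks "is this TLS?", sends no data
    try:
        with ctx.wrap_socket(sock) as tls:
            return "ok", f"{addrs}: {tls.version()}"
    except (ssl.SSLError, OSError) as exc:
        return "tls", f"{addrs}: {exc}"  # listener did not complete a handshake

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    name = agent_server(conf)
    print(name, *check_master(name))
```

Run it on the client with the path to its puppet.conf as the only argument; in a cloned environment the resolved addresses in the output are worth comparing against the staging master's new IP.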
