To your specific issue, it looks like your agent's CA cert doesn't match the 
issuer of the new puppetmaster's CA cert ("unable to get local issuer 
certificate"). If I recall correctly, an agent without a CA cert will download 
one from the puppetmaster the first time and thereafter check it. You might 
check the cert chains to see what's going on, or if you downloaded the CA cert 
at all.

Otherwise I noticed this bit:

# rpm -rf /var/lib/puppet/ssl /etc/puppet/ssl /etc/puppetlabs/puppet/ssl
# ssh puppet puppet cert list host.internal.net
Error: Could not find a certificate for host.internal.net

Is it supposed to say rpm not rm? I presume it's just the logging which is 
removing the quotes too.

Rhubarbing more generally, I had some success syncing the ssl directory during 
our own 3->4 update. I never found a reason to use a new cert for the same host 
when I already had one.

file { '/etc/puppetlabs/puppet/ssl':
  ensure       => directory,
  backup       => false,
  recurse      => true,
  recurselimit => 99,
  require      => Package[$package],
  source       => '/var/lib/puppet/ssl',
}

The catalog with that class was only a during-update thing, of course.

if versioncmp($::puppetversion, '4.0.0') >= 0 {
  include "role::${::stype}"
}
else {
  include ::puppet_upgrade
}

Otherwise you could:

rsync -a --delete /var/lib/puppet/ssl /etc/puppetlabs/puppet/

On Tue, Jun 14, 2016 at 06:39:13AM -0700, Bret Wortman wrote:
>    So I'm trying to use Ansible to automate the process of re-enrolling all
>    my systems after the upgrade from 3.8.6 to 4.3, and many (though not all)
>    of my clients are reporting thusly:
>    # rpm -rf /var/lib/puppet/ssl /etc/puppet/ssl /etc/puppetlabs/puppet/ssl
>    # ssh puppet puppet cert list host.internal.net
>    Error: Could not find a certificate for host.internal.net
>    # puppet agent -t --noop
>    Info: Creating a new SSL key for host.internal.net
>    Info: Caching certificate for ca
>    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
>    Info: Creating a new SSL certificate request for host.internal.net
>    Info: Certificate Request fingerprint (SHA256): 75:6A:17:...
>    Info: Caching certificate for host.internal.net
>    Error: Could not request certificate: SSL_connect returned=1 errno=0
>    state=SSLv3 read server certificate B: certificate verify failed: [unable
>    to get local issuer certificate for /CN=puppet.internal.net]
>    Exiting: failed to retrieve certificate and waitforcert is disabled
>    # ssh root@puppet puppet cert list -a | grep host.internal.net
>    + "host.internal.net" (SHA256) 42:AF:68:...
>    # puppet agent --version
>    3.8.6
>    #
>    I'm having success on other 3.8.6 clients and others as far back as 3.8.1.
>    What's going on here that I'm not understanding?
> 
>    --
>    You received this message because you are subscribed to the Google Groups
>    "Puppet Users" group.
>    To unsubscribe from this group and stop receiving emails from it, send an
>    email to [1]puppet-users+unsubscr...@googlegroups.com.
>    To view this discussion on the web visit
>    
> [2]https://groups.google.com/d/msgid/puppet-users/6717bc33-381d-4890-90c0-a9be684dc9e5%40googlegroups.com.
>    For more options, visit [3]https://groups.google.com/d/optout.

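An added example, not from this thread, of the cert-chain check suggested above: it builds two throwaway CAs with openssl and shows that a server cert issued by the new master's CA does not verify against a stale cached ca.pem, which is exactly the agent's "unable to get local issuer certificate" failure. It assumes openssl(1) is installed; every path and CN below is constructed and nothing touches a real ssldir.

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the agent-side chain check
# with throwaway certs in a temp dir; names only mimic a Puppet ssldir.
# Assumes openssl(1) is on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Make a self-signed CA: $1 = output prefix, $2 = CN
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=$2" -keyout "$1.key" -out "$1.pem" >/dev/null 2>&1
}

# Issue a host cert signed by a CA: $1 = CA prefix, $2 = host prefix, $3 = CN
issue_cert() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$3" \
    -keyout "$2.key" -out "$2.csr" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
    -CAcreateserial -days 1 -out "$2.pem" >/dev/null 2>&1
}

# The check to run on a failing agent: does the cached CA cert ($1, the
# agent's certs/ca.pem) actually sign the cert the master presents ($2)?
# Returns 0 when the chain verifies, non-zero otherwise.
chain_ok() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# SHA256 fingerprint of a cert: compare agent ca.pem against master ca.pem.
fingerprint() {
  openssl x509 -noout -fingerprint -sha256 -in "$1" | cut -d= -f2
}

make_ca "$WORK/old_ca" "Puppet CA: old master"   # CA the 3.x agent cached
make_ca "$WORK/new_ca" "Puppet CA: new master"   # CA the rebuilt 4.x master made
issue_cert "$WORK/new_ca" "$WORK/server" "puppet.internal.net"

if chain_ok "$WORK/old_ca.pem" "$WORK/server.pem"; then
  echo "stale ca.pem verifies the server cert (unexpected)"
else
  echo "stale ca.pem: verify failed; same root cause as the agent error"
  echo "agent CA:  $(fingerprint "$WORK/old_ca.pem")"
  echo "master CA: $(fingerprint "$WORK/new_ca.pem")"
fi
```

On a real agent, point chain_ok at the file `puppet config print localcacert` reports and at the master's ca.pem, and compare the two fingerprints before deciding whether to wipe the ssldir or sync the old one.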