Re: [Puppet Users] puppetmaster + heartbeat + mon

2014-02-07 Thread vassiliy vins
Thnx, Felix
I'll try today


On 7 February 2014 02:40, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

 Hi,

 good thinking, but the CA certificate is not used when accepting SSL
 connections (or it shouldn't be, as far as I'm concerned).

 You can determine the certificate that is presented using

 openssl s_client -connect puppetserver.ops.ss:8445 (assuming that is
 your masterport).

 You may need to share the server cert among your masters, not only the
 CA cert.

 HTH,
 Felix

 On 01/27/2014 06:59 PM, Vassiliy Vins wrote:
  # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem   on the
  secondary puppetmaster
  gives CN=Puppet CA: puppetserver.ops.ss

 --
 You received this message because you are subscribed to a topic in the
 Google Groups Puppet Users group.
 To unsubscribe from this topic, visit
 https://groups.google.com/d/topic/puppet-users/WpkKz80Jxn4/unsubscribe.
 To unsubscribe from this group and all its topics, send an email to
 puppet-users+unsubscr...@googlegroups.com.
 To view this discussion on the web visit
 https://groups.google.com/d/msgid/puppet-users/52F4AA08.8010503%40alumni.tu-berlin.de
 .
 For more options, visit https://groups.google.com/groups/opt_out.


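Felix's s_client check and the "did not match server certificate" error, as an added example that is not part of the thread: the script builds two constructed certificates named after the thread's hosts and re-implements the agent-side name comparison offline. It assumes OpenSSL 1.1.1 or newer (for -addext and -ext); the dns_alt_names reference is a Puppet setting the thread itself does not mention.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the agent-side check
# behind "Server hostname ... did not match server certificate" against
# constructed certificates, so it runs offline. Assumes OpenSSL >= 1.1.1
# (for -addext and -ext); the hostnames are the ones from the thread.
set -e
WORK=$(mktemp -d)

# Constructed cert 1: what the secondary master in the thread presents,
# issued for its own hostname only.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=puppetslave" \
  -keyout "$WORK/slave.key" -out "$WORK/slave.pem" >/dev/null 2>&1

# Constructed cert 2: a server cert that also carries the shared service
# name as a SAN, which is what Puppet's dns_alt_names setting produces.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=puppetslave" \
  -addext "subjectAltName=DNS:puppetslave,DNS:puppetserver.ops.ss" \
  -keyout "$WORK/shared.key" -out "$WORK/shared.pem" >/dev/null 2>&1

# cert_names FILE: print every DNS name the certificate is valid for,
# the subject CN first, then each DNS entry of subjectAltName.
cert_names() {
  openssl x509 -noout -subject -nameopt RFC2253 -in "$1" \
    | sed -n 's/^subject=.*CN=\([^,]*\).*/\1/p'
  openssl x509 -noout -ext subjectAltName -in "$1" 2>/dev/null \
    | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# matches_host FILE HOST: succeed only if HOST is one of the cert's names
# (exact match; wildcard names are not handled here).
matches_host() {
  cert_names "$1" | grep -qx -- "$2"
}

# presented_cert HOST:PORT: dump the PEM a live server hands out, the
# s_client check Felix suggests (needs network; not used in the demo below).
presented_cert() {
  openssl s_client -connect "$1" -servername "${1%%:*}" </dev/null 2>/dev/null \
    | sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p'
}

# Demo: the agent asks for puppetserver.ops.ss (the redundant IP's name).
for f in slave shared; do
  if matches_host "$WORK/$f.pem" puppetserver.ops.ss; then
    echo "$f.pem: puppetserver.ops.ss accepted"
  else
    echo "$f.pem: mismatch, names are: $(cert_names "$WORK/$f.pem" | tr '\n' ' ')"
  fi
done
```

Run it as-is to see the first certificate rejected and the second accepted; point presented_cert at a live master:port to compare what it actually serves.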


[Puppet Users] Re: CA puppetmaster

2014-01-31 Thread Vassiliy Vins
So, I have to copy the ca/ directory from the primary puppetmaster to the
secondary one? Right?

I did, with no success; the same message: Server hostname 'puppetserver' did
not match server certificate; expected puppetslave
I can formulate my question in other words: why does the client expect
puppetslave, where does it take this host name from?
Maybe I need to put a cert_name line on my secondary puppetmaster?



On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:



 On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:

 Hi!

 I have 2 puppetmasters in a High Availability configuration.

 If the first is dead, the second starts.

 Could you tell me which file from $ssl_dir of the primary I should copy to
 the secondary puppetmaster so that clients recognize it as the primary one?

 Should I make any amendments inside the files?

 Thank you


 The cert material is in /var/lib/puppet/ssl/ca, you would need the 

 $SSL_dir/ca/private/ca.pass
 $SSL_dir/ca/ca*.pem

 I think this might work better if you have a floating virtual IP address 
 that switches between the two puppet servers. You will need to keep the 
 entire $SSL_dir, and all the manifest dirs synced, so when your second 
 machine comes up, it has all the latest signed certs, content etc. You can 
 use DRBD for the entire partition, or csync for selected dirs to achieve
 this ...

 But given puppet only implements changes to files ... is it really so 
 critical that it requires a HA solution of this complexity ? I kind of have 
 my doubts. If puppet goes offline for 30mins while you restore a vm image, 
 most of the clients will error once, and then resume working the next time 
 they check in.

 Andrew





Re: [Puppet Users] Re: CA puppetmaster

2014-01-31 Thread vassiliy vins
Yes, I did, because I copied the whole ca/ directory from my primary. And the
private/ folder is inside ca/.

What I discovered right now: the client gets the secondary puppetmaster's name and
compares it with the name in the certificate.
If they do not match each other, it does not accept the certificate.


On 31 January 2014 13:33, José Luis Ledesma joseluis.lede...@gmail.com wrote:

 I don't have experience with CA in HA, but I think you should also copy the CA
 private keys.
 On 31/01/2014 21:19, Vassiliy Vins vassiliy.v...@gmail.com wrote:

 So, I have to copy the ca/ directory from the primary puppetmaster to the
 secondary one? Right?

 I did, with no success; the same message: Server hostname 'puppetserver' did
 not match server certificate; expected puppetslave
 I can formulate my question in other words: why does the client expect
 puppetslave, where does it take this host name from?
 Maybe I need to put a cert_name line on my secondary puppetmaster?



 On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:



 On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:

 Hi!

 I have 2 puppetmasters in a High Availability configuration.

 If the first is dead, the second starts.

 Could you tell me which file from $ssl_dir of the primary I should copy
 to the secondary puppetmaster so that clients recognize it as the primary one?

 Should I make any amendments inside the files?

 Thank you


 The cert material is in /var/lib/puppet/ssl/ca, you would need the

 $SSL_dir/ca/private/ca.pass
 $SSL_dir/ca/ca*.pem

 I think this might work better if you have a floating virtual IP address
 that switches between the two puppet servers. You will need to keep the
 entire $SSL_dir, and all the manifest dirs synced, so when your second
 machine comes up, it has all the latest signed certs, content etc. You can
 use DRBD for the entire partition, or csync for selected dirs to achieve
 this ...

 But given puppet only implements changes to files ... is it really so
 critical that it requires a HA solution of this complexity ? I kind of have
 my doubts. If puppet goes offline for 30mins while you restore a vm image,
 most of the clients will error once, and then resume working the next time
 they check in.

 Andrew





[Puppet Users] Re: puppet ERROR 400

2014-01-30 Thread Vassiliy Vins
Solved, thank you.

On Wednesday, January 15, 2014 2:15:00 PM UTC-7, Vassiliy Vins wrote:

 Hi!

 I've created 2 files:

 file *test.pp* with code:

 class copy {
   file { 'testfile':
     path   => '/home/vassiliy/myfile',
     source => 'puppet:///mpoint/client1/testfile',
     mode   => '644',
   }
 }

 and file site.pp with code:

 import 'test.pp'

 node 'client1' {
   include copy
 }

 in fileserver.conf a section like this was created:

 [mpoint]
   path /etc/puppet/files
   allow *

 file *testfile* is in folder /etc/puppet/files/client1/

 I got the following in /var/log/messages on client1:

 ERROR 400 on SERVER: Not authorized to call find on
 /file_metadata/client1/testfile with {:links => manage}

 Any ideas why? Where to look? thnx




Re: [Puppet Users] Re: CA puppetmaster

2014-01-29 Thread vassiliy vins
Thank you, Andrew!
I'll try tomorrow.
In the High Availability setup I have a floating IP (better to say a redundant IP).
I don't think that we need HA for puppet, but my boss insists on it.
Regards,
Vassiliy


On 29 January 2014 21:37, Andrew andrewgray1...@gmail.com wrote:



 On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:

 Hi!

 I have 2 puppetmasters in a High Availability configuration.

 If the first is dead, the second starts.

 Could you tell me which file from $ssl_dir of the primary I should copy to
 the secondary puppetmaster so that clients recognize it as the primary one?

 Should I make any amendments inside the files?

 Thank you


 The cert material is in /var/lib/puppet/ssl/ca, you would need the

 $SSL_dir/ca/private/ca.pass
 $SSL_dir/ca/ca*.pem

 I think this might work better if you have a floating virtual IP address
 that switches between the two puppet servers. You will need to keep the
 entire $SSL_dir, and all the manifest dirs synced, so when your second
 machine comes up, it has all the latest signed certs, content etc. You can
 use DRBD for the entire partition, or csync for selected dirs to achieve
 this ...

 But given puppet only implements changes to files ... is it really so
 critical that it requires a HA solution of this complexity ? I kind of have
 my doubts. If puppet goes offline for 30mins while you restore a vm image,
 most of the clients will error once, and then resume working the next time
 they check in.

 Andrew





[Puppet Users] puppetmaster + heartbeat + mon

2014-01-27 Thread Vassiliy Vins
Hi!

2 puppetmasters and 1 client installed on VMware. I'm using puppet version
3.4.2 on all 3 hosts.

2 puppetmasters, one as primary (hostname=puppetserver.ops.ss), the second
(hostname=puppetslave) as secondary, and a client (hostname=client.ops.ss). High
availability and all other steps exactly as described at this link:
http://projects.puppetlabs.com/projects/1/wiki/High_Availability_Patterns

2 puppetmasters + 1 client in the 192.168.1.x network

2 puppetmasters connected via the 10.0.0.x network for heartbeat purposes
(primary 10.0.0.1, secondary 10.0.0.2, redundant IP 192.168.1.200).
heartbeat works

I moved ca_crl.pem to the secondary puppetmaster according to the link above.

primary puppetmaster
*/etc/hosts*
127.0.0.1 puppetserver
192.168.1.20 client
192.168.1.30 puppetslave

*puppet.conf*
all defaults, only added:
[main]
ca = true


secondary puppetmaster
*/etc/hosts*
127.0.0.1 puppetslave
192.168.1.20 client
192.168.1.10 puppetserver.ops.ss

*puppet.conf*
[main]
server = puppetserver.ops.ss
listen = true
ca = false
ca_server = puppetserver.ops.ss

client
*/etc/hosts*
127.0.0.1 client
192.168.1.200 puppetserver.ops.ss

*puppet.conf*
[main]
server = puppetserver.ops.ss
listen = true

The client machine gets a certificate and puppet works with the primary
puppetmaster - no problem at all.

Now I stop the primary puppetmaster, wait for the secondary to take over the
192.168.1.200 redundant IP, and try on the client machine:
# puppet agent --server puppetserver.ops.ss --waitforcert 45 --test --verbose
trying to get a certificate from the secondary puppetmaster for testing purposes.

And I got the response:
Could not retrieve catalog from remote server: Server hostname
'puppetserver.ops.ss' did not match server certificate; expected puppetslave

Could you help me with the problem? What's wrong?

# openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem   on the
secondary puppetmaster
gives CN=Puppet CA: puppetserver.ops.ss

In my understanding the secondary puppetmaster should respond as the primary
one (puppetserver.ops.ss) when the first one is dead,
and actually it does, so why does the client not accept it?

Thank you for your help



[Puppet Users] CA puppetmaster

2014-01-27 Thread Vassiliy Vins
Hi!

I have 2 puppetmasters in a High Availability configuration.

If the first is dead, the second starts.

Could you tell me which file from $ssl_dir of the primary I should copy to
the secondary puppetmaster so that clients recognize it as the primary one?

Should I make any amendments inside the files?

Thank you



[Puppet Users] puppet ERROR 400

2014-01-15 Thread Vassiliy Vins
Hi!

I've created 2 files:

file *test.pp* with code:

class copy {
  file { 'testfile':
    path   => '/home/vassiliy/myfile',
    source => 'puppet:///mpoint/client1/testfile',
    mode   => '644',
  }
}

and file site.pp with code:

import 'test.pp'

node 'client1' {
  include copy
}

in fileserver.conf a section like this was created:

[mpoint]
  path /etc/puppet/files
  allow *

file *testfile* is in folder /etc/puppet/files/client1/

I got the following in /var/log/messages on client1:

ERROR 400 on SERVER: Not authorized to call find on
/file_metadata/client1/testfile with {:links => manage}

Any ideas why? Where to look? thnx
