Re: [Puppet Users] puppetmaster + heartbeat + mon
Thnx, Felix, I'll try today.

On 7 February 2014 02:40, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:
> Hi,
>
> good thinking, but the CA certificate is not used when accepting SSL connections (or it shouldn't be, as far as I'm concerned).
>
> You can determine the certificate that is presented using
>
>     openssl s_client -connect puppetserver.ops.ss:8445
>
> (assuming that is your masterport).
>
> You may need to share the server cert among your masters, not only the CA cert.
>
> HTH,
> Felix
>
> On 01/27/2014 06:59 PM, Vassiliy Vins wrote:
>> # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem
>>
>> on the secondary puppetmaster gives CN=Puppet CA:puppetserver.ops.ss
>
> --
> You received this message because you are subscribed to a topic in the Google Groups Puppet Users group.
> To unsubscribe from this topic, visit https://groups.google.com/d/topic/puppet-users/WpkKz80Jxn4/unsubscribe.
> To unsubscribe from this group and all its topics, send an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52F4AA08.8010503%40alumni.tu-berlin.de.
> For more options, visit https://groups.google.com/groups/opt_out.
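The error quoted in this thread ("Server hostname 'puppetserver.ops.ss' did not match server certificate; expected puppetslave") is the agent comparing the name it dialled against the names carried inside the certificate the server presented, which is why Felix points at the server cert rather than the CA cert. The Ruby script below is an added example, not code from the thread or from Puppet itself: it builds throwaway self-signed certificates (the names puppetslave and puppetserver.ops.ss are taken from the thread; keys, validity and serial are constructed for the demo) and runs Ruby OpenSSL's standard identity check against the hostname a client would connect to.

```ruby
require 'openssl'

# Build a throwaway self-signed server certificate for the demo.
# cn: the Common Name; alt_names: DNS names to place in subjectAltName
# (an empty array means the certificate carries no SAN extension at all).
def build_server_cert(cn, alt_names = [])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3, needed for extensions
  cert.serial = 1                       # constructed value, demo only
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate = cert
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san, false))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The check a TLS client performs after the chain verifies: does the name
# that was dialled appear among the identities the certificate claims?
# Ruby's rule (RFC 6125 style): if the cert has DNS entries in subjectAltName
# only those count; the CN is consulted only when no such entries exist.
def identity_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Human-readable list of the names a certificate claims: CN first, then SANs.
def cert_names(cert)
  cn = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
  names = cn ? [cn[1]] : []
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  if san
    names.concat(san.value.split(',').map { |v| v.strip.sub(/\ADNS:/, '') })
  end
  names.uniq
end

if __FILE__ == $PROGRAM_NAME
  dialled = 'puppetserver.ops.ss'
  cases = {
    'secondary cert, CN only'        => build_server_cert('puppetslave'),
    'secondary cert with SAN'        => build_server_cert('puppetslave', ['puppetslave', dialled]),
    'CN matches but SAN omits it'    => build_server_cert(dialled, ['puppetslave']),
  }
  cases.each do |label, cert|
    puts format('%-30s names=%-45s dialled %s -> %s',
                label, cert_names(cert).inspect, dialled, identity_matches?(cert, dialled))
  end
end
```

The third case is the one that surprises people: once a certificate carries any DNS name in subjectAltName, the CN is ignored entirely, so a secondary that must answer on the primary's name needs that name in its SAN (Puppet's `dns_alt_names` setting adds SAN entries when a master's certificate is generated) or must present the primary's own server certificate and key, which is what Felix suggests. `openssl s_client -connect host:port`, as in his reply, shows which certificate is actually being served after failover.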
[Puppet Users] Re: CA puppetmaster
So, I have to copy the ca/ directory from the primary puppetmaster to the secondary one? Right?

I did, no success, the same message:

    Server hostname 'puppetserver' did not match server certificate; expected puppetslave

I can formulate my question in other words: why does the client expect puppetslave, where does it take this host name from? Maybe I need to put a cert_name line on my secondary puppetmaster?

On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:
> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>> Hi!
>>
>> I have 2 puppetmasters with a High Availability configuration. If the first dies, the second starts. Could you tell me which file from $ssl_dir of the primary I should copy to the secondary puppetmaster so that clients recognize it as the primary one? Should I make any amendments inside the files?
>>
>> Thank you
>
> The cert material is in /var/lib/puppet/ssl/ca, you would need
>
>     $SSL_dir/ca/private/ca.pass
>     $SSL_dir/ca/ca*.pem
>
> I think this might work better if you have a floating virtual IP address that switches between the two puppet servers. You will need to keep the entire $SSL_dir, and all the manifest dirs synced, so when your second machine comes up, it has all the latest signed certs, content etc. You can use DRBD for the entire partition, or csync for selected dirs to achieve this ...
>
> But given puppet only implements changes to files ... is it really so critical that it requires a HA solution of this complexity? I kind of have my doubts. If puppet goes offline for 30mins while you restore a vm image, most of the clients will error once, and then resume working the next time they check in.
>
> Andrew
Re: [Puppet Users] Re: CA puppetmaster
Yes, I did, because I copied the whole ca/ directory from my primary, and the private/ folder is inside ca/.

What I discovered right now: the client gets the secondary puppetmaster's name and compares it with the name in the certificate. If they do not match each other, it does not accept the certificate.

On 31 January 2014 13:33, José Luis Ledesma <joseluis.lede...@gmail.com> wrote:
> I don't have experience with ca in ha, but I think you should copy also ca private keys.
>
> On 31/01/2014 21:19, Vassiliy Vins <vassiliy.v...@gmail.com> wrote:
>> So, I have to copy the ca/ directory from the primary puppetmaster to the secondary one? Right?
>>
>> I did, no success, the same message:
>>
>>     Server hostname 'puppetserver' did not match server certificate; expected puppetslave
>>
>> I can formulate my question in other words: why does the client expect puppetslave, where does it take this host name from? Maybe I need to put a cert_name line on my secondary puppetmaster?
>>
>> On Wednesday, January 29, 2014 9:37:01 PM UTC-7, Andrew wrote:
>>> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>>>> Hi!
>>>>
>>>> I have 2 puppetmasters with a High Availability configuration. If the first dies, the second starts. Could you tell me which file from $ssl_dir of the primary I should copy to the secondary puppetmaster so that clients recognize it as the primary one? Should I make any amendments inside the files?
>>>>
>>>> Thank you
>>>
>>> The cert material is in /var/lib/puppet/ssl/ca, you would need
>>>
>>>     $SSL_dir/ca/private/ca.pass
>>>     $SSL_dir/ca/ca*.pem
>>>
>>> I think this might work better if you have a floating virtual IP address that switches between the two puppet servers. You will need to keep the entire $SSL_dir, and all the manifest dirs synced, so when your second machine comes up, it has all the latest signed certs, content etc. You can use DRBD for the entire partition, or csync for selected dirs to achieve this ...
>>>
>>> But given puppet only implements changes to files ... is it really so critical that it requires a HA solution of this complexity? I kind of have my doubts. If puppet goes offline for 30mins while you restore a vm image, most of the clients will error once, and then resume working the next time they check in.
>>>
>>> Andrew
[Puppet Users] Re: puppet ERROR 400
solved, thank you

On Wednesday, January 15, 2014 2:15:00 PM UTC-7, Vassiliy Vins wrote:
> Hi!
>
> I've created 2 files:
>
> file *test.pp* with code:
>
>     class copy {
>       file { 'testfile':
>         path   => '/home/vassiliy/myfile',
>         source => 'puppet:///mpoint/client1/testfile',
>         mode   => '644',
>       }
>     }
>
> and file site.pp with code:
>
>     import 'test.pp'
>
>     node 'client1' {
>       include copy
>     }
>
> in fileserver.conf a section like this was created:
>
>     [mpoint]
>       path /etc/puppet/files
>       allow *
>
> file *testfile* is in folder /etc/puppet/files/client1/
>
> I got on client1 in /var/log/messages the following:
>
>     ERROR 400 on SERVER: Not authorized to call find on /file_metadata/client1/testfile with {:links => manage}
>
> Any ideas why? Where to look at?
>
> thnx
Re: [Puppet Users] Re: CA puppetmaster
Thank you, Andrew! I'll try tomorrow.

In High Availability I have a floating IP (better to say a redundant IP). I don't think that we need HA for puppet, but my boss insists on it.

Regards,
Vassiliy

On 29 January 2014 21:37, Andrew <andrewgray1...@gmail.com> wrote:
> On Tuesday, 28 January 2014 09:49:57 UTC+10, Vassiliy Vins wrote:
>> Hi!
>>
>> I have 2 puppetmasters with a High Availability configuration. If the first dies, the second starts. Could you tell me which file from $ssl_dir of the primary I should copy to the secondary puppetmaster so that clients recognize it as the primary one? Should I make any amendments inside the files?
>>
>> Thank you
>
> The cert material is in /var/lib/puppet/ssl/ca, you would need
>
>     $SSL_dir/ca/private/ca.pass
>     $SSL_dir/ca/ca*.pem
>
> I think this might work better if you have a floating virtual IP address that switches between the two puppet servers. You will need to keep the entire $SSL_dir, and all the manifest dirs synced, so when your second machine comes up, it has all the latest signed certs, content etc. You can use DRBD for the entire partition, or csync for selected dirs to achieve this ...
>
> But given puppet only implements changes to files ... is it really so critical that it requires a HA solution of this complexity? I kind of have my doubts. If puppet goes offline for 30mins while you restore a vm image, most of the clients will error once, and then resume working the next time they check in.
>
> Andrew
[Puppet Users] puppetmaster + heartbeat + mon
Hi!

2 puppetmasters and 1 client installed on VMware. I'm using puppet version 3.4.2 on all 3 hosts.

2 puppetmasters, one as primary (hostname = puppetserver.ops.ss), the second (hostname = puppetslave) as secondary, and a client (hostname = client.ops.ss).

High availability and all other steps - exactly as described on this link: http://projects.puppetlabs.com/projects/1/wiki/High_Availability_Patterns

2 puppetmasters + 1 client in the 192.168.1.x network; the 2 puppetmasters are connected via the 10.0.0.x network for heartbeat purposes (primary 10.0.0.1, secondary 10.0.0.2, redundant IP 192.168.1.200). heartbeat works.

I moved ca_crl.pem to the secondary puppetmaster according to the link above.

primary puppetmaster

  */etc/hosts*
    127.0.0.1     puppetserver
    192.168.1.20  client
    192.168.1.30  puppetslave

  *puppet.conf*
    all defaults, only added in [main]:
    ca = true

secondary puppetmaster

  */etc/hosts*
    127.0.0.1     puppetslave
    192.168.1.20  client
    192.168.1.10  puppetserver.ops.ss

  *puppet.conf*
    [main]
    server = puppetserver.ops.ss
    listen = true
    ca = false
    ca_server = puppetserver.ops.ss

client

  */etc/hosts*
    127.0.0.1      client
    192.168.1.200  puppetserver.ops.ss

  *puppet.conf*
    [main]
    server = puppetserver.ops.ss
    listen = true

The client machine gets a certificate and puppet works with the primary puppetmaster - no problem at all.

Now I stop the primary puppetmaster, wait for the secondary to take the 192.168.1.200 redundant IP, and try on the client machine:

    # puppet agent --server puppetserver.ops.ss --waitforcert 45 --test --verbose

trying to get a certificate from the secondary puppetmaster for testing purposes. And I got the response:

    Could not retrieve catalog from remote server: Server hostname 'puppetserver.ops.ss' did not match server certificate; expected puppetslave

Could you help me with the problem? What's wrong?

    # openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/ca.pem

on the secondary puppetmaster gives CN=Puppet CA:puppetserver.ops.ss

In my understanding the secondary puppetmaster should respond as the primary one (puppetserver.ops.ss) when the first one is dead, and actually it does, so why does the client not accept it?

Thank you for your help
[Puppet Users] CA puppetmaster
Hi!

I have 2 puppetmasters with a High Availability configuration. If the first dies, the second starts. Could you tell me which file from $ssl_dir of the primary I should copy to the secondary puppetmaster so that clients recognize it as the primary one? Should I make any amendments inside the files?

Thank you
[Puppet Users] puppet ERROR 400
Hi!

I've created 2 files:

file *test.pp* with code:

    class copy {
      file { 'testfile':
        path   => '/home/vassiliy/myfile',
        source => 'puppet:///mpoint/client1/testfile',
        mode   => '644',
      }
    }

and file site.pp with code:

    import 'test.pp'

    node 'client1' {
      include copy
    }

in fileserver.conf a section like this was created:

    [mpoint]
      path /etc/puppet/files
      allow *

file *testfile* is in folder /etc/puppet/files/client1/

I got on client1 in /var/log/messages the following:

    ERROR 400 on SERVER: Not authorized to call find on /file_metadata/client1/testfile with {:links => manage}

Any ideas why? Where to look at?

thnx
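The request that failed here, file_metadata for a path under the [mpoint] mount, passes two authorization layers on a Puppet 3 master: the REST endpoint rules in auth.conf and the per-mount allow/deny lists in fileserver.conf. The thread closes with "solved" without saying which layer was at fault, so the Ruby script below only looks at the second one. It is an added example, not code from the thread or from Puppet: it parses a small fileserver.conf (constructed for the example, containing the thread's [mpoint] section plus a second, narrower mount), evaluates which client certnames each mount admits, and flags mounts that use `allow *`.

```ruby
# Constructed sample config: the thread's [mpoint] section plus a second
# mount with a domain-restricted allow list and one deny entry.
SAMPLE_FILESERVER_CONF = <<~CONF
  # constructed for this example
  [mpoint]
    path /etc/puppet/files
    allow *

  [restricted]
    path /etc/puppet/private
    allow *.ops.ss
    deny buildbox.ops.ss
CONF

# Parse fileserver.conf text into
#   { mount_name => { 'path' => String, 'allow' => [patterns], 'deny' => [patterns] } }
# Section headers are [name]; properties are "path", "allow" and "deny";
# allow/deny accept several patterns separated by commas or whitespace.
def parse_fileserver_conf(text)
  mounts = {}
  current = nil
  text.each_line do |raw|
    line = raw.sub(/#.*/, '').strip       # drop comments and surrounding space
    next if line.empty?
    if (m = line.match(/\A\[([^\]]+)\]\z/))
      current = m[1]
      mounts[current] = { 'path' => nil, 'allow' => [], 'deny' => [] }
    elsif current && (m = line.match(/\A(path|allow|deny)\s+(.+)\z/))
      key, value = m[1], m[2]
      if key == 'path'
        mounts[current]['path'] = value
      else
        mounts[current][key].concat(value.split(/[\s,]+/))
      end
    else
      raise ArgumentError, "unparsable fileserver.conf line: #{raw.strip}"
    end
  end
  mounts
end

# True when a hostname pattern from an allow/deny line matches a certname.
# Supports '*' and leading-label wildcards such as '*.ops.ss'; comparison is
# case-insensitive. IP and CIDR patterns are left out of this example.
def host_pattern_match?(pattern, certname)
  return true if pattern == '*'
  p = pattern.downcase
  c = certname.downcase
  if p.start_with?('*.')
    suffix = p[1..-1]                      # '*.ops.ss' -> '.ops.ss'
    c.end_with?(suffix) && c.length > suffix.length
  else
    p == c
  end
end

# Decide whether certname may read from mount. Simplification made by this
# example (not a statement about Puppet's exact ordering): a matching deny
# entry wins over any allow entry, and no match at all means denied.
def mount_allows?(mounts, mount, certname)
  m = mounts[mount]
  return false unless m
  return false if m['deny'].any? { |pat| host_pattern_match?(pat, certname) }
  m['allow'].any? { |pat| host_pattern_match?(pat, certname) }
end

# Mounts whose allow list contains the catch-all pattern.
def wide_open_mounts(mounts)
  mounts.select { |_, m| m['allow'].include?('*') }.keys
end

if __FILE__ == $PROGRAM_NAME
  mounts = parse_fileserver_conf(SAMPLE_FILESERVER_CONF)
  puts "wide-open mounts: #{wide_open_mounts(mounts).inspect}"
  %w[client1 client1.ops.ss buildbox.ops.ss rogue.example.com].each do |certname|
    verdicts = mounts.keys.map { |name| "#{name}=#{mount_allows?(mounts, name, certname)}" }
    puts format('%-20s %s', certname, verdicts.join(' '))
  end
end
```

Two things the output makes visible: `allow *` hands every node with a signed certificate read access to everything under /etc/puppet/files, and a pattern like `*.ops.ss` only matches certnames that carry the domain, so an agent whose certname is the bare `client1` (as in the thread's node definition) would be refused by the narrower mount even though it is the intended consumer.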