[Puppet Users] Puppet Certificate Issues
Hello, we currently have a Puppet Docker container setup and are experiencing certificate issues. Basically, in our Docker setup (on our main server) I had generated and signed new certificates, but the puppet_db container keeps restarting. Here are logs from the puppet_db container:

    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=our.puppet.domain]
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get local issuer certificate for /CN=our.puppet.domain]

I have tried a series of steps to solve this problem, as it looks like Puppet is not functioning correctly: our servers are not properly listening to the host server. Any idea what I can do to solve this problem?

For reference, we are running Puppet_DB version 4.2 and Puppet Server version 2.7.2, all of which is set up in a Docker container environment on one server.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/66479e42-5d70-41b0-a0d9-0774e273fdab%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Re: [Puppet Users] puppet certificate
> On 10 Apr 2017 at 19:13, Martin Alfke wrote:
>
> Hi Fabrice,
>
>> On 05 Apr 2017, at 17:02, Fabrice Bacchella wrote:
>>
>> One more problem: since puppet certificate --ca-location remote destroy does
>> nothing, what is the whole point of puppet certificate? A puppet generate
>> for the same host fails because it already exists, so I can't use it to
>> remotely manage Puppet's PKI. It undermines the whole point of the
>> command.
>
> Have you tried puppet cert clean?

puppet cert works locally. The purpose of "puppet certificate" is to work remotely. But without a clean option it is not very useful.

> This command is usually used to get rid of old certificates.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/3A92754E-9D15-44E8-874D-3DD3CD4CC9A6%40orange.fr.
Re: [Puppet Users] puppet certificate
Hi Fabrice,

> On 05 Apr 2017, at 17:02, Fabrice Bacchella wrote:
>
> One more problem: since puppet certificate --ca-location remote destroy does
> nothing, what is the whole point of puppet certificate? A puppet generate
> for the same host fails because it already exists, so I can't use it to
> remotely manage Puppet's PKI. It undermines the whole point of the command.

Have you tried puppet cert clean?
This command is usually used to get rid of old certificates.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/E9BDC0B5-B92D-46C0-9617-42A7D83B4200%40gmail.com.
Re: [Puppet Users] puppet certificate
One more problem: since puppet certificate --ca-location remote destroy does nothing, what is the whole point of puppet certificate? A puppet generate for the same host fails because it already exists, so I can't use it to remotely manage Puppet's PKI. It undermines the whole point of the command.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1C3F185C-1387-4C98-B4F2-6157B73E244B%40orange.fr.
[Puppet Users] puppet certificate
I'm playing with the "puppet certificate" command.

But when I run "puppet certificate --ca-location remote list" I see in the log:

    10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET /puppet-ca/v1/certificate_statuss/*?environment=production=certificate_request HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38

certificate_statuss? Really?

Because meanwhile, "puppet certificate --ca-location remote sign webtester" generated:

    10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467

That's better, I think.

And "puppet certificate --ca-location remote destroy webtester" generated:

    10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15

I'm surprised similar commands talk to different URLs. It's not easy to track them in auth.conf.

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/1B695C3B-2DE2-464B-A344-A069065D212E%40orange.fr.
[Puppet Users] puppet certificate generate without host csr
Per the mcollective deploy docs, I'm trying to use 'puppet certificate generate' to send a CSR for one user. Puppet tries to generate a CSR for the host as well as the user. There are tickets:

https://tickets.puppetlabs.com/browse/PUP-2018
https://tickets.puppetlabs.com/browse/PUP-3178

Has anybody managed to work around this with the command line tools? I could probably manually copy the CSR around and have it work, but I would prefer something a bit more automated.

More details, same as the tickets (xarg is the fake username in question; same result if I use $USER):

    $ puppet certificate generate --ssldir .n --ca-location remote --ca_server puppetmaster1.mycompany.com xarg
    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 01:0A:B5:D7:88:B2:81:A0:49:66:29:DC:1C:50:61:86:FA:28:A9:48:0B:87:84:E1:9A:5D:B1:1C:A1:CF:58:55
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean myhost.mycompany.com
    On the agent:
      rm -f /home/cwood/.n/certs/myhost.mycompany.com.pem
      puppet agent -t

    Error: Try 'puppet help certificate generate' for usage

    $ find .n -type f | sort
    .n/certs/ca.pem
    .n/certs/myhost.mycompany.com.pem
    .n/private_keys/myhost.mycompany.com.pem
    .n/private_keys/xarg.pem
    .n/public_keys/myhost.mycompany.com.pem
    .n/public_keys/xarg.pem

The command line probably worked for the author of this document, and the prompt indicates a non-root user:
https://docs.puppetlabs.com/mcollective/deploy/standard.html#example-client-onboarding-process

I tried the node* parameters here, but they didn't change the result:
https://docs.puppetlabs.com/references/stable/configuration.html

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/20140924151055.GA28345%40iniquitous.heresiarch.ca.
Re: [Puppet Users] puppet certificate expiry time period
Hi,

took me some digging as well, but apparently this is handled by the somewhat obscure option 'ca_ttl':
http://docs.puppetlabs.com/references/latest/configuration.html#cattl

HTH,
Felix

On 05/24/2014 05:22 PM, Ankit Mittal wrote:
> Dear All,
>
> I am using Puppet on around 70 nodes, but after some time on a few nodes the certificate expired, so I have to run the agent on the node and raise a new certificate request for it. Please let me know if there is any expiry time period for certificates.
>
> Thanks
> Ankit Mittal

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/53846DE5.7020800%40alumni.tu-berlin.de.
[Puppet Users] puppet certificate expiry time period
Dear All,

I am using Puppet on around 70 nodes, but after some time on a few nodes the certificate expired, so I have to run the agent on the node and raise a new certificate request for it. Please let me know if there is any expiry time period for certificates.

Thanks
Ankit Mittal

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/290cfa5a-f37a-47cf-a90e-b0fc79a26049%40googlegroups.com.
[Puppet Users] puppet certificate generate fails for mcollective client
Following the mcollective documentation [1] for adding clients to execute mco commands when using SSL, I am getting an error executing the 'puppet certificate generate' command as my user account. I feel like I'm missing something very obvious here.

    $ puppet certificate generate treydock --ssldir ~/.mcollective.d/credentials --ca-location remote --ca_server puppet.DOMAIN
    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: E3:EA:FA:AD:68:53:D8:AF:DB:63:C9:2A:89:CC:68:AA:4F:B2:35:F6:9F:8C:E0:3C:3F:56:D5:1F:41:45:0D:53
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean login3.DOMAIN
    On the agent:
      rm -f /home/treydock/.mcollective.d/credentials/certs/login3.DOMAIN.pem
      puppet agent -t

    Error: Try 'puppet help certificate generate' for usage

This happens from all my systems. The host 'login3' puppet.conf (comments removed):

    $ cat /etc/puppet/puppet.conf
    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    autosign = $confdir/autosign.conf { mode = 664 }

    [agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    default_schedules = false
    report= true
    pluginsync= true
    masterport= 8140
    environment = production
    certname = login3.brazos.tamu.edu
    server= puppet.brazos.tamu.edu
    listen= false
    splay = false
    runinterval = 3600
    noop = true
    show_diff = true
    configtimeout = 120

Thanks
- Trey

[1] - http://docs.puppetlabs.com/mcollective/deploy/standard.html#managing-client-credentials

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/a31a3ff6-4907-4fd4-a496-b03869e8a151%40googlegroups.com.
Re: [Puppet Users] puppet certificate confusion
I agree - lots of stuff and it's a little hard to find one's way around.

I believe what you're looking for is this little paragraph:
http://docs.puppetlabs.com/guides/installation.html#sign-node-certificates

HTH,
Felix

On 01/13/2014 01:28 PM, Fabrice Bacchella wrote:
> When I look at http://docs.puppetlabs.com/puppet/, or
> http://docs.puppetlabs.com/puppet/latest/reference/lang_summary.html,
> I don't see a lot of information. The section “SSL and Certificates”
> doesn't provide any basic information and only talks about some specific
> cases. Can someone show me some up-to-date documentation about that?

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/52D5783C.7090109%40alumni.tu-berlin.de.
Re: [Puppet Users] puppet certificate confusion
On 14 Jan 2014 at 18:47, Felix Frank <felix.fr...@alumni.tu-berlin.de> wrote:

> I agree - lots of stuff and it's a little hard to find one's way around.
>
> I believe what you're looking for is this little paragraph:
> http://docs.puppetlabs.com/guides/installation.html#sign-node-certificates

I know and use that. But what are all the other commands for? Is there any specification somewhere for the content of the ssl directory?

> HTH,
> Felix

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5CAF47AF-A34F-4E5B-8F31-BE6498E42956%40spamcop.net.
[Puppet Users] puppet certificate confusion
I'm very confused about puppet certificate and CA management. There are many puppet commands to do the work:

    ca                           Local Puppet Certificate Authority management.
    cert                         Manage certificates and requests
    certificate                  Provide access to the CA for certificate management.
    certificate_request          Manage certificate requests.
    certificate_revocation_list  Manage the list of revoked certificates.

Why so many? And worse:

    USAGE: puppet ca action

    This provides local management of the Puppet Certificate Authority.

    OPTIONS:
      --render-as FORMAT  - The rendering format to use.
      --verbose           - Whether to log verbosely.
      --debug             - Whether to log debug information.

    ACTIONS:
      destroy      undocumented action
      fingerprint  undocumented action
      generate     undocumented action
      list         List certificates and/or certificate requests.
      print        undocumented action
      revoke       undocumented action
      sign         undocumented action
      verify       undocumented action

There is a lot of old and deprecated information on the web, much of it talking about puppetca, which is dead.

When I look at http://docs.puppetlabs.com/puppet/, or http://docs.puppetlabs.com/puppet/latest/reference/lang_summary.html, I don't see a lot of information. The section “SSL and Certificates” doesn't provide any basic information and only talks about some specific cases.

Can someone show me some up-to-date documentation about that?

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/91EFB0C9-5525-4274-9595-75A62197D73E%40spamcop.net.
[Puppet Users] Puppet certificate
I'm running in circles with this issue... I accidentally did a 'puppetca --clean --all' and lost all certificates. I was able to get the puppetmaster running and re-created certificates for the client system, but I get the following error:

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for w0f.lagged.com
    info: Retrieving plugin
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
    err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for puppet://puppet.lagged.com/plugins: certificate verify failed
    info: Loading facts in snmpd
    info: Loading facts in diskdrives
    info: Loading facts in snmpd
    info: Loading facts in diskdrives
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

-- 
You received this message because you are subscribed to the Google Groups Puppet Users group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Re: [Puppet Users] Puppet certificate
When I did this in my test environment I removed the entire contents of the ssldir from the client to make sure that both the client and server certs were pulled down anew.

On Wed, Nov 2, 2011 at 10:25 AM, TFML <mailingl...@theflux.net> wrote:
> I'm running in circles with this issue... I accidentally did a 'puppetca --clean --all' and lost all certificates. I was able to get the puppetmaster running and re-created certificates for the client system, but I get the following error:
>
> [...]
> err: Could not retrieve catalog from remote server: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
Re: [Puppet Users] Puppet certificate
I've done that... I've checked the ntpd services and they're in sync... Here is what I've done.

On master:

    rm -rf ssl
    /etc/rc.d/init.d/puppetmaster start
    Starting puppetmaster: [ OK ]
    ls ssl
    ca certificate_requests certs crl.pem private private_keys public_keys

On client:

    rm -rf ssl
    puppetd --server=puppet.lagged.com --test
    info: Creating a new SSL key for w0f.lagged.com
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for w0f.lagged.com
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

On master:

    puppetca --list
    w0f.lagged.com
    puppetca --sign w0f.lagged.com
    notice: Signed certificate request for w0f.lagged.com
    notice: Removing file Puppet::SSL::CertificateRequest w0f.lagged.com at '/var/lib/puppet/ssl/ca/requests/w0f.lagged.com.pem'

On client:

    puppetd -t
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for w0f.lagged.com
    info: Retrieving plugin
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
    err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for puppet://w0f.lagged.com/plugins: certificate verify failed
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

Any suggestions?

On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:
> When I did this in my test environment I removed the entire contents of the ssldir from the client to make sure that both the client and server certs were pulled down anew.
Re: [Puppet Users] Puppet certificate
I'm curious... the server FQDN is puppetmaster.lagged.com but I have the server set as puppet.lagged.com; can that be the cause of the problem? If so, how would I create the certificate to be valid for puppet.lagged.com and not puppetmaster.lagged.com?

On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:
> When I did this in my test environment I removed the entire contents of the ssldir from the client to make sure that both the client and server certs were pulled down anew.
Re: [Puppet Users] Puppet certificate
What version of Puppet are you using? The old method of doing this had a serious security problem, so the newer releases have a different config method for assigning the acceptable aliases for a cert.

On Wed, Nov 2, 2011 at 11:26 AM, TFML <mailingl...@theflux.net> wrote:
> I'm curious... the server FQDN is puppetmaster.lagged.com but I have the server set as puppet.lagged.com; can that be the cause of the problem? If so, how would I create the certificate to be valid for puppet.lagged.com and not puppetmaster.lagged.com?
Re: [Puppet Users] Puppet certificate
I was able to resolve my own issue. It ended up being the SSL certificate; I had to recreate one manually on the master server. Thanks!
[Puppet Users] Puppet Certificate problems, solved
I kept getting the hostname not match error:

err: Could not retrieve catalog from remote server: hostname not match with the server certificate

I found lots of references which suggested the problem could be to do with the mismatch of hostnames, because the puppet master and puppet client are on completely different domains.

http://groups.google.com/group/puppet-users/browse_thread/thread/6a3c3dbe91a72c86/48164bdd904f05a1?lnk=gstq=Re%3A+[Puppet+Users]+Hostname+was+not+a+match+with+the+server+certificate+--+Arrgh!+#

suggested I needed puppet.domain DNS entries in the server certificate, so I tried re-generating the server certificate with

certdnsname=puppet.toycollector.com:puppet.themartingale.com

but I still got the same error on the client.

I finally solved the problem. I was identifying the server to the client using --fqdn=client name.client domain --server=ip, and thinking the problem was to do with the cert not being identified as puppet.client domain. The client FQDN is irrelevant, and the problem was the --server=ip statement. Whatever you use in the --server=server statement, be it DNS name or IP, it has to be listed in the server's certificate, so if you intend to use --server=ip then you need to add that IP to the certdnsname parameter.

Hopefully this will save someone the time I spent working it out.

Simon
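Simon's conclusion here, and the puppet.lagged.com versus puppetmaster.lagged.com question earlier in this digest, come down to one rule: the name the agent dials with --server must be one of the identities the master's certificate asserts. The following Python model of that check is an added example, not code from any poster or from Puppet itself. The certificate contents, the example.com common name and the 192.0.2.10 address are constructed; the matching rules follow RFC 6125 (an IP literal is compared only with iPAddress alt names, and the CN counts only when the cert has no DNS alt names), which is stricter than some older TLS stacks but explains every failure described in these threads.

```python
"""Model of the server-identity check behind Puppet's 'hostname not match'
and 'certificate verify failed' errors: does the value given to --server
appear among the identities in the master's certificate?

Added example, not code from the thread or from Puppet. Certificate
contents, the example.com CN and the 192.0.2.10 address are constructed.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class ServerCert:
    """The identity fields of an X.509 server certificate that matter here."""
    common_name: str
    dns_names: list = field(default_factory=list)     # dNSName SAN entries
    ip_addresses: list = field(default_factory=list)  # iPAddress SAN entries


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125 style: case-insensitive, a single '*' allowed only as the
    whole leftmost label, and it never matches more than one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def server_name_matches(server: str, cert: ServerCert) -> bool:
    """True if `server` (the --server= value) is an identity the cert asserts."""
    try:
        ip = ipaddress.ip_address(server)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress alt names, never with
        # DNS names or the CN. This is why --server=<ip> fails unless that
        # address was listed in the alt names when the master cert was made.
        return any(ipaddress.ip_address(a) == ip for a in cert.ip_addresses)
    if cert.dns_names:
        return any(dns_name_matches(n, server) for n in cert.dns_names)
    # Fall back to the CN only when the cert carries no DNS alt names at all.
    return dns_name_matches(cert.common_name, server)


def explain(server: str, cert: ServerCert) -> str:
    """One-line verdict for troubleshooting a name mismatch."""
    if server_name_matches(server, cert):
        return f"OK: {server!r} is covered by the server certificate"
    return (f"MISMATCH: {server!r} is not in CN={cert.common_name!r}, "
            f"DNS={cert.dns_names}, IP={cert.ip_addresses}; add it to the "
            f"master's alt names and regenerate, or change --server")


if __name__ == "__main__":
    # Constructed cert modelled on the thread: certname in the CN and in the
    # alt names, the two certdnsname aliases, and no IP entry.
    cert = ServerCert("puppetmaster.example.com",
                      ["puppetmaster.example.com", "puppet.toycollector.com",
                       "puppet.themartingale.com"])
    for name in ("puppet.themartingale.com", "192.0.2.10", "puppet.lagged.com"):
        print(explain(name, cert))
```

Running it shows the alias from certdnsname accepted, the bare IP rejected because no iPAddress entry exists, and a name from a different domain rejected outright, which is the same three outcomes the posters hit.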
Re: [Puppet Users] puppet certificate request error
Hi, thanks a lot. I followed your steps and revoked the cert for the client. Now it's working fine. Thanks a lot.

Regards,
K. KarthiKeyan
Re: [Puppet Users] puppet certificate request error
Hi, thanks for your update. Server name is puppet and client name is client. I can do the telnet for server 8140. Even if I am using the --waitforcert option, I did not get it newly. Please share your suggestions.

Cheers,
K. KarthiKeyan
Re: [Puppet Users] puppet certificate request error
Hi,

Okay, start again then (assuming you are still testing out puppet).

Remove the puppet 'ssl' directory contents on the server and the client.
Check your host clocks are in sync.
Start the puppetmaster on the server with --no-daemonize --verbose
That will generate the CA again for the server.

On the client issue the following:

puppetd --verbose --waitforcert 60 --server puppet.domain --noop

If this still fails, check the certname you are using in your certificates.

openssl s_client -connect puppet:8140

Check the subject name is the same as the one you expect. You can specify the certname in your puppet client config.

Cheers,
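The two checks Denmat lists after regenerating the CA (clocks in sync, then read the served certificate with openssl s_client and confirm its subject name) can be scripted. The following is an added example, not the poster's or Puppet's own code: it parses the summary lines that `openssl x509 -noout -subject -dates -ext subjectAltName` prints for the certificate returned by `openssl s_client -connect puppet:8140`, then reports whether the expected name is present and whether the local clock falls inside the validity window, flagging how little drift would push it outside. SAMPLE_OUTPUT, the 192.0.2.10 address and the 2011 dates are constructed.

```python
"""Read the subject, alt names and validity window out of what
`openssl x509 -noout -subject -dates -ext subjectAltName` prints for the
certificate served on port 8140, and check the window against a clock:
an agent whose clock lags the CA sees a freshly issued cert as 'not yet
valid', which surfaces only as 'certificate verify failed'.

Added example, not the poster's or Puppet's code. SAMPLE_OUTPUT is
constructed (names, 192.0.2.10 and the dates are made up); in practice
feed the functions with:
  openssl s_client -connect puppet.domain:8140 </dev/null 2>/dev/null \\
    | openssl x509 -noout -subject -dates -ext subjectAltName
"""
import re
from datetime import datetime, timedelta, timezone

OPENSSL_DATE = "%b %d %H:%M:%S %Y %Z"   # e.g. "Mar 25 10:00:00 2011 GMT"

SAMPLE_OUTPUT = """\
subject=CN = puppet.domain
X509v3 Subject Alternative Name:
    DNS:puppet.domain, DNS:puppet, IP Address:192.0.2.10
notBefore=Mar 25 10:00:00 2011 GMT
notAfter=Mar 24 10:00:00 2016 GMT
"""


def parse_openssl_date(text: str) -> datetime:
    """OpenSSL pads single-digit days with a space ("Mar  5 ..."); collapse it."""
    return datetime.strptime(" ".join(text.split()), OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_x509_summary(text: str) -> dict:
    """Extract CN, SAN entries and validity dates from the openssl output."""
    info = {"cn": None, "dns_names": [], "ip_addresses": [],
            "not_before": None, "not_after": None}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("subject="):
            # handles both "CN = x" (OpenSSL 1.1+) and "/CN=x" (older) layouts
            m = re.search(r"CN\s*=\s*([^,/]+)", line)
            info["cn"] = m.group(1).strip() if m else None
        elif line.startswith("notBefore="):
            info["not_before"] = parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith("notAfter="):
            info["not_after"] = parse_openssl_date(line.split("=", 1)[1])
        elif line.startswith(("DNS:", "IP Address:")):
            # the SAN extension body is printed as one comma-separated line
            for entry in line.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    info["dns_names"].append(value)
                elif kind == "IP Address":
                    info["ip_addresses"].append(value)
    return info


def check_validity(info: dict, now: datetime,
                   max_skew: timedelta = timedelta(minutes=5)) -> list:
    """Findings about the validity window relative to `now` (tz-aware).
    Being inside the window but closer than `max_skew` to an edge is flagged
    too: that is how much clock drift would flip the verdict."""
    nb, na = info["not_before"], info["not_after"]
    if nb is None or na is None:
        return ["validity dates not found in openssl output"]
    if now < nb:
        return [f"not yet valid: clock is {nb - now} behind notBefore (check NTP)"]
    if now > na:
        return [f"expired {now - na} ago"]
    margin = min(now - nb, na - now)
    if margin < max_skew:
        return [f"valid, but only {margin} from the edge of the window; "
                f"a clock off by that much fails verification"]
    return []


def report(text: str, expected_name: str, now: datetime) -> dict:
    """Both checks from the procedure: the served cert carries the name you
    expect, and the validity window fits the clock."""
    info = parse_x509_summary(text)
    names = ([info["cn"]] if info["cn"] else []) + info["dns_names"] + info["ip_addresses"]
    return {"cn": info["cn"],
            "name_ok": expected_name in names,
            "clock_findings": check_validity(info, now)}


if __name__ == "__main__":
    # Constructed clock two minutes behind the CA that just issued the cert:
    # the classic symptom after "check your host clocks are in sync".
    lagging_agent_clock = parse_openssl_date("Mar 25 09:58:00 2011 GMT")
    print(report(SAMPLE_OUTPUT, "puppet.domain", lagging_agent_clock))
```

The name check here is a plain membership test; it answers "is the certname I expect in the cert at all", which is the question the post asks, and leaves wildcard and IP-literal matching rules aside.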
[Puppet Users] puppet certificate request error
Dear all,

I am trying to generate the CA for my puppet client, but it is showing the following error:

puppetd --server puppet --test --debug --no-daemonize
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 400 on SERVER: undefined method `info' for nil:NilClass
Exiting; failed to retrieve certificate and waitforcert is disabled

The puppetmaster FQDN checks are fine for puppetmaster and client; pinging perfectly.

Please guide me to fix this problem.

Regards,
CheBrian
Re: [Puppet Users] puppet certificate request error
Hi,

Verify that the server name you are using is correct (is it 'puppet' or 'puppetmaster'?).
Use the --waitforcert option when first signing.
Verify that puppetmaster is running on the server.
Verify that you can access port 8140 on the server from the client.

Cheers,
[Puppet Users] Puppet Certificate verify failed
Hello,

I am trying to configure a new puppet server on Debian Squeeze, so the server version will be 2.6.2-4. I am trying to configure a client running Lenny; the puppet version is 0.25.4-2.

I declare the new client with the command:

# puppetd --server puppet.domain.tld --waitforcert 60 --test

on the server:

# puppetca --sign client.domain.tld

When the client finishes executing the first command I have the following output:

info: Caching certificate for host.domain.tld
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: Could not retrieve information from source(s) puppet://puppet.domain.tld/plugins
info: Caching catalog for host.domain.tld
info: Applying configuration version '1299765672'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.01 seconds

Then if I run on the client:

# puppetd -vt

I get a certificate error:

info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I read some posts about such errors; the date is in sync between the server and client (using the same NTP server).

Any help appreciated!

Hugo
[Puppet Users] puppet certificate problems
I have a puppet distributed site:

[*] separate puppet-ca
[*] puppet-master rules distribution point
[*] puppet-master file-server
[*] puppet reports

and noticed the following:

1. the client does not re-request a new certificate on certificate revocation/expiration
2. the puppetmaster on the rules distribution point does not recognize the client's revoked certificate until the puppetmaster is restarted (the CRL is synchronized)

I want puppetd to do the following:

1) client generation of a new CSR on certificate expiration/revocation (optionally by config file), including a new key pair
2) client auto-cleaning/moving of expired/revoked certificates (including keys) to a revoked folder on the client
3) client automatic re-requesting of a new certificate from the puppet CA on certificate revocation/expiration (optionally by config file option)

Is there any version that supports these features? I'm currently running puppet version 0.24.4.