[Puppet Users] Puppet Certificate Issues

2018-10-18 Thread Rohit
Hello, we currently have a puppet docker container setup and are 
experiencing certificate issues. Basically, in our docker setup (on our 
main server) I had generated and signed new certificates, but the puppet_db 
container keeps restarting. Here are logs from the puppet_db container:

‘Error: Could not retrieve catalog from remote server: SSL_connect 
returned=1 errno=0 state=error: certificate verify failed: [unable to get 
local issuer certificate for /CN=our.puppet.domain]
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 
state=error: certificate verify failed: [unable to get local issuer 
certificate for /CN=our.puppet.domain]’

I have tried a series of steps to solve this problem as it looks like Puppet 
is not functioning correctly as our servers are not properly listening to 
the host server. Any idea what I can do to solve this problem? For 
reference, we are running Puppet_DB version 4.2 and Puppet Server version 
2.7.2, all of which is set up on a docker container environment on one 
server.



Re: [Puppet Users] puppet certificate

2017-04-16 Thread Fabrice Bacchella

> On 10 Apr 2017, at 19:13, Martin Alfke wrote:
> 
> Hi Fabrice,
> 
>> On 05 Apr 2017, at 17:02, Fabrice Bacchella  
>> wrote:
>> 
>> One more problem, since puppet certificate --ca-location remote destroy does 
>> nothing, what is the whole point of puppet certificate? A puppet generate 
>> for the same host fails because it already exists, so I can't use it to 
>> remotely manage the puppet's PKI. It undermines the whole point of the 
>> command.
> 
> Have you tried puppet cert clean  ?

puppet cert works locally. The purpose of "puppet certificate" is to work 
remotely. But without a clean option it is not very useful.

> This command is usually used to get rid of old certificates.



Re: [Puppet Users] puppet certificate

2017-04-10 Thread Martin Alfke
Hi Fabrice,

> On 05 Apr 2017, at 17:02, Fabrice Bacchella  
> wrote:
> 
> One more problem, since puppet certificate --ca-location remote destroy does 
> nothing, what is the whole point of puppet certificate? A puppet generate 
> for the same host fails because it already exists, so I can't use it to 
> remotely manage the puppet's PKI. It undermines the whole point of the command.

Have you tried puppet cert clean  ?
This command is usually used to get rid of old certificates.

> 
> 
> 
>> On 5 Apr 2017, at 15:58, Fabrice Bacchella wrote:
>> 
>> I'm playing with the "puppet certificate" command.
>> 
>> But when I run "puppet certificate --ca-location remote list"
>> 
>> I see in the log:
>> 
>> 10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET 
>> /puppet-ca/v1/certificate_statuss/*?environment=production=certificate_request
>>  HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38
>> 
>> certificate_statuss ? Really ? 
>> 
>> Because meanwhile, "puppet certificate --ca-location remote sign webtester" 
>> generated:
>> 10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT 
>> /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 
>> 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467
>> 
>> That's better I think.
>> 
>> And "puppet certificate --ca-location remote destroy webtester"
>> 
>> generated
>> 10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE 
>> /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 
>> 112 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15
>> 
>> I'm surprised similar commands talk to different URLs. It's not easy to track 
>> them in auth.conf.



Re: [Puppet Users] puppet certificate

2017-04-05 Thread Fabrice Bacchella
One more problem, since puppet certificate --ca-location remote destroy does 
nothing, what is the whole point of puppet certificate? A puppet generate for 
the same host fails because it already exists, so I can't use it to remotely 
manage the puppet's PKI. It undermines the whole point of the command.



> On 5 Apr 2017, at 15:58, Fabrice Bacchella wrote:
> 
> I'm playing with the "puppet certificate" command.
> 
> But when I run "puppet certificate --ca-location remote list"
> 
> I see in the log:
> 
> 10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET 
> /puppet-ca/v1/certificate_statuss/*?environment=production=certificate_request
>  HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38
> 
> certificate_statuss ? Really ? 
> 
> Because meanwhile, "puppet certificate --ca-location remote sign webtester" 
> generated:
> 10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT 
> /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 
> 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467
> 
> That's better I think.
> 
> And "puppet certificate --ca-location remote destroy webtester"
> 
> generated
> 10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE 
> /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 
> "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15
> 
> I'm surprised similar commands talk to different URLs. It's not easy to track 
> them in auth.conf.



[Puppet Users] puppet certificate

2017-04-05 Thread Fabrice Bacchella
I'm playing with the "puppet certificate" command.

But when I run "puppet certificate --ca-location remote list"

I see in the log:

10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET 
/puppet-ca/v1/certificate_statuss/*?environment=production=certificate_request
 HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38

certificate_statuss ? Really ? 

Because meanwhile, "puppet certificate --ca-location remote sign webtester" 
generated:
10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT 
/puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 
204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467

That's better I think.

And "puppet certificate --ca-location remote destroy webtester"

generated
10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE 
/puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 
"-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15

I'm surprised similar commands talk to different URLs. It's not easy to track 
them in auth.conf.

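The three requests quoted in this post, run through a small parser (an added example, not part of the original post): it splits each access-log line into method, CA endpoint and status, so the paths that need a matching auth.conf rule can be read side by side. The log lines are the ones from the post re-joined onto single lines; the endpoint list in `KNOWN_ENDPOINTS` is an assumption about the Puppet CA v1 HTTP API and should be adjusted to the server version in use.

```ruby
# Added example: classify Puppet CA requests found in a master access log.

# The access-log lines quoted in the post, re-joined onto single lines.
ACCESS_LOG = <<~'LOG'
  10.83.16.17 - - [05/Apr/2017:15:52:46 +0200] "GET /puppet-ca/v1/certificate_statuss/*?environment=production=certificate_request HTTP/1.1" 404 9 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 38
  10.83.16.17 - - [05/Apr/2017:15:51:47 +0200] "PUT /puppet-ca/v1/certificate_status/webtester?environment=production& HTTP/1.1" 204 0 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 467
  10.83.16.17 - - [05/Apr/2017:15:56:32 +0200] "DELETE /puppet-ca/v1/certificate/webtester?environment=production& HTTP/1.1" 403 112 "-" "Puppet/4.9.4 Ruby/2.1.9-p490 (x86_64-linux)" 15
LOG

# Assumption: endpoint names of the Puppet CA v1 HTTP API.
KNOWN_ENDPOINTS = %w[
  certificate certificate_request certificate_status
  certificate_statuses certificate_revocation_list
].freeze

# client, ident, user, [time], "METHOD target HTTP/x.y", status
LINE_RE = %r{\A(?<client>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<target>\S+) HTTP/[\d.]+" (?<status>\d\d\d) }

# Return one hash per CA request; lines that do not parse are skipped.
def parse_ca_requests(log)
  log.each_line.map do |line|
    m = LINE_RE.match(line)
    next unless m
    path = m[:target].split("?", 2).first          # drop the query string
    _root, api, version, endpoint, subject = path.split("/", 5)
    next unless api == "puppet-ca"
    { client: m[:client], method: m[:method], version: version,
      endpoint: endpoint, subject: subject, status: m[:status].to_i }
  end.compact
end

# Separate "the server has no such endpoint" from "the server refused it".
def classify(req)
  return :unknown_endpoint unless KNOWN_ENDPOINTS.include?(req[:endpoint])
  case req[:status]
  when 200..299 then :allowed
  when 401, 403 then :refused
  else :other
  end
end

# One row per request: the method and path prefix an authorization rule has
# to cover, the certificate name, the status code and the verdict.
def review(log)
  parse_ca_requests(log).map do |req|
    rule = "#{req[:method]} /puppet-ca/#{req[:version]}/#{req[:endpoint]}"
    [rule, req[:subject], req[:status], classify(req)]
  end
end

review(ACCESS_LOG).each { |row| puts row.join("  ") }
```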


[Puppet Users] puppet certificate generate without host csr

2014-09-24 Thread Christopher Wood
Per the mcollective deploy docs, I'm trying to use 'puppet certificate 
generate' to send a csr for one user. Puppet tries to generate a csr for the 
host as well as the user. There are tickets.

https://tickets.puppetlabs.com/browse/PUP-2018
https://tickets.puppetlabs.com/browse/PUP-3178

Has anybody managed to work around this with the command line tools? I could 
probably manually copy the csr around and have it work but I would prefer 
something a bit more automated.

More details, same as tickets (xarg is the fake username in question, same 
result if I use $USER):

$ puppet certificate generate --ssldir .n --ca-location remote --ca_server 
puppetmaster1.mycompany.com xarg
Error: The certificate retrieved from the master does not match the agent's 
private key.
Certificate fingerprint: 
01:0A:B5:D7:88:B2:81:A0:49:66:29:DC:1C:50:61:86:FA:28:A9:48:0B:87:84:E1:9A:5D:B1:1C:A1:CF:58:55
To fix this, remove the certificate from both the master and the agent and then 
start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean myhost.mycompany.com
On the agent:
  rm -f /home/cwood/.n/certs/myhost.mycompany.com.pem
  puppet agent -t

Error: Try 'puppet help certificate generate' for usage


$ find .n -type f | sort
.n/certs/ca.pem
.n/certs/myhost.mycompany.com.pem
.n/private_keys/myhost.mycompany.com.pem
.n/private_keys/xarg.pem
.n/public_keys/myhost.mycompany.com.pem
.n/public_keys/xarg.pem


The command line probably worked for the author of this document, and the 
prompt indicates a non-root user:

https://docs.puppetlabs.com/mcollective/deploy/standard.html#example-client-onboarding-process


I tried the node* parameters here, but they didn't change the result:

https://docs.puppetlabs.com/references/stable/configuration.html



Re: [Puppet Users] puppet certificate expiry time period

2014-05-27 Thread Felix Frank
Hi,

took me some digging as well, but apparently this is handled by the
somewhat obscure option 'ca_ttl':

http://docs.puppetlabs.com/references/latest/configuration.html#cattl

HTH,
Felix

On 05/24/2014 05:22 PM, Ankit Mittal wrote:
> Dear All,
>
> I am using puppet on around 70 nodes, but after some time the certificate
> expired on a few nodes, so I have to run the agent on the node and raise a new
> certificate request for that.
>
> Please let me know if there is any expiry time period for certification.
>
> Thanks
> Ankit Mittal



[Puppet Users] puppet certificate expiry time period

2014-05-24 Thread Ankit Mittal
Dear All,

I am using puppet on around 70 nodes, but after some time the certificate 
expired on a few nodes, so I have to run the agent on the node and raise a new 
certificate request for that.

Please let me know if there is any expiry time period for certification.

Thanks
Ankit Mittal



[Puppet Users] puppet certificate generate fails for mcollective client

2014-03-25 Thread treydock
Following the mcollective documentation [1] for adding clients to execute 
mco commands when using SSL I am getting an error executing the 'puppet 
certificate generate' command as my user account.  I feel like I'm missing 
something very obvious here.

$ puppet certificate generate treydock --ssldir 
~/.mcollective.d/credentials --ca-location remote --ca_server 
puppet.DOMAIN
Error: The certificate retrieved from the master does not match the agent's 
private key.
Certificate fingerprint: 
E3:EA:FA:AD:68:53:D8:AF:DB:63:C9:2A:89:CC:68:AA:4F:B2:35:F6:9F:8C:E0:3C:3F:56:D5:1F:41:45:0D:53
To fix this, remove the certificate from both the master and the agent and 
then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean login3.DOMAIN
On the agent:
  rm -f /home/treydock/.mcollective.d/credentials/certs/login3.DOMAIN.pem
  puppet agent -t

Error: Try 'puppet help certificate generate' for usage

This happens from all my systems.

The host 'login3' puppet.conf (comments removed):

$ cat /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
autosign = $confdir/autosign.conf { mode = 664 }

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
default_schedules = false

report = true
pluginsync = true
masterport = 8140
environment = production
certname = login3.brazos.tamu.edu
server = puppet.brazos.tamu.edu
listen = false
splay = false
runinterval = 3600
noop = true
show_diff = true
configtimeout = 120

Thanks
- Trey

[1] http://docs.puppetlabs.com/mcollective/deploy/standard.html#managing-client-credentials



Re: [Puppet Users] puppet certificate confusion

2014-01-14 Thread Felix Frank
I agree - lots of stuff and it's a little hard to find one's way around.

I believe what you're looking for is this little paragraph:
http://docs.puppetlabs.com/guides/installation.html#sign-node-certificates

HTH,
Felix

On 01/13/2014 01:28 PM, Fabrice Bacchella wrote:
> When I look at http://docs.puppetlabs.com/puppet/, or 
> http://docs.puppetlabs.com/puppet/latest/reference/lang_summary.html, I don't 
> see a lot of information. The section “SSL and Certificates” doesn't provide 
> any basic information and only talks about some specific cases.
>
> Can someone show me some up-to-date documentation about that?



Re: [Puppet Users] puppet certificate confusion

2014-01-14 Thread Fabrice Bacchella

On 14 Jan 2014, at 18:47, Felix Frank felix.fr...@alumni.tu-berlin.de wrote:

> I agree - lots of stuff and it's a little hard to find one's way around.
>
> I believe what you're looking for is this little paragraph:
> http://docs.puppetlabs.com/guides/installation.html#sign-node-certificates

I know and use that. But what are all the other commands for? Is there any 
specification somewhere for the content of the ssl directory?

> HTH,
> Felix
>
> On 01/13/2014 01:28 PM, Fabrice Bacchella wrote:
>> When I look at http://docs.puppetlabs.com/puppet/, or 
>> http://docs.puppetlabs.com/puppet/latest/reference/lang_summary.html, I 
>> don't see a lot of information. The section “SSL and Certificates” doesn't 
>> provide any basic information and only talks about some specific cases.
>>
>> Can someone show me some up-to-date documentation about that?



[Puppet Users] puppet certificate confusion

2014-01-13 Thread Fabrice Bacchella
I'm very confused about puppet certificate and ca management.

There are many puppet commands to do the work:

  ca                           Local Puppet Certificate Authority management.
  cert                         Manage certificates and requests
  certificate                  Provide access to the CA for certificate management.
  certificate_request          Manage certificate requests.
  certificate_revocation_list  Manage the list of revoked certificates.

Why so many ?

And worse :
USAGE: puppet ca action 

This provides local management of the Puppet Certificate Authority.

OPTIONS:
  --render-as FORMAT - The rendering format to use.
  --verbose          - Whether to log verbosely.
  --debug            - Whether to log debug information.

ACTIONS:
  destroy        undocumented action
  fingerprint    undocumented action
  generate       undocumented action
  list           List certificates and/or certificate requests.
  print          undocumented action
  revoke         undocumented action
  sign           undocumented action
  verify         undocumented action

There is a lot of old and deprecated information on the web, much of it talking 
about puppetca, which is dead.

When I look at http://docs.puppetlabs.com/puppet/, or 
http://docs.puppetlabs.com/puppet/latest/reference/lang_summary.html, I don't 
see a lot of information. The section “SSL and Certificates” doesn't provide 
any basic information and only talks about some specific cases.

Can someone show me some up-to-date documentation about that ?



[Puppet Users] Puppet certificate

2011-11-02 Thread TFML
I'm running in circles with this issue... I accidentally did a 'puppetca 
--clean --all' and lost all certificates.  I was able to get the puppetmaster 
running and re-created certificates for the client system, but I get the 
following error:

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for w0f.lagged.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 
'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: 
certificate verify failed Could not retrieve file metadata for 
puppet://puppet.lagged.com/plugins: certificate verify failed
info: Loading facts in snmpd
info: Loading facts in diskdrives
info: Loading facts in snmpd
info: Loading facts in diskdrives
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run




Re: [Puppet Users] Puppet certificate

2011-11-02 Thread Aaron Grewell
When I did this in my test environment I removed the entire contents
of the ssldir from the client to make sure that both the client and
server cert were pulled down anew.

On Wed, Nov 2, 2011 at 10:25 AM, TFML mailingl...@theflux.net wrote:
> I'm running in circles with this issue... I accidentally did a 'puppetca 
> --clean --all' and lost all certificates.  I was able to get the puppetmaster 
> running and re-created certificates for the client system, but I get the 
> following error:
>
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for w0f.lagged.com
> info: Retrieving plugin
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
> using 'eval_generate': certificate verify failed
> err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of 
> resource: certificate verify failed Could not retrieve file metadata for 
> puppet://puppet.lagged.com/plugins: certificate verify failed
> info: Loading facts in snmpd
> info: Loading facts in diskdrives
> info: Loading facts in snmpd
> info: Loading facts in diskdrives
> err: Could not retrieve catalog from remote server: certificate verify failed
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run







Re: [Puppet Users] Puppet certificate

2011-11-02 Thread TFML
I've done that... I've checked the ntpd services and they're synced in time... 
Here is what I've done:

On master:
rm -rf ssl
/etc/rc.d/init.d/puppetmaster start
Starting puppetmaster: [  OK  ]
ls ssl
ca  certificate_requests  certs  crl.pem  private  private_keys  public_keys

On client:
rm -rf ssl
puppetd --server=puppet.lagged.com --test
info: Creating a new SSL key for w0f.lagged.com
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for w0f.lagged.com
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

On Master:
puppetca --list
w0f.lagged.com
puppetca --sign w0f.lagged.com
notice: Signed certificate request for w0f.lagged.com
notice: Removing file Puppet::SSL::CertificateRequest w0f.lagged.com at 
'/var/lib/puppet/ssl/ca/requests/w0f.lagged.com.pem'

On client:
puppetd -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for w0f.lagged.com
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 
'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: 
certificate verify failed Could not retrieve file metadata for 
puppet://w0f.lagged.com/plugins: certificate verify failed
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

Any suggestions?

On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:

> When I did this in my test environment I removed the entire contents
> of the ssldir from the client to make sure that both the client and
> server cert were pulled down anew.
>
> On Wed, Nov 2, 2011 at 10:25 AM, TFML mailingl...@theflux.net wrote:
>> I'm running in circles with this issue... I accidentally did a 'puppetca 
>> --clean --all' and lost all certificates.  I was able to get the 
>> puppetmaster running and re-created certificates for the client system, but 
>> I get the following error:
>>
>> warning: peer certificate won't be verified in this SSL session
>> info: Caching certificate for w0f.lagged.com
>> info: Retrieving plugin
>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
>> using 'eval_generate': certificate verify failed
>> err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of 
>> resource: certificate verify failed Could not retrieve file metadata for 
>> puppet://puppet.lagged.com/plugins: certificate verify failed
>> info: Loading facts in snmpd
>> info: Loading facts in diskdrives
>> info: Loading facts in snmpd
>> info: Loading facts in diskdrives
>> err: Could not retrieve catalog from remote server: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run




Re: [Puppet Users] Puppet certificate

2011-11-02 Thread TFML
I'm curious... the server FQDN is puppetmaster.lagged.com but I have the server 
as puppet.lagged.com, can that be the cause of the problem?  If so, how would I 
create the certificate to be valid for puppet.lagged.com and not be 
puppetmaster.lagged.com?

On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:

> When I did this in my test environment I removed the entire contents
> of the ssldir from the client to make sure that both the client and
> server cert were pulled down anew.
>
> On Wed, Nov 2, 2011 at 10:25 AM, TFML mailingl...@theflux.net wrote:
>> I'm running in circles with this issue... I accidentally did a 'puppetca 
>> --clean --all' and lost all certificates.  I was able to get the 
>> puppetmaster running and re-created certificates for the client system, but 
>> I get the following error:
>>
>> warning: peer certificate won't be verified in this SSL session
>> info: Caching certificate for w0f.lagged.com
>> info: Retrieving plugin
>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
>> using 'eval_generate': certificate verify failed
>> err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of 
>> resource: certificate verify failed Could not retrieve file metadata for 
>> puppet://puppet.lagged.com/plugins: certificate verify failed
>> info: Loading facts in snmpd
>> info: Loading facts in diskdrives
>> info: Loading facts in snmpd
>> info: Loading facts in diskdrives
>> err: Could not retrieve catalog from remote server: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run




Re: [Puppet Users] Puppet certificate

2011-11-02 Thread Aaron Grewell
What version of Puppet are you using?  The old method of doing this
had a serious security problem, so the newer releases have a different
config method for assigning the acceptable aliases for a cert.

On Wed, Nov 2, 2011 at 11:26 AM, TFML mailingl...@theflux.net wrote:
> I'm curious... the server FQDN is puppetmaster.lagged.com but I have the 
> server as puppet.lagged.com, can that be the cause of the problem?  If so, how 
> would I create the certificate to be valid for puppet.lagged.com and not be 
> puppetmaster.lagged.com?
>
> On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:
>
>> When I did this in my test environment I removed the entire contents
>> of the ssldir from the client to make sure that both the client and
>> server cert were pulled down anew.
>>
>> On Wed, Nov 2, 2011 at 10:25 AM, TFML mailingl...@theflux.net wrote:
>>> I'm running in circles with this issue... I accidentally did a 'puppetca 
>>> --clean --all' and lost all certificates.  I was able to get the 
>>> puppetmaster running and re-created certificates for the client system, but 
>>> I get the following error:
>>>
>>> warning: peer certificate won't be verified in this SSL session
>>> info: Caching certificate for w0f.lagged.com
>>> info: Retrieving plugin
>>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
>>> using 'eval_generate': certificate verify failed
>>> err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of 
>>> resource: certificate verify failed Could not retrieve file metadata for 
>>> puppet://puppet.lagged.com/plugins: certificate verify failed
>>> info: Loading facts in snmpd
>>> info: Loading facts in diskdrives
>>> info: Loading facts in snmpd
>>> info: Loading facts in diskdrives
>>> err: Could not retrieve catalog from remote server: certificate verify 
>>> failed
>>> warning: Not using cache on failed catalog
>>> err: Could not retrieve catalog; skipping run




Re: [Puppet Users] Puppet certificate

2011-11-02 Thread TFML
I was able to resolve my own issue.  It ended up being the SSL certificate, I 
had to recreate one manually on the master server.  Thanks!

On Nov 2, 2011, at 2:50 PM, Aaron Grewell wrote:

> What version of Puppet are you using?  The old method of doing this
> had a serious security problem, so the newer releases have a different
> config method for assigning the acceptable aliases for a cert.
>
> On Wed, Nov 2, 2011 at 11:26 AM, TFML mailingl...@theflux.net wrote:
>> I'm curious... the server FQDN is puppetmaster.lagged.com but I have the
>> server as puppet.lagged.com, can that be the cause of the problem?  If so
>> how would I create the certificate to be valid for puppet.lagged.com and not
>> be puppetmaster.lagged.com
>> On Nov 2, 2011, at 2:01 PM, Aaron Grewell wrote:
>>
>>> When I did this in my test environment I removed the entire contents
>>> of the ssldir from the client to make sure that both the client and
>>> server cert were pulled down anew.
>>>
>>> On Wed, Nov 2, 2011 at 10:25 AM, TFML mailingl...@theflux.net wrote:
>>>> I'm running in circles with this issue... I accidentally did a 'puppetca
>>>> --clean --all' and lost all certificates.  I was able to get the
>>>> puppetmaster running and re-created certificates for the client system,
>>>> but I get the following error:
>>>>
>>>> warning: peer certificate won't be verified in this SSL session
>>>> info: Caching certificate for w0f.lagged.com
>>>> info: Retrieving plugin
>>>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
>>>> using 'eval_generate': certificate verify failed
>>>> err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
>>>> resource: certificate verify failed Could not retrieve file metadata for
>>>> puppet://puppet.lagged.com/plugins: certificate verify failed
>>>> info: Loading facts in snmpd
>>>> info: Loading facts in diskdrives
>>>> info: Loading facts in snmpd
>>>> info: Loading facts in diskdrives
>>>> err: Could not retrieve catalog from remote server: certificate verify
>>>> failed
>>>> warning: Not using cache on failed catalog
>>>> err: Could not retrieve catalog; skipping run
 



[Puppet Users] Puppet Certificate problems, solved

2011-09-12 Thread Simon Bazley
I kept getting the hostname not match error:-

err: Could not retrieve catalog from remote server: hostname not match
with the server certificate

I found lots of references which suggested the problem could be to do
with the mismatch of hostnames, because the puppet master and puppet
client are on completely different domains.

http://groups.google.com/group/puppet-users/browse_thread/thread/6a3c3dbe91a72c86/48164bdd904f05a1?lnk=gstq=Re%3A+[Puppet+Users]+Hostname+was+not+a+match+with+the+server+certificate+--+Arrgh!+#

suggested I needed puppet.domain DNS entries in the server
certificate, so I tried re-generating the server certificate with
certdnsname=puppet.toycollector.com:puppet.themartingale.com but I
still got the same error on the client.

I finally solved the problem.  I was identifying the server to the
client using --fqdn=<client name>.<client domain> --server=<ip>, and
thinking the problem was to do with the cert not being identified as
puppet.<client domain>.

The client FQDN is irrelevant, and the problem was the --server=<ip>
statement.

Whatever you use in the --server=<server> statement, be it DNS name or
IP, it has to be listed in the server's certificate, so if you intend
to use --server=<ip> then you need to add that IP to the certdnsname
parameter.

Hopefully this will save someone the time I spent working it out.

Simon
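
An added example (not part of the post above and not Puppet's own code): the rule described there, that whatever is passed to --server must be listed in the server's certificate, checked with Ruby's standard OpenSSL::SSL.verify_certificate_identity. The certificates, the example.test names, the 192.0.2.x addresses and the helper functions are constructed for illustration, and the names are put into subjectAltName directly rather than through certdnsname.

```ruby
require "openssl"

# Build a throwaway self-signed certificate (constructed sample data).
# cn        - subject common name
# alt_names - subjectAltName entries in OpenSSL syntax ("DNS:..." / "IP:...")
def build_sample_cert(cn, alt_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509 v3
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    cert.add_extension(ef.create_extension("subjectAltName", alt_names.join(","), false))
  end
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Every name the certificate carries: the subject CN plus any SAN entries.
def certificate_names(cert)
  names = cert.subject.to_a.select { |oid, _v, _t| oid == "CN" }
              .map { |_oid, value, _t| "CN:#{value}" }
  san = cert.extensions.find { |ext| ext.oid == "subjectAltName" }
  names + (san ? san.value.split(/,\s*/) : [])
end

# True when the value a client would pass to --server (DNS name or IP)
# is covered by the certificate, using Ruby's own identity check.
def server_value_accepted?(cert, server)
  OpenSSL::SSL.verify_certificate_identity(cert, server)
end

# Check several candidate --server values against one certificate.
def audit(cert, candidates)
  candidates.map { |server| [server, server_value_accepted?(cert, server)] }.to_h
end

# Constructed certificate: CN is the machine's FQDN, the SAN lists the
# alias and one IP address.
SAMPLE_CERT = build_sample_cert(
  "puppetmaster.example.test",
  ["DNS:puppet.example.test", "IP:192.0.2.10"]
)
# Constructed certificate with no SAN at all, only the CN.
CN_ONLY_CERT = build_sample_cert("puppetmaster.example.test", [])

CANDIDATES = [
  "puppet.example.test",       # alias listed in the SAN
  "192.0.2.10",                # IP listed in the SAN
  "192.0.2.11",                # IP not listed anywhere
  "puppetmaster.example.test"  # CN only: ignored once SAN entries exist
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "names in certificate: #{certificate_names(SAMPLE_CERT).join(', ')}"
  audit(SAMPLE_CERT, CANDIDATES).each do |server, ok|
    puts format("--server=%-28s %s", server, ok ? "accepted" : "rejected")
  end
end
```

Once a certificate carries DNS or IP subjectAltName entries, this check no longer falls back to the CN, so the machine's own FQDN has to be listed there too if clients will use it.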




Re: [Puppet Users] puppet certificate request error

2011-03-28 Thread KarthiKeyan. Kesavan
Hi,

Thanks a lot.

I followed your steps and revoked the cert for the client. Now it's working
fine.

Thanks a lot.

Regards

K.KarthiKeyan

On Sun, Mar 27, 2011 at 5:04 AM, Denmat tu2bg...@gmail.com wrote:

> Hi,
>
> Okay, start again then (assuming you are still testing out puppet).
>
> Remove the puppet 'ssl' directory contents on the server and the client.
> Check your host clocks are in sync.
> Start the puppetmaster on the server with --no-daemonize --verbose
>
> That will generate the CA again for the server.
>
> On the client issue the following:
> puppetd --verbose --waitforcert 60 --server puppet.domain --noop
>
> If this still fails check the certname you are using in your certificates.
>
> openssl s_client -connect puppet:8140
>
> Check the subject name is the same as the one you expect. You can specify
> the certname in your puppet client config.
>
> Cheers,
>
> On 26/03/2011, at 23:43, KarthiKeyan. Kesavan ksd@gmail.com wrote:
>
>> hi,
>>
>> Thanks for your update .
>>
>> Server name is puppet and client name is client .
>>
>> I can do the telnet for server 8140 . even if i am using --waitforcert
>> option i did nt get newly .
>>
>> Please share your suggestions .
>>
>> Cheers
>>
>> K.KarthiKeyan
>>
>> Hi,
>>
>> Verify that the server name you are using is correct (is it 'puppet' or
>> 'puppetmaster'?). Use the --waitforcert option when first signing.
>>
>> Verify that puppetmaster is running on the server. Verify that you can
>> access port 8140 on the server from the client.
>>
>> Cheers,
>>
>> On 25/03/2011, at 22:30, CHEBRIAN ksd@gmail.com wrote:
>>
>>> Dear ALL.
>>>
>>> I am trying to generate the ca for my puppet client .
>>>
>>> But it showing the following error
>>>
>>> puppetd --server puppet --test --debug --no-daemonize
>>>
>>> warning: peer certificate won't be verified in this SSL session
>>> err: Could not request certificate: Error 400 on SERVER: undefined
>>> method `info' for nil:NilClass
>>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>>
>>> puppetmaster
>>>
>>> FQDN checks is fine for puppetmaster and client .  pinging perfectly.
>>>
>>> Please guide me to fix this problem .
>>>
>>> Regards
>>> CheBrian
 



Re: [Puppet Users] puppet certificate request error

2011-03-26 Thread KarthiKeyan. Kesavan
Hi,

Thanks for your update.

Server name is puppet and client name is client.

I can do the telnet for server 8140. Even if I am using --waitforcert
option I didn't get newly.

Please share your suggestions.

Cheers

K.KarthiKeyan



> Hi,
>
> Verify that the server name you are using is correct (is it 'puppet' or
> 'puppetmaster'?). Use the --waitforcert option when first signing.
>
> Verify that puppetmaster is running on the server. Verify that you can
> access port 8140 on the server from the client.
>
> Cheers,
>
> On 25/03/2011, at 22:30, CHEBRIAN ksd@gmail.com wrote:
>
>> Dear ALL.
>>
>> I am trying to generate the ca for my puppet client .
>>
>> But it showing the following error
>>
>> puppetd --server puppet --test --debug --no-daemonize
>>
>> warning: peer certificate won't be verified in this SSL session
>> err: Could not request certificate: Error 400 on SERVER: undefined
>> method `info' for nil:NilClass
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> puppetmaster
>>
>> FQDN checks is fine for puppetmaster and client .  pinging perfectly.
>>
>> Please guide me to fix this problem .
>>
>> Regards
>> CheBrian
 



Re: [Puppet Users] puppet certificate request error

2011-03-26 Thread Denmat
Hi,

Okay, start again then (assuming you are still testing out puppet).

Remove the puppet 'ssl' directory contents on the server and the client. Check 
your host clocks are in sync.
Start the puppetmaster on the server with --no-daemonize --verbose

That will generate the CA again for the server.

On the client issue the following:
puppetd --verbose --waitforcert 60 --server puppet.domain --noop 

If this still fails check the certname you are using in your certificates. 

openssl s_client -connect puppet:8140 

Check the subject name is the same as the one you expect. You can specify the 
certname in your puppet client config.

Cheers,

On 26/03/2011, at 23:43, KarthiKeyan. Kesavan ksd@gmail.com wrote:

> hi,
>
> Thanks for your update .
>
> Server name is puppet and client name is client .
>
> I can do the telnet for server 8140 . even if i am using --waitforcert option
> i did nt get newly .
>
> Please share your suggestions .
>
> Cheers
>
> K.KarthiKeyan
>
> Hi,
>
> Verify that the server name you are using is correct (is it 'puppet' or
> 'puppetmaster'?). Use the --waitforcert option when first signing.
>
> Verify that puppetmaster is running on the server. Verify that you can access
> port 8140 on the server from the client.
>
> Cheers,
>
> On 25/03/2011, at 22:30, CHEBRIAN ksd@gmail.com wrote:
>
>> Dear ALL.
>>
>> I am trying to generate the ca for my puppet client .
>>
>> But it showing the following error
>>
>> puppetd --server puppet --test --debug --no-daemonize
>>
>> warning: peer certificate won't be verified in this SSL session
>> err: Could not request certificate: Error 400 on SERVER: undefined
>> method `info' for nil:NilClass
>> Exiting; failed to retrieve certificate and waitforcert is disabled
>>
>> puppetmaster
>>
>> FQDN checks is fine for puppetmaster and client .  pinging perfectly.
>>
>> Please guide me to fix this problem .
>>
>> Regards
>> CheBrian
 



[Puppet Users] puppet certificate request error

2011-03-25 Thread CHEBRIAN
Dear ALL.

I am trying to generate the ca for my puppet client.

But it is showing the following error:

puppetd --server puppet --test --debug --no-daemonize

warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Error 400 on SERVER: undefined
method `info' for nil:NilClass
Exiting; failed to retrieve certificate and waitforcert is disabled

puppetmaster

FQDN checks are fine for puppetmaster and client.  Pinging perfectly.

Please guide me to fix this problem.

Regards
CheBrian




Re: [Puppet Users] puppet certificate request error

2011-03-25 Thread Denmat
Hi,

Verify that the server name you are using is correct (is it 'puppet' or 
'puppetmaster'?). Use the --waitforcert option when first signing.

Verify that puppetmaster is running on the server. Verify that you can access 
port 8140 on the server from the client.

Cheers,

On 25/03/2011, at 22:30, CHEBRIAN ksd@gmail.com wrote:

> Dear ALL.
>
> I am trying to generate the ca for my puppet client .
>
> But it showing the following error
>
> puppetd --server puppet --test --debug --no-daemonize
>
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: Error 400 on SERVER: undefined
> method `info' for nil:NilClass
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> puppetmaster
>
> FQDN checks is fine for puppetmaster and client .  pinging perfectly.
>
> Please guide me to fix this problem .
>
> Regards
> CheBrian
 



[Puppet Users] Puppet Certificate verify failed

2011-03-10 Thread Hugo Deprez
Hello,

I am trying to configure a new puppet server on Debian Squeeze, so the
server version will be 2.6.2-4.
I am trying to configure a client running Lenny, the puppet version is
0.25.4-2

I declare the new client with the command :

#puppetd --server puppet.domain.tld --waitforcert 60 --test

on the server :

#puppetca --sign client.domain.tld


When the client finishes executing the first command I have the following
output:


*
info: Caching certificate for host.domain.tld
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: Could not retrieve information from source(s)
puppet://puppet.domain.tld/plugins
info: Caching catalog for host.domain.tld
info: Applying configuration version '1299765672'
info: Creating state file /var/lib/puppet/state/state.yaml
notice: Finished catalog run in 0.01 seconds
*

Then if I run on the client :

# puppetd -vt

I get a certificate error :

*
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of
resource: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate
B: certificate verify failed Could not retrieve file metadata for
puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read
server certificate B: certificate verify failed
err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run



I read some posts about such errors; the date is in sync between the server and
client (using the same ntp server).

Any help appreciated !

Hugo




[Puppet Users] puppet certificate problems

2010-02-26 Thread yurkao
I have a puppet distributed site:
 [*] separate puppet-ca,
 [*] puppet-master rules distribution point,
 [*] puppet-master file-server
 [*] puppet reports
and noticed the following:
1. client does not re-request a new certificate on certificate
revocation\expiration
2. puppetmaster on rules distribution point does not recognize
client's revoked certificate until puppetmaster is restarted (CRL is
synchronized)

I want the puppetd to do the following:
1) client generating a new CSR on certificate expiration\revocation
(optionally by config file) including new key pair
2) client autocleaning\moving expired\revoked certificates
(including keys) to revoked folder on the client
3) client automatically re-requesting a new certificate from puppet-CA
on certificate revocation\expiration (optionally by config file
option)

Is there any version that supports these features? I'm currently running
puppet version 0.24.4
