Re: [Puppet Users] puppet cert list yields no certs

2016-02-07 Thread Felix Frank

On 02/07/2016 04:56 PM, Felix Frank wrote:

Hi,

is this issue still unresolved? 


Ah, ignore please - getting back in the game, getting used to 
Thunderbird (or Google Groups) breaking the threading on occasion :)


--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/56B769CD.2090905%40Alumni.TU-Berlin.de.
For more options, visit https://groups.google.com/d/optout.


Re: [Puppet Users] puppet cert list yields no certs

2016-02-07 Thread Felix Frank

Hi,

is this issue still unresolved?

On 01/08/2016 12:41 AM, Matt Zagrabelny wrote:

On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis  wrote:

Apparently I was a little too quick on the send button.  :(

To continue my previous email:

Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256)
A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256)
E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
(alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of
puppet-client-1 earlier, but I did have similar issues where I ran the
client and the master didn't show any unsigned certs when running
"puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m





Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)

2016-01-08 Thread Matt Zagrabelny
On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny  wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis  wrote:
>> Apparently I was a little too quick on the send button.  :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256)
> A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256)
> E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
> (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get
me one step further.

client:

find /var/lib/puppet/ssl -name puppet-client.example.net.pem -delete

server:

puppet cert clean puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug

server:

puppet cert list
  "puppet-client.example.net" (SHA256)
E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB

puppet cert sign puppet-client.example.net

client:

puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0
state=unknown state: certificate verify failed: [self signed
certificate in certificate chain for /CN=Puppet CA:
puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on
the client seemed to fix the issue.

Cheers!

-m
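
A check that could sit between the "puppet cert list" and "puppet cert sign" steps above, as an added example that is not part of the original post: it parses the listing (including fingerprints wrapped onto their own line, as in the mail) and approves signing only when the pending request's fingerprint equals the one read on the agent host itself, for instance from "puppet agent --fingerprint". The function names and the merged sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# Print "<state> <fingerprint>" for certname $1 from `puppet cert list [--all]`
# output on stdin. State: "+" prefix = signed, "-" = revoked, none = pending.
cert_state() {
    awk -v name="$1" '
        function emit(fp) { print state, toupper(fp); found = 1; exit }
        BEGIN { want = "\"" name "\"" }
        wrapped {                       # fingerprint wrapped onto its own line
            wrapped = 0
            if ($1 ~ /^[0-9A-Fa-f:]+$/) emit($1)
        }
        {
            i = 1; state = "pending"
            if ($1 == "+") { state = "signed"; i = 2 }
            else if ($1 == "-") { state = "revoked"; i = 2 }
            if ($i != want) next
            if ($(i + 2) ~ /^[0-9A-Fa-f:]+$/) emit($(i + 2))
            wrapped = 1
        }
        END { exit(found ? 0 : 1) }
    '
}

# Succeed only if certname $1 is a pending request whose fingerprint equals $2,
# the value read out-of-band on the agent host. Listing is read from stdin.
verify_csr() {
    out=$(cert_state "$1") || { echo "$1: no such entry" >&2; return 2; }
    state=${out%% *}
    fp=${out#* }
    [ "$state" = pending ] || { echo "$1: already $state" >&2; return 3; }
    want=$(printf '%s' "$2" | tr 'abcdef' 'ABCDEF')
    [ "$fp" = "$want" ] || { echo "$1: fingerprint mismatch" >&2; return 1; }
    echo "$1: fingerprint matches, ok to sign"
}

# Constructed sample: the listings quoted in the thread, merged into one.
sample_list() {
    cat <<'EOF'
+ "puppet-client-1.example.net" (SHA256)
A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
  "puppet-client.example.net" (SHA256)
E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB
EOF
}
```

On the master this would be run as: puppet cert list --all | verify_csr puppet-client.example.net "<fingerprint from the agent>" && puppet cert sign puppet-client.example.net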



Re: [Puppet Users] puppet cert list yields no certs

2016-01-07 Thread Matt Zagrabelny
On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis  wrote:
> Apparently I was a little too quick on the send button.  :(
>
> To continue my previous email:
>
> Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256)
A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256)
E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24
(alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of
puppet-client-1 earlier, but I did have similar issues where I ran the
client and the master didn't show any unsigned certs when running
"puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m



Re: [Puppet Users] puppet cert list yields no certs

2016-01-07 Thread Matt Zagrabelny
Hey Peter,

On Thu, Jan 7, 2016 at 5:28 PM, Peter Kristolaitis  wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.

I failed to mention it explicitly:

The client does not have a signed cert. I'm trying to get the master to
"accept" the CSR from the client.

-m

>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path
>> ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug:
>> /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug:
>> /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
>> Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
>> File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m
>>



Re: [Puppet Users] puppet cert list yields no certs

2016-01-07 Thread Peter Kristolaitis

Apparently I was a little too quick on the send button.  :(

To continue my previous email:

Does 'puppet cert list --all' show any certs at all?

From looking at your debug output, I suspect it won't show the client 
cert you're looking for, but I just want to make sure.



On 1/7/2016 6:28 PM, Peter Kristolaitis wrote:

'puppet cert list' only shows unsigned certs.

'puppet cert list --all' will show all certs.


On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:

Greetings,

I am attempting to get a puppet 3.7 install off the ground. Please
don't ask me to upgrade to 4.X series. :)

On the puppet master (puppet-3-7.example.net):
# puppet master --no-daemonize --debug
[...]
Info: Not Found: Could not find certificate puppet-client.example.net
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/certificate/puppet-client.example.net")
Debug: Evaluating match for Route /.*/
Info: Not Found: Could not find certificate puppet-client.example.net

On the puppet client:
# puppet agent -t --server puppet-3-7 --debug
[...]
Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
Debug: Finishing transaction 10544780
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Exiting; no certificate found and waitforcert is disabled

Then on the master:
# puppet cert list
#

I have a 2.7 puppet environment that works very well and I am well
accustomed to dealing with the certs.

The auth.conf file looks okay, too:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Can anyone help interpret the debug messages above? Or point me in the
correct direction?

Thanks!

-m







Re: [Puppet Users] puppet cert list yields no certs

2016-01-07 Thread Peter Kristolaitis

'puppet cert list' only shows unsigned certs.

'puppet cert list --all' will show all certs.


On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:

Greetings,

I am attempting to get a puppet 3.7 install off the ground. Please
don't ask me to upgrade to 4.X series. :)

On the puppet master (puppet-3-7.example.net):
# puppet master --no-daemonize --debug
[...]
Info: Not Found: Could not find certificate puppet-client.example.net
Debug: Routes Registered:
Debug: Route /^\/v2\.0/
Debug: Route /.*/
Debug: Evaluating match for Route /^\/v2\.0/
Debug: Did not match path ("/production/certificate/puppet-client.example.net")
Debug: Evaluating match for Route /.*/
Info: Not Found: Could not find certificate puppet-client.example.net

On the puppet client:
# puppet agent -t --server puppet-3-7 --debug
[...]
Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]:
Autorequiring File[/var/lib/puppet/ssl/private_keys]
Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]:
Autorequiring File[/var/lib/puppet/ssl/public_keys]
Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring
File[/var/lib/puppet/ssl/certs]
Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
Debug: Finishing transaction 10544780
Debug: Using cached certificate for ca
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate_request for puppet-client.example.net
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Debug: Using cached certificate for ca
Debug: Creating new connection for https://puppet-3-7:8140
Exiting; no certificate found and waitforcert is disabled

Then on the master:
# puppet cert list
#

I have a 2.7 puppet environment that works very well and I am well
accustomed to dealing with the certs.

The auth.conf file looks okay, too:

# allow nodes to request a new certificate
path /certificate_request
auth any
method find, save
allow *

Can anyone help interpret the debug messages above? Or point me in the
correct direction?

Thanks!

-m


