Re: [Puppet Users] puppet cert list yields no certs
On 02/07/2016 04:56 PM, Felix Frank wrote:
> Hi, is this issue still unresolved?

Ah, ignore please - getting back in the game, getting used to Thunderbird (or Google Groups) breaking the threading on occasion :)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/56B769CD.2090905%40Alumni.TU-Berlin.de.
For more options, visit https://groups.google.com/d/optout.

Re: [Puppet Users] puppet cert list yields no certs
Hi, is this issue still unresolved?

On 01/08/2016 12:41 AM, Matt Zagrabelny wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
>> Apparently I was a little too quick on the send button. :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.
>
> -m

Re: [Puppet Users] puppet cert list yields no certs - SOLVED (sort of!)
On Thu, Jan 7, 2016 at 5:41 PM, Matt Zagrabelny wrote:
> On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
>> Apparently I was a little too quick on the send button. :(
>>
>> To continue my previous email:
>>
>> Does 'puppet cert list --all' show any certs at all?
>
> Yep:
>
> # puppet cert list --all
> + "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
> + "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")
>
> I don't remember what I did to get the master to accept the CSR of
> puppet-client-1 earlier, but I did have similar issues where I ran the
> client and the master didn't show any unsigned certs when running
> "puppet cert list".
>
> That was a few weeks ago. I'm just coming back to puppet 3.7 now.

Regenerating the client cert and connecting to the master seems to get me one step further.

client:
find /var/lib/puppet/ssl -name puppet-client.example.net.pem -delete

server:
puppet cert clean puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug

server:
puppet cert list
"puppet-client.example.net" (SHA256) E9:D3:10:D4:A0:0D:C7:BC:1F:FA:70:3E:DD:35:35:6C:1C:5C:D0:48:61:96:25:2F:E7:D2:DA:8F:4E:3F:24:CB
puppet cert sign puppet-client.example.net

client:
puppet agent -t --server puppet-3-7 --debug
[...]
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=unknown state: certificate verify failed: [self signed certificate in certificate chain for /CN=Puppet CA: puppet-3-7.example.net]
Exiting; failed to retrieve certificate and waitforcert is disabled

Then performing the above steps, but clearing out all .pem files on the client seemed to fix the issue.

Cheers!

-m

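Added example, not part of the thread or of Puppet itself: the final error above ("self signed certificate in certificate chain"), next to the agent's repeated "Using cached certificate for ca" debug lines, is consistent with a cached ca.pem on the agent that no longer matches the master's CA, which would explain why removing every .pem file helped. The script below compares the two CA fingerprints so a stale cache can be confirmed before anything is deleted. Assumptions: the master-side path /var/lib/puppet/ssl/ca/ca_crt.pem is the Puppet 3.x default, and the copy of it is brought to the agent over a channel that is already trusted.

```bash
#!/usr/bin/env bash
# Added example: is the agent's cached CA certificate the one the master uses?
# Needs only awk, base64 and sha256sum, so it works where openssl is absent.

# Print the SHA256 fingerprint of the first certificate in a PEM file, in the
# colon-separated upper-case form that `puppet cert list` prints.
pem_fingerprint() {
  local body
  [ -r "$1" ] || return 2
  # Keep only the base64 body of the first BEGIN/END CERTIFICATE block.
  body=$(awk '/-----BEGIN CERTIFICATE-----/ {f=1; next}
              /-----END CERTIFICATE-----/   {exit}
              f' "$1" | tr -d '\r')
  [ -n "$body" ] || return 2
  # The fingerprint is the digest of the DER bytes, i.e. the decoded body.
  printf '%s\n' "$body" | base64 -d | sha256sum | cut -d' ' -f1 |
    tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Return 0 if both files hold the same CA certificate, 1 if they differ,
# 2 if either file is unreadable or contains no certificate.
check_cached_ca() {
  local agent_fp master_fp
  agent_fp=$(pem_fingerprint "$1") || { echo "cannot read $1" >&2; return 2; }
  master_fp=$(pem_fingerprint "$2") || { echo "cannot read $2" >&2; return 2; }
  echo "agent  CA: $agent_fp"
  echo "master CA: $master_fp"
  if [ "$agent_fp" = "$master_fp" ]; then
    echo "match: the cached CA is current"
  else
    echo "MISMATCH: the agent trusts a CA the master does not use"
    return 1
  fi
}

# Usage on the agent (second argument is a trusted copy of the master's
# ca_crt.pem; the file name here is hypothetical):
#   ./check_ca.sh /var/lib/puppet/ssl/certs/ca.pem /root/master_ca_crt.pem
if [ "$#" -eq 2 ]; then check_cached_ca "$1" "$2"; fi
```
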
Re: [Puppet Users] puppet cert list yields no certs
On Thu, Jan 7, 2016 at 5:35 PM, Peter Kristolaitis wrote:
> Apparently I was a little too quick on the send button. :(
>
> To continue my previous email:
>
> Does 'puppet cert list --all' show any certs at all?

Yep:

# puppet cert list --all
+ "puppet-client-1.example.net" (SHA256) A3:73:DC:89:B2:13:D4:C5:7A:58:B9:EB:7E:6A:22:1C:36:97:BD:8F:4C:AD:18:39:2E:F8:10:2C:29:36:F6:82
+ "puppet-3-7.example.net" (SHA256) E6:F6:7D:6C:D8:30:6C:AC:1E:B5:5D:29:E8:11:0C:CB:54:22:BA:B3:96:C1:E2:49:7A:48:CF:3E:F8:12:43:24 (alt names: "DNS:puppet-3-7", "DNS:puppet-3-7.example.net")

I don't remember what I did to get the master to accept the CSR of puppet-client-1 earlier, but I did have similar issues where I ran the client and the master didn't show any unsigned certs when running "puppet cert list".

That was a few weeks ago. I'm just coming back to puppet 3.7 now.

-m

Re: [Puppet Users] puppet cert list yields no certs
Hey Peter,

On Thu, Jan 7, 2016 at 5:28 PM, Peter Kristolaitis wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.

I failed to mention it explicitly:

The client does not have a signed cert. I'm trying to get the master to "accept" the CSR from the client.

-m

>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>>
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m

Re: [Puppet Users] puppet cert list yields no certs
Apparently I was a little too quick on the send button. :(

To continue my previous email:

Does 'puppet cert list --all' show any certs at all? From looking at your debug output, I suspect it won't show the client cert you're looking for, but I just want to make sure.

On 1/7/2016 6:28 PM, Peter Kristolaitis wrote:
> 'puppet cert list' only shows unsigned certs.
>
> 'puppet cert list --all' will show all certs.
>
> On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
>> Greetings,
>>
>> I am attempting to get a puppet 3.7 install off the ground. Please
>> don't ask me to upgrade to 4.X series. :)
>>
>> On the puppet master (puppet-3-7.example.net):
>> # puppet master --no-daemonize --debug
>> [...]
>> Info: Not Found: Could not find certificate puppet-client.example.net
>> Debug: Routes Registered:
>> Debug: Route /^\/v2\.0/
>> Debug: Route /.*/
>> Debug: Evaluating match for Route /^\/v2\.0/
>> Debug: Did not match path ("/production/certificate/puppet-client.example.net")
>> Debug: Evaluating match for Route /.*/
>> Info: Not Found: Could not find certificate puppet-client.example.net
>>
>> On the puppet client:
>> # puppet agent -t --server puppet-3-7 --debug
>> [...]
>> Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
>> Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
>> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
>> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
>> Debug: Finishing transaction 10544780
>> Debug: Using cached certificate for ca
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate_request for puppet-client.example.net
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Debug: Using cached certificate for ca
>> Debug: Creating new connection for https://puppet-3-7:8140
>> Exiting; no certificate found and waitforcert is disabled
>>
>> Then on the master:
>> # puppet cert list
>> #
>>
>> I have a 2.7 puppet environment that works very well and I am well
>> accustomed to dealing with the certs.
>>
>> The auth.conf file looks okay, too:
>>
>> # allow nodes to request a new certificate
>> path /certificate_request
>> auth any
>> method find, save
>> allow *
>>
>> Can anyone help interpret the debug messages above? Or point me in the
>> correct direction?
>>
>> Thanks!
>>
>> -m

Re: [Puppet Users] puppet cert list yields no certs
'puppet cert list' only shows unsigned certs.

'puppet cert list --all' will show all certs.

On 1/7/2016 6:17 PM, Matt Zagrabelny wrote:
> Greetings,
>
> I am attempting to get a puppet 3.7 install off the ground. Please
> don't ask me to upgrade to 4.X series. :)
>
> On the puppet master (puppet-3-7.example.net):
> # puppet master --no-daemonize --debug
> [...]
> Info: Not Found: Could not find certificate puppet-client.example.net
> Debug: Routes Registered:
> Debug: Route /^\/v2\.0/
> Debug: Route /.*/
> Debug: Evaluating match for Route /^\/v2\.0/
> Debug: Did not match path ("/production/certificate/puppet-client.example.net")
> Debug: Evaluating match for Route /.*/
> Info: Not Found: Could not find certificate puppet-client.example.net
>
> On the puppet client:
> # puppet agent -t --server puppet-3-7 --debug
> [...]
> Debug: /File[/var/lib/puppet/ssl/private_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/private_keys]
> Debug: /File[/var/lib/puppet/ssl/public_keys/puppet-client.example.net.pem]: Autorequiring File[/var/lib/puppet/ssl/public_keys]
> Debug: /File[/var/lib/puppet/ssl/certs/ca.pem]: Autorequiring File[/var/lib/puppet/ssl/certs]
> Debug: /File[/var/lib/puppet/facts.d]: Autorequiring File[/var/lib/puppet]
> Debug: Finishing transaction 10544780
> Debug: Using cached certificate for ca
> Debug: Using cached certificate for ca
> Debug: Creating new connection for https://puppet-3-7:8140
> Debug: Using cached certificate_request for puppet-client.example.net
> Debug: Using cached certificate for ca
> Debug: Creating new connection for https://puppet-3-7:8140
> Debug: Creating new connection for https://puppet-3-7:8140
> Debug: Using cached certificate_request for puppet-client.example.net
> Debug: Using cached certificate for ca
> Debug: Creating new connection for https://puppet-3-7:8140
> Debug: Using cached certificate for ca
> Debug: Creating new connection for https://puppet-3-7:8140
> Exiting; no certificate found and waitforcert is disabled
>
> Then on the master:
> # puppet cert list
> #
>
> I have a 2.7 puppet environment that works very well and I am well
> accustomed to dealing with the certs.
>
> The auth.conf file looks okay, too:
>
> # allow nodes to request a new certificate
> path /certificate_request
> auth any
> method find, save
> allow *
>
> Can anyone help interpret the debug messages above? Or point me in the
> correct direction?
>
> Thanks!
>
> -m