FAQ
But I'm game, short of regenerating the new master's certificate & trying
the clients again anything to look at to test that theory?

Time is frequently a good place to look in crypto errors, but we rely on
Kerberos for just about everything which is also very time sensitive so
we're pretty scrupulous about time to the point of running our own stratum
1 CDMA time server. Now that's not to say things never go wrong there, but
when they do it's usually pretty obvious. I hadn't had my monitoring setup
on the new master when I generated the cert so I can't be 100% sure I can
see that the CA's worst offset in the past week was 1.68ms, while testing
yesterday afternoon the new master never got more than 1ms out.

The real kicker is that the FreeBSD clients could connect when calling the
server by it's primary DNS name but not by the shared service name, seems
if time were at issue that would not work either.

One thing that does jump out is the FreeBSD clients are using Ruby1.9 while
the Linux Clients and servers are on 1.8

Also the new master is using openssl 1.0.1 the older masters are using
0.9.8o and the FreeBSD Clients 0.9.8.y, though Linux clients use 0.9.8o and
1.0.1 so don't *think* that's it.

Thanks,
-Jon



On Tue, May 7, 2013 at 5:45 PM, Nathan Valentine wrote:

This smells like a problem related to incorrect system clock when the cert
was generated for the new master.?.

--
---
Nathan Valentine - nathan@puppetlabs.com
Puppet Labs Professional Services
GV: 415.504.2173
Skype: nrvale0

Join us at PuppetConf 2013, August 22-23 in San Francisco -
http://bit.ly/pupconf13
Register now and take advantage of the Early Bird discount - save 25%!

--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an
email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.

Search Discussions

Discussion Posts

Previous

Follow ups

Related Discussions

Discussion Navigation
viewthread | post
posts ‹ prev | 3 of 4 | next ›
Discussion Overview
grouppuppet-users @
categoriespuppet
postedMay 7, '13 at 8:21p
activeMay 8, '13 at 2:12p
posts4
users2
websitepuppetlabs.com

People

Translate

site design / logo © 2022 Grokbase