Hi all,

I am seeing some very curious behaviour with puppet enterprise (on a
trial license to evaluate, before I get redirected there :) )

I have client systems (RHEL) being kickstarted and installing pe-puppet
and a couple of other basic packages, before using
puppet agent -t --environment bootstrap --server PUPPETSERVER

To ensure the rest of the bootstrapping takes place properly.
Only puppet configuration takes place in the 'bootstrap' environment.

This part works fine - I have autosigning configured on my puppetmaster
for these hosts.

I really do not want to have to muck about NFS mounting/copying the
entire PE installation directory on all the boxes here, should we decide
to deploy it. That's really not scalable at all.

It looks like the preliminary puppet run is receiving a cert and then
using that to connect to the puppet master, which works just fine, but
then once the node has rebooted, a completely new key pair appears to
have been generated on the client system, which no longer matches that
on the master.

For more information (and info to back up my point):
http://fpaste.org/WGuW/

I can't quite figure out when this new cert is being created, unless
this is buried somewhere in the PE initial run, which appears to
configure mcollective among many other things, although thus far I
cannot find where this configuration is assigned to nodes, so I'm not
100% clear which classes are applied.


With full debugging enabled, I see the first cert being signed in the
puppetmaster logs, as I'd expect.

Anyone have any ideas or pointers as to where I should start?
I'm at a bit of a loss here.

Stuart
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Jo Rhett at May 22, 2012 at 10:10 am

    On May 22, 2012, at 2:15 AM, Stuart Sears wrote:
    It looks like the preliminary puppet run is receiving a cert and then using that to connect to the puppet master, which works just fine, but then once the node has rebooted, a completely new key pair appears to have been generated on the client system, which no longer matches that on the master.
    Seems likely that your host name is changing, thus it is generating a new certificate for the new hostname. I'll bet that if you can make the hostname/domain match between the two boots it will work fine.

    I have also heard of people using a single common cert for bootstrapping which is pre-signed in advance, and then the host gets their real cert after rebooting. YMMV.

    --
    Jo Rhett
    Net Consonance : net philanthropy to improve open source and internet projects.



  • Stuart Sears at May 22, 2012 at 10:13 am
    Unsurprisingly, all my fault, details below.
    On 22/05/12 10:15, Stuart Sears wrote:
    Hi all,

    I am seeing some very curious behaviour with puppet enterprise (on a
    trial license to evaluate, before I get redirected there :) )

    I have client systems (RHEL) being kickstarted and installing pe-puppet
    and a couple of other basic packages, before using
    puppet agent -t --environment bootstrap --server PUPPETSERVER

    To ensure the rest of the bootstrapping takes place properly.
    Only puppet configuration takes place in the 'bootstrap' environment.

    This part works fine - I have autosigning configured on my puppetmaster
    for these hosts.

    I really do not want to have to muck about NFS mounting/copying the
    entire PE installation directory on all the boxes here, should we decide
    to deploy it. That's really not scalable at all.

    It looks like the preliminary puppet run is receiving a cert and then
    using that to connect to the puppet master, which works just fine, but
    then once the node has rebooted, a completely new key pair appears to
    have been generated on the client system, which no longer matches that
    on the master.

    For more information (and info to back up my point):
    http://fpaste.org/WGuW/

    I can't quite figure out when this new cert is being created, unless
    this is buried somewhere in the PE initial run, which appears to
    configure mcollective among many other things, although thus far I
    cannot find where this configuration is assigned to nodes, so I'm not
    100% clear which classes are applied.
    [ After a helpful comment from Vulcane in IRC. Thanks! ]

    My understanding of what went wrong, in case it helps others.

    Okay, there is another private key in /var/opt/lib/pe-puppet/ssl that
    was used for the very first cert request.

    After the preliminary configuration run, puppet switches to using
    /etc/puppetlabs/puppet/ssl, where there is no private key yet. On the
    next run, there being no private key, one is generated. This no longer
    matches the certificate received from the master.

    Now running the original bootstrap puppet with --ssldir
    /etc/puppetlabs/puppet/ssl and all appears well.




    --
    Stuart Sears RHCA etc.
    "It's today!" said Piglet.
    "My favourite day," said Pooh.

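The key/certificate mismatch described in the post above can be confirmed per ssldir by comparing the public key inside the agent certificate with the one derived from the private key stored beside it. This is an added example, not part of the original thread; it assumes the usual ssldir layout (`certs/<certname>.pem`, `private_keys/<certname>.pem`) and an installed `openssl`, and the function name `ssldir_status` is hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): report whether the agent certificate
# in a Puppet ssldir belongs to the private key stored in the same ssldir.
# Assumed layout: <ssldir>/certs/<certname>.pem and
#                 <ssldir>/private_keys/<certname>.pem
#
# Usage, run as root on the agent with the two directories named in the thread:
#   sh check_ssldir.sh "$(hostname -f)" \
#       /var/opt/lib/pe-puppet/ssl /etc/puppetlabs/puppet/ssl

# Prints one of: match, mismatch, no-key, no-cert, bad-key, bad-cert
ssldir_status() {
    ssldir=$1
    certname=$2
    cert="$ssldir/certs/$certname.pem"
    key="$ssldir/private_keys/$certname.pem"

    # A missing key is the state that makes the next agent run generate one.
    [ -f "$key" ] || { echo "no-key"; return 0; }
    [ -f "$cert" ] || { echo "no-cert"; return 0; }

    # Public key embedded in the certificate signed by the master.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) \
        || { echo "bad-cert"; return 0; }
    # Public key derived from the local private key.
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) \
        || { echo "bad-key"; return 0; }

    if [ "$cert_pub" = "$key_pub" ]; then
        echo "match"
    else
        echo "mismatch"
    fi
}

# When called with a certname and one or more ssldirs, report each in turn.
if [ "$#" -ge 2 ]; then
    certname=$1
    shift
    for dir in "$@"; do
        printf '%s: %s\n' "$dir" "$(ssldir_status "$dir" "$certname")"
    done
fi
```

A `match` in the bootstrap ssldir together with `no-key` or `mismatch` in the other one corresponds to the situation described in the post.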

Discussion Overview
group: puppet-users @
categories: puppet
posted: May 22, '12 at 9:15a
active: May 22, '12 at 10:13a
posts: 3
users: 2
website: puppetlabs.com
