FAQ
I am deploying a new puppetmaster. I have old puppet nodes running. The old
master is completely gone.

On puppet client,

sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

But "name or service not known", so I edited /etc/hosts, added *ip_address puppetmaster* to the hosts file.
I ran again, now SSL problem:

err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
I removed /var/lib/puppet/ssl and /etc/puppet/ssl/, and it gave me this
http://pastebin.com/mc1dbXdH
After 5 minutes I cancelled it, realizing it wouldn't go anywhere...

Then I tried this on the master
sudo puppetca --sign server1
It said...
err: Could not call revoke: Could not find a serial number for server1

Did this....
sudo puppetca --sign giab10
err: Could not call sign: Could not find certificate request for giab10
sudo puppetca --list --all
+ my_puppet_master (fingerprint value goes here....)


What should I do? Neither is contacting the other?

Please help? Thanks







--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/wnpR1A1VUyQJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Repoman at Jun 13, 2012 at 8:26 pm
    Okay. I can sign now..
    sudo puppetca -s server1
    Did this on the master, and then ran the test command on the agent... it throws

    sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for server1
    err: Could not retrieve catalog from remote server: hostname was not match
    with the server certificate
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

  • James A. Peltier at Jun 13, 2012 at 9:20 pm

    I just finished a migration, and the issues I ran into were making sure that the DNS names resolved correctly to the new host and that the new host's SSL key was signed by the original CA.

    --
    James A. Peltier
    Manager, IT Services - Research Computing Group
    Simon Fraser University - Burnaby Campus
    Phone : 778-782-6573
    Fax : 778-782-3045
    E-Mail : jpeltier@sfu.ca
    Website : http://www.sfu.ca/itservices
    http://blogs.sfu.ca/people/jpeltier

    Success is to be measured not so much by the position that one has reached
    in life but as by the obstacles they have overcome. - Booker T. Washington

  • Nick Fagerlund at Jun 13, 2012 at 9:23 pm

    On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:

    err: Could not retrieve catalog from remote server: hostname was not match
    with the server certificate
    Hey, repoman,

    This is a dns_alt_names problem. (Setting info:
    http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames)

    Short version is that the hostname you contact the puppet master at MUST be
    included in its SSL certificate. By default, only the master's certname and
    the special default hostname "puppet" are included. If "puppetmaster" isn't
    the certname of your master (check by running puppet master --configprint
    certname), you'll need to either re-generate its cert or configure agents
    to use one of the names in its certificate.

    To view the cert and confirm that "puppetmaster" isn't in it:

    puppet cert print (whatever the master's certname is)

    To regenerate the master's cert:

    puppet cert clean (whatever the master's certname is)
    puppet cert generate --dns_alt_names puppetmaster (whatever the master's
    certname is)

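    As an added illustration of the check Nick describes above (example code written for this page, not code from the thread or from Puppet itself), the following Python models how a TLS client such as the agent decides whether the name it used to contact the server is covered by the server's certificate. The certificate structures are constructed here in the layout Python's ssl module uses for getpeercert(), mirroring the thread: certname "master", contacted with --server puppetmaster, before and after the cert is regenerated with --dns_alt_names.

```python
"""Hostname-vs-certificate matching as a TLS client performs it.

Added illustration for the dns_alt_names discussion; not Puppet's own code.
The certificate dicts below are constructed for this example and follow the
layout returned by ssl.SSLSocket.getpeercert() in the standard library.
"""


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one DNS name taken from the certificate against the requested hostname.

    Comparison is case-insensitive and ignores a trailing dot. A single '*' is
    accepted only as the entire left-most label (RFC 6125 style): '*.example.com'
    matches 'puppet.example.com' but not 'example.com', 'a.b.example.com', and a
    bare '*' matches nothing.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 2:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is an acceptable name for `cert`.

    When the certificate carries DNS subjectAltName entries, only those are
    consulted; the subject commonName is used solely as a fallback for a
    certificate that has no DNS SAN at all. This is why a name that appears
    only in the CN is not enough once SANs are present.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not dns_names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    dns_names.append(value)
    return any(_dns_name_matches(name, hostname) for name in dns_names)


def check(cert: dict, hostname: str) -> str:
    """One-line verdict for a given --server value, in the spirit of the agent's log."""
    if hostname_matches(cert, hostname):
        return "ok: %s matches the server certificate" % hostname
    return "err: hostname %s was not matched by the server certificate" % hostname


# Constructed: a default master certificate for certname "master". As the thread
# explains, only the certname and the special name "puppet" are included.
OLD_MASTER_CERT = {
    "subject": ((("commonName", "master"),),),
    "subjectAltName": (("DNS", "master"), ("DNS", "puppet")),
}

# Constructed: the certificate after
#   puppet cert generate --dns_alt_names puppetmaster master
# whose SAN line repoman pasted later in the thread (DNS:master, DNS:puppetmaster).
NEW_MASTER_CERT = {
    "subject": ((("commonName", "master"),),),
    "subjectAltName": (("DNS", "master"), ("DNS", "puppetmaster")),
}


if __name__ == "__main__":
    for label, cert in (("default cert", OLD_MASTER_CERT), ("regenerated cert", NEW_MASTER_CERT)):
        for server in ("puppetmaster", "master", "puppet"):
            print("%-16s --server %-13s %s" % (label, server, check(cert, server)))
```

    Running it shows the default cert rejecting "puppetmaster" while accepting "master" and "puppet", and the regenerated cert accepting "puppetmaster" but no longer "puppet", which is the trade-off of listing dns_alt_names explicitly. One practical caveat: the agent evaluates whatever certificate the running master process actually presents, and a master started before the regeneration still has the old certificate loaded, so after regenerating, restart the master and inspect the served certificate rather than the file on disk, for example with `openssl s_client -connect puppetmaster:8140 -showcerts` piped into `openssl x509 -noout -text`, and look for the X509v3 Subject Alternative Name line.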
  • Repoman at Jun 14, 2012 at 1:24 am
    Hi Nick and James,

    You want me to do that on Master? I just did. I can't do that on the client.

    Master:

    $ puppet master --configprint certname
    master (I am using alias name from now on... you see it is not
    puppetmaster)
    $ puppet cert clean master
    notice: Revoked certificate with serial 2
    notice: Removing file Puppet::SSL::Certificate master at
    '/var/lib/puppet/ssl/ca/signed/master.pem'
    notice: Removing file Puppet::SSL::Certificate master at
    '/var/lib/puppet/ssl/certs/master.pem'
    notice: Removing file Puppet::SSL::Key master at
    '/var/lib/puppet/ssl/private_keysmaster.pem'


    $ puppet cert generate --dns_alt_names puppetmaster master
    notice: master has a waiting certificate request
    notice: Signed certificate request for master
    notice: Removing file Puppet::SSL::CertificateRequest master at
    '/var/lib/puppet/ssl/ca/requests/master.pem'
    notice: Removing file Puppet::SSL::CertificateRequest master at
    '/var/lib/puppet/ssl/certificate_requests/master.pem'


    Now I see the following in master.pem
    X509v3 Subject Alternative Name:
    DNS:master, DNS:puppetmaster

    But I ran the test again, and it still complains that it's not matched.

    Thanks.


  • Tas at Jun 14, 2012 at 8:48 pm
    I am instead opening a new one. I realize I am making a big mess... Thanks
    thus far.
