I am making a huge mess, so I'd rather start over and configure them.

This is a total newbie trying to set up something for his lab.... I think
this would also help many people out there..

*Part I.*
I reinstalled puppetmaster and puppet on the master and client machine.

Here is the /etc/hosts for the master
127.0.0.1 localhost
127.0.1.1 ghive-ldap
10.10.0.57 ghive-ldap.abc.edu ghive-ldap
#10.10.0.57 ghive-ldap.abc.edu puppet
10.10.0.56 giab10

You see the line I commented out? In many tutorials, they say put the
default puppet after there. I am not sure if I am supposed to do that
(repeating a line like that...)? Everything else is default (our sys admin
sets up that way...)

Here is the /etc/hosts on the client
127.0.0.1 localhost
127.0.1.1 giab10

# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
130.55.57.51 ghive-ldap

I can ping puppet, ghive-ldap, giab10.....

So for this step one... how am I supposed to tweak things??? Uncomment what
I have?

----------------
*Part II.*
I started puppetmaster on the master machine like this

Then on client:
sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session

It hangs there, so back to master and check the cert list
sudo puppet cert --list

I got none!

By the way, I have to add double dash in front of list, because of this:
sudo puppet cert list
Invalid method to apply

So what should I do? I am not sure where the Doc covers this...
Should I issue sudo puppetca --sign giab10 on the master???

Please guide me through this. Thanks!


--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/jWD3_YwGhcsJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Dan White at Jun 14, 2012 at 9:53 pm
    Silly Question Number One:

    What node definitions do you have in your manifest ?

    Classically, you have *.pp files in /etc/puppet/manifest/nodes that are referenced from /etc/puppet/manifest/site.pp

    As an example, this line is in my site.pp file:

    import "nodes/*-nodes.pp"


    “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
    Bill Watterson (Calvin & Hobbes)

  • Tas at Jun 14, 2012 at 10:22 pm
    Dear Ygor,

    I am afraid I don't have any node definition. I search through... none.

    We basically first blueprint our blueprint machine, generate puppet files,
    and then move them to the puppetmaster's /etc/puppet/modules
    Then there is an init.pp file.

    root@ghive-ldap:/etc/puppet# ls -r
    ssl modules manifests

    root@ghive-ldap:/etc/puppet/manifests# ls (gives none...)

    root@ghive-ldap:/etc/puppet/modules# ls
    files manifests templates

    root@ghive-ldap:/etc/puppet/modules/manifests# ls
    init.pp

    I don't have site.pp... according to the previous tech's manual (giab012412
    is the blueprint name, used to generate puppets)
    Then, in /etc/puppet/manifests/site.pp modify the line that reads
    "include giab.." to say "include giab012412". This will tell the puppetmaster
    to apply the new giab blueprint to all giabs that connect to it.


    Thanks...
    Sorry for making things so confusing...

    John
  • Dan White at Jun 14, 2012 at 10:26 pm
    Without a default node definition as an absolute minimum,
    what is the Puppet Master supposed to do when queried by the Puppet Client/Agent ?

    I believe it will do exactly what your servers are doing: bupkis !

    http://en.wiktionary.org/wiki/bupkis

    “Sometimes I think the surest sign that intelligent life exists elsewhere in the universe is that none of it has tried to contact us.”
    Bill Watterson (Calvin & Hobbes)

  • Tas at Jun 14, 2012 at 11:39 pm
    Dear Ygor,

    Thank you for the guidance.
    I didn't know we have to specify one... almost every single tutorial I
    visit didn't mention it :( bad...
    http://pratikamin.wordpress.com/2011/05/24/turning-a-blueprint-puppet-recipe-into-a-puppet-deployment/

    Based on that tutorial, since I blueprint my server....

    I ran puppetd --test on client and didn't get anything back. No one is
    waiting to be signed by the master.
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled


    Structure of my Master
    fileserver.conf
    manifests ===> site.pp
    modules ===> giab061112
    ===> files ==> tmp

    ==> xxxxxxxxxxx.tar
    manifests
    ==> init.pp
    templates
    ==> etc files
    ssl

    site.pp has the following ('giab10' is the host name of the client)

    node giab061112 {
      include giab061112
    }

    node 'giab10' inherits giab061112 {
    }

    The fileserver.conf is setup like this (the ip for client is
    10.10.0.56....)
    [giab061112]
    path /etc/puppet/modules/giab061112/files
    allow 10.10.0.0/56

    Any idea? Thanks!



  • Jcbollinger at Jun 15, 2012 at 2:31 pm

    On Thursday, June 14, 2012 6:39:36 PM UTC-5, tas wrote:
    Dear Ygor,

    Thank you for the guidance.
    I didn't know we have to specify one... almost every single tutorial I
    visit didn't mention it :( bad...

    http://pratikamin.wordpress.com/2011/05/24/turning-a-blueprint-puppet-recipe-into-a-puppet-deployment/

    Do you mean like this section from that article?

    4. Edit /etc/puppet/manifests/site.pp, this is the default file puppet
    looks for, and loads first. For now you probably want to do it in here, but
    later put it into node.pp or something(assuming client name is
    blogtest.test.com)

    node vpsblueprint {
    include vps_blueprint
    }

    node 'blogtest.test.com' inherits vpsblueprint{
    }

    This tells puppet for the client connecting with the hostname
    blogtest.test.com it should use the vpsblueprint node, which includes the
    vps_blueprint module.

    I must say that I have not noticed tutorials to be systematically deficient
    in that regard. Puppetlabs's own cover the topic, and I don't recall
    seeing any full-blown tutorials that miss it. More narrowly-focused
    tutorials might omit it where it would be out of scope, of course.

    John

  • Tas at Jun 15, 2012 at 4:24 pm
    Thanks John.
    Yes. So I have a similar node configuration setup, as described in the
    previous post. I am writing out these steps so I can document this and
    hopefully will benefit more people....

    on master:
    service puppetmaster stop
    service puppetmaster start

    on client
    service puppet stop
    puppet agent --test

    Check cert list on master, none.

    *NOW*

    on client, delete sudo rm -rf /var/lib/puppet/ssl
    then run sudo puppetd -tdv

    info: Creating a new SSL key for giab10
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for giab10
    info: Certificate Request fingerprint (md5): FF:FF:...........

    Wow...

    Back to master....

    sudo puppetca --list
    giab10 (FF:FF:...................)
    glasslab@ghive-ldap:~$ sudo puppet cert sign giab1
    notice: Signed certificate request for giab10
    notice: Removing file Puppet::SSL::CertificateRequest giab10 at
    '/etc/puppet/ssl/ca/requests/giab10.pem'
    Cool.

    Can we test again? Back to client...

    sudo puppet agent --test
    err: Could not retrieve catalog from remote server: SSL_connect returned=1
    errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

    AHHHH... Try this? First delete the ssl....

    sudo rm -rf /etc/puppet/ssl/

    giabadmin@giab10:~$ sudo puppet agent --server puppet --waitforcert 60 --test --verbose

    sudo puppet agent --server ghive-ldap --waitforcert 60 --test --verbose

    or
    sudo puppet agent --test

    err: Could not retrieve catalog from remote server: SSL_connect returned=1
    errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog



    NO LUCK....
    Where's the problem?

    Thanks.

  • Tas at Jun 15, 2012 at 4:32 pm
    By the way,

    sudo puppetd -tdv did this again I receive the same SSL error....

    My /etc/hosts on client looks like this
    134.74.77.21 ghive-ldap.domain.com ghive-ldap puppet

    On the client I have this
    127.0.0.1 localhost
    127.0.1.1 ghive-ldap
    10.10.0.57 ghive-ldap.domain.com ghive-ldap
    10.10.0.57 ghive-ldap.domain.com puppet <--------- I added this line myself
    10.10.0.56 giab10
    On Friday, June 15, 2012 12:24:04 PM UTC-4, tas wrote:

    Thanks John.
    Yes. So I have a similar node configuration setup, as described in the
    previous post. I am writing out these steps so I can document this and
    hopefully will benefit more people....

    on master:
    service puppetmaster stop
    service puppetmaster start

    on client
    service puppet stop
    puppet agent --test

    Check cert list on master, none.

    *NOW*

    on client, delete sudo rm -rf /var/lib/puppet/ssl
    then run sudo puppetd -tdv

    info: Creating a new SSL key for giab10
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for giab10
    info: Certificate Request fingerprint (md5): FF:FF:...........

    Wow...

    Back to master....

    sudo puppetca --list
    giab10 (FF:FF:...................)
    glasslab@ghive-ldap:~$ sudo puppet cert sign giab1
    notice: Signed certificate request for giab10
    notice: Removing file Puppet::SSL::CertificateRequest giab10 at
    '/etc/puppet/ssl/ca/requests/giab10.pem'
    Cool.

    Can we test again? Back to client...

    sudo puppet agent --test
    err: Could not retrieve catalog from remote server: SSL_connect returned=1
    errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run

    AHHHH... Try this? First delete the ssl....

    sudo rm -rf /etc/puppet/ssl/

    giabadmin@giab10:~$ sudo puppet agent --server puppet --waitforcert 60
    --test --verbose

    sudo puppet agent --server ghive-ldap --waitforcert 60 --test
    --verbose

    or
    sudo puppet agent --test

    err: Could not retrieve catalog from remote server: SSL_connect returned=1
    errno=0 state=SSLv3 read server certificate B: certificate verify failed
    warning: Not using cache on failed catalog



    NO LUCK....
    Where's the problem?

    Thanks.

    On Friday, June 15, 2012 10:31:50 AM UTC-4, jcbollinger wrote:


    On Thursday, June 14, 2012 6:39:36 PM UTC-5, tas wrote:

    Dear Ygor,

    Thank you for the guidance.
    I didn't know we have to specify one... almost every single tutorial I
    visit didn't mention it :( bad...

    http://pratikamin.wordpress.com/2011/05/24/turning-a-blueprint-puppet-recipe-into-a-puppet-deployment/
    Do you mean like this section from that article?

    4. Edit /etc/puppet/manifests/site.pp, this is the default file puppet
    looks for, and loads first. For now you probably want to do it in here, but
    later put it into node.pp or something(assuming client name is
    blogtest.test.com)

    node vpsblueprint {
    include vps_blueprint
    }

    node 'blogtest.test.com' inherits vpsblueprint{
    }

    This tells puppet for the client connecting with the hostname
    blogtest.test.com it should use the vpsblueprint node, which includes
    the vps_blueprint module.

    I must say that I have not noticed tutorials to be systematically
    deficient in that regard. Puppetlabs's own cover the topic, and I don't
    recall seeing any full-blown tutorials that miss it. More narrowly-focused
    tutorials might omit it where it would be out of scope, of course.

    John
  • Jcbollinger at Jun 15, 2012 at 10:29 pm

    On Friday, June 15, 2012 11:32:11 AM UTC-5, tas wrote:
    By the way,

    sudo puppetd -tdv did this again I receive the same SSL error....

    My /etc/hosts on client looks like this
    134.74.77.21 ghive-ldap.domain.com ghive-ldap puppet

    On the client I have this
    127.0.0.1 localhost
    127.0.1.1 ghive-ldap
    10.10.0.57 ghive-ldap.domain.com ghive-ldap
    10.10.0.57 ghive-ldap.domain.com puppet <--------- I added this line myself
    10.10.0.56 giab10
    That duplication of the entry for 10.10.0.57 is non-standard, and quite
    possibly either won't do what you hope or will have unwanted side effects.
    Hosts lines support multiple aliases, so you should instead append the
    "puppet" alias to the first 10.10.0.57 entry.


    John
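
The merge John recommends above, as an added example that is not part of the original thread: it folds every hosts line that repeats an address into the first entry for that address and reports names listed under more than one address. `merge_hosts` and `SAMPLE_HOSTS` are this example's own names, and the sample file is constructed from the hosts lines quoted in the thread.

```python
import ipaddress

# Constructed sample, modelled on the hosts file quoted in the thread.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
127.0.1.1 ghive-ldap
10.10.0.57 ghive-ldap.domain.com ghive-ldap
10.10.0.57 ghive-ldap.domain.com puppet  # added by hand
10.10.0.56 giab10
"""


def merge_hosts(text):
    """Fold lines that repeat an address into that address's first entry.
    Returns (merged_text, moved, ambiguous). moved maps an address to the
    names appended to its first entry; ambiguous maps a name to every
    address it is listed under. merge_hosts is this example's own helper.
    Host names are compared case-insensitively.
    """
    out, first, moved, seen = [], {}, {}, {}
    for raw in text.splitlines():
        body, _, comment = raw.partition("#")
        fields, comment = body.split(), comment.strip()
        try:
            addr = ipaddress.ip_address(fields[0])
        except (IndexError, ValueError):
            out.append(raw)  # blank, comment-only or malformed: keep as is
            continue
        for name in fields[1:]:
            seen.setdefault(name.lower(), set()).add(addr)
        if addr not in first:
            first[addr] = len(out)
            out.append([fields[0], fields[1:], comment])
            continue
        entry = out[first[addr]]
        for name in fields[1:]:
            if name.lower() not in [n.lower() for n in entry[1]]:
                entry[1].append(name)
                moved.setdefault(str(addr), []).append(name)
        entry[2] = "; ".join(c for c in (entry[2], comment) if c)
    lines = [item if isinstance(item, str)
             else " ".join([item[0]] + item[1]) + ("  # " + item[2] if item[2] else "")
             for item in out]
    ambiguous = {n: sorted(map(str, a)) for n, a in seen.items() if len(a) > 1}
    return "\n".join(lines) + "\n", moved, ambiguous


if __name__ == "__main__":
    merged, moved, ambiguous = merge_hosts(SAMPLE_HOSTS)
    print(merged, moved, ambiguous, sep="\n")
```

On the sample, `ambiguous` flags `ghive-ldap`, which is listed under both 127.0.1.1 and 10.10.0.57; that entry is left for manual review rather than rewritten.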

  • Philip Brown at Jun 15, 2012 at 4:44 pm

    On Thursday, June 14, 2012 3:26:05 PM UTC-7, Ygor wrote:
    Without a default node definition as an absolute minimum,
    what is the Puppet Master supposed to do when queried by the Puppet
    Client/Agent ?

    I believe it will do exactly what your servers are doing: bupkis !


    Minor point of pedantry:

    While I think having node definitions is a good idea; technically
    speaking, I don't think they are required. I think it is possible to have a
    site.pp that does exactly the same thing for all machines, and that is
    technically "legal" puppetry.

    But I'm not an expert, so please take my statement with a grain of salt.


  • Tas at Jun 15, 2012 at 4:57 pm
    Thanks for the suggestion, Philip. Keep this thread alive :))) I mean docs
    are great, but sometimes a more comprehensive step-by-step like this one
    might serve better.
    Any case, anyone know how to deal with the latest issue I have above?

    Thanks...
    On Friday, June 15, 2012 12:44:44 PM UTC-4, Philip Brown wrote:


    On Thursday, June 14, 2012 3:26:05 PM UTC-7, Ygor wrote:

    Without a default node definition as an absolute minimum,
    what is the Puppet Master supposed to do when queried by the Puppet
    Client/Agent ?

    I believe it will do exactly what your servers are doing: bupkis !


    Minor point of pedantry:

    While I think having node definitions is a good idea; technically
    speaking, I don't think they are required. I think it is possible to have a
    site.pp that does exactly the same thing for all machines, and that is
    technically "legal" puppetry.

    But I'm not an expert, so please take my statement with a grain of salt.

Discussion Overview
group: puppet-users
categories: puppet
posted: Jun 14, '12 at 9:35p
active: Jun 15, '12 at 10:29p
posts: 11
users: 4
website: puppetlabs.com
