FAQ
I have set up two puppet masters (load balanced) with a separate CA
server (ca is set to false on the masters). I brought up a new server for PuppetDB.
It got certs signed from the ca_server and ran puppet agent without any issue.
But when I started PuppetDB and changed the puppet masters' conf to use
PuppetDB (as per the docs for PuppetDB), this error started to appear and
basically stopped the puppet run:

Thu Nov 29 10:17:51 +0000 2012 Puppet (err): Could not retrieve catalog
from remote server: Error 400 on SERVER: Failed to submit 'replace facts'
command for XXX to PuppetDB at puppetdb.aus-tx.colo:8081: SSL_connect
SYSCALL returned=5 errno=0 state=SSLv3 read finished A

The PuppetDB log throws:

[qtp665563146-341] [io.nio] javax.net.ssl.SSLHandshakeException: null
cert chain

I tested an https curl using the command:
curl -H "Accept: application/json" 'https://puppetdb:8081/facts' --cacert
/var/lib/puppet/ssl/certs/ca.pem --cert
/var/lib/puppet/ssl/certs/puppetmaster.pem --key
/var/lib/puppet/ssl/private_keys/puppetmaster.pem

The curl didn't throw any error.

I have been stuck here for a long time. Please do share your expertise.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/DbYcBIS1hqEJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Felipe Salum at Nov 29, 2012 at 6:25 pm
    I had the same setup issue.

    Go to your CA server and copy the puppet master's unique certname .pem from
    /var/lib/puppet/ssl/{certs,private_keys}/ to both your puppet master workers
    and restart apache.

    Also make sure to follow this:
    http://docs.puppetlabs.com/guides/scaling_multiple_masters.html

    The dns_alt_names part is very important:

    $ sudo puppet agent --test --dns_alt_names "master2.example.com,puppet,puppet.example.com"


    I hope it helps; I spent a few hours until I got it figured out :)

    Regards,
    Felipe
  • Kalyana sundaram at Nov 30, 2012 at 8:09 pm
    Thanks Felipe.
    Syncing certs/private keys with the ca_server worked.
    But could somebody help me understand why each master should have the CA
    server's private key?
    How exactly does this authentication process work?
  • Felipe Salum at Nov 30, 2012 at 9:13 pm
    I'm not sure if I'm correct, but this is what I understood after spending a few
    hours on it:

    Let's suppose you have:

    certname: puppet.example.com

    puppet_ca.example.com
    puppet_worker1.example.com
    puppet_worker2.example.com
    puppetdb1.example.com

    Your PuppetDB registered with your CA using the certname puppet.example.com,
    but your puppet workers only have their own certnames
    (puppet_worker1.example.com and puppet_worker2.example.com). When they talk
    with PuppetDB to fetch/replace the facts, PuppetDB doesn't accept their
    certificates because it was registered to the certname puppet.example.com.

    Copying the puppet.example.com certificate from the CA to the workers makes
    them use it when responding to a puppet run under that certname.

    Felipe
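    A check for the mismatch Felipe describes, added here as an example (it is not code from this thread, from Puppet or from PuppetDB): given the certificate and key a master will present, ca.pem, and the certname PuppetDB expects, it reports which of the three conditions fails before any config is touched. It assumes the openssl CLI is installed; the file paths and the expected name are arguments.

```shell
#!/bin/sh
# Added diagnostic; not Puppet's or PuppetDB's own code.
# Checks the client certificate a Puppet master presents to PuppetDB:
#   1. the private key belongs to the certificate,
#   2. the certificate chains to ca.pem (the CA PuppetDB trusts),
#   3. the subject CN or a DNS SAN equals the certname PuppetDB expects.
# Assumes the openssl CLI is installed; nothing on disk is modified.

# check_client_cert CERT_PEM KEY_PEM CA_PEM EXPECTED_CERTNAME
# Prints one line per problem found; returns 0 only when every check passes.
check_client_cert() {
    cert="$1"; key="$2"; ca="$3"; want="$4"; rc=0

    # 1. Compare the public key inside the cert with the one derived from the
    #    private key. A mismatch means no usable client cert reaches the server,
    #    which is the empty client chain PuppetDB logs as "null cert chain".
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl md5)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl md5)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "key $key does not match certificate $cert"; rc=1
    fi

    # 2. The cert must be signed by the same CA whose ca.pem PuppetDB uses.
    if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
        echo "certificate $cert does not verify against $ca"; rc=1
    fi

    # 3. Collect the CN plus DNS SANs and require an exact match with $want.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 \
         | sed -n 's/.*CN=\([^,]*\).*/\1/p')
    sans=$(openssl x509 -in "$cert" -noout -text \
           | grep -A1 'Subject Alternative Name' | tr ',' '\n' \
           | sed -n 's/.*DNS:\([^ ]*\).*/\1/p')
    if ! printf '%s\n%s\n' "$cn" "$sans" | grep -qx "$want"; then
        echo "certificate names [$cn $(echo $sans)] do not include $want"; rc=1
    fi
    return $rc
}

# Stand-alone use: sh check_puppetdb_client_cert.sh CERT KEY CA EXPECTED_NAME
if [ "$#" -eq 4 ]; then
    check_client_cert "$@" && echo "OK: $1 is usable for certname $4"
fi
```

    Run it on each worker with the cert and key the master actually loads and the certname PuppetDB has in its whitelist; the third check is the one that fails in the situation described above.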
  • Kalyana sundaram at Dec 1, 2012 at 9:43 pm
    If I am right, puppet usually sends the cert with its name,
    $ssldir/certs/<node>.pem, and uses the private key
    $ssldir/private_keys/<node>.pem. But now how does it use $ssldir/certs/ca.pem
    and correctly use the private key $ssldir/private_keys/<ca_server>.pem?
    And am I right that PuppetDB requires ca.pem signed by the private key of the CA
    during the fetch/replace request?

