Re: Setting up puppetmaster


repoman

Jun 13, 2012, 4:26:17 PM6/13/12
to puppet...@googlegroups.com
Okay. I can sign now.
sudo puppetca -s server1
Did this on the master, and then ran the test command on the agent... it will throw

sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for server1
err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run


On Wednesday, June 13, 2012 4:20:49 PM UTC-4, repoman wrote:
I am deploying a new puppetmaster. I have old puppet nodes running. The old master is completely gone.

On puppet client,
sudo puppet agent --server puppetmaster --waitforcert 60 --test --verbose

But "name or service not known", so I edited /etc/hosts, added ip_address puppetmaster to the hosts file.
I ran again, now SSL problem:
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run

I removed /var/lib/puppet/ssl and /etc/puppet/ssl/, and it gave me this http://pastebin.com/mc1dbXdH
After 5 minutes I cancelled it, realizing it wouldn't go anywhere...

Then I tried this on the master
sudo puppetca --sign server1

It said...
err: Could not call revoke: Could not find a serial number for server1

Did this....
sudo puppetca --sign giab10
err: Could not call sign: Could not find certificate request for giab10

sudo puppetca --list --all
+ my_puppet_master (fingerprint value goes here....)


What should I do? Neither is contacting the other?

Please help? Thanks

James A. Peltier

Jun 13, 2012, 5:20:22 PM6/13/12
to puppet...@googlegroups.com
----- Original Message -----
| Okay. I can sign now.
| sudo puppetca -s server1
| Did this on the master, and then ran the test command on the agent... it will
| throw
|
| sudo puppet agent --server puppetmaster --waitforcert 60 --test
| --verbose
|
| warning: peer certificate won't be verified in this SSL session
| info: Caching certificate for server1
| err: Could not retrieve catalog from remote server: hostname was not
| match with the server certificate
| warning: Not using cache on failed catalog
| err: Could not retrieve catalog; skipping run

I just finished a migration, and the issues I ran into were making sure that the DNS names resolved correctly to the new host and that the new host's SSL key was signed by the original CA.

--
James A. Peltier
Manager, IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone : 778-782-6573
Fax : 778-782-3045
E-Mail : jpel...@sfu.ca
Website : http://www.sfu.ca/itservices
http://blogs.sfu.ca/people/jpeltier

Success is to be measured not so much by the position that one has reached
in life but as by the obstacles they have overcome. - Booker T. Washington

Nick Fagerlund

Jun 13, 2012, 5:23:32 PM6/13/12
to puppet...@googlegroups.com


On Wednesday, June 13, 2012 1:26:17 PM UTC-7, repoman wrote:
err: Could not retrieve catalog from remote server: hostname was not match with the server certificate
 
Hey, repoman,

This is a dns_alt_names problem. (Setting info: http://docs.puppetlabs.com/references/latest/configuration.html#dnsaltnames)

Short version is that the hostname you contact the puppet master at MUST be included in its SSL certificate. By default, only the master's certname and the special default hostname "puppet" are included. If "puppetmaster" isn't the certname of your master (check by running puppet master --configprint certname), you'll need to either re-generate its cert or configure agents to use one of the names in its certificate.

To view the cert and confirm that "puppetmaster" isn't in it:

puppet cert print (whatever the master's certname is)

To regenerate the master's cert:

puppet cert clean (whatever the master's certname is)
puppet cert generate --dns_alt_names puppetmaster (whatever the master's certname is)
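
The rule Nick states above (the name the agent connects to must appear in the master's certificate) can be checked without touching a live master. The script below is an added example, not from this thread or from Puppet itself: it mints throwaway self-signed certificates with openssl (one carrying the default names a fresh CA gives a master, "master" and "puppet"; one regenerated the way `puppet cert generate --dns_alt_names puppetmaster master` would; plus a SAN-less cert and a wildcard cert to show the general matching rule beyond this thread's case) and reports which hostnames each one covers. The scratch directory, the cert names and the `cert_dns_names`/`name_matches` helpers are assumptions for the demo; against a real master you would point `cert_dns_names` at the master's signed cert under its ssl dir.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet: show which hostnames a
# master certificate actually covers. The agent's "hostname was not match"
# error means the name it connected to is absent from the cert's SAN list.
set -eu

WORK="${TMPDIR:-/tmp}/san-demo.$$"   # hypothetical scratch dir
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Mint a throwaway self-signed cert: CN=$1, subjectAltName=$2 (may be empty
# to produce a legacy cert with no SAN at all), written to $3.
make_cert() {
    cn="$1"; sans="$2"; out="$3"
    if [ -n "$sans" ]; then
        extreq="x509_extensions = ext"
        extsec="[ext]
subjectAltName = $sans"
    else
        extreq=""; extsec=""
    fi
    cat > "$WORK/$cn.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
$extreq
[dn]
CN = $cn
$extsec
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$WORK/$cn.key" -out "$out" -config "$WORK/$cn.cnf" \
        >/dev/null 2>&1
}

# Print the DNS names from the cert's Subject Alternative Name, one per
# line; prints nothing when the extension is absent.
cert_dns_names() {
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS://p'
}

# Succeed if hostname $2 is covered by cert $1. Rule (RFC 6125, which is what
# TLS clients apply): when any SAN is present only the SAN list is consulted;
# otherwise fall back to the subject CN. Matching is case-insensitive and a
# wildcard may only stand for the leftmost label.
name_matches() {
    host=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    names=$(cert_dns_names "$1")
    if [ -z "$names" ]; then
        names=$(openssl x509 -in "$1" -noout -subject \
            | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    fi
    for n in $names; do
        n=$(printf '%s' "$n" | tr 'A-Z' 'a-z')
        case "$n" in
            '*.'*)  # wildcard: host must have a leading label to drop
                if [ "${host#*.}" != "$host" ] && \
                   [ "${host#*.}" = "${n#\*.}" ]; then return 0; fi ;;
            *)      if [ "$n" = "$host" ]; then return 0; fi ;;
        esac
    done
    return 1
}

# Demo certs (constructed). "old" mirrors what a fresh CA gives the master by
# default (certname plus the special name "puppet"); "new" mirrors the result
# of: puppet cert generate --dns_alt_names puppetmaster master
old_cert="$WORK/master-old.pem"; make_cert master "DNS:master,DNS:puppet" "$old_cert"
new_cert="$WORK/master-new.pem"; make_cert master "DNS:master,DNS:puppet,DNS:puppetmaster" "$new_cert"
legacy_cert="$WORK/legacy.pem";  make_cert legacy "" "$legacy_cert"
wild_cert="$WORK/wild.pem";      make_cert wild "DNS:*.example.com" "$wild_cert"

for cert in "$old_cert" "$new_cert" "$legacy_cert" "$wild_cert"; do
    for h in master puppet puppetmaster PUPPETMASTER legacy agent.example.com example.com; do
        if name_matches "$cert" "$h"; then r="ok"; else r="NOT covered"; fi
        printf '%-16s %-20s %s\n' "$(basename "$cert")" "$h" "$r"
    done
done
```

Two practical checks go with this. First, the certificate to inspect is the one the master actually presents, not just the file on disk: a puppet master loads its certificate when the process starts, so after `puppet cert clean`/`puppet cert generate` the master (WEBrick, or the Passenger application) has to be restarted, and `openssl s_client -connect puppetmaster:8140 -showcerts </dev/null` shows what agents are really being handed. Second, `--server puppetmaster` must match a SAN entry exactly as spelled; a fully qualified name in the cert does not cover the short alias, and vice versa.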

repoman

Jun 13, 2012, 9:24:16 PM6/13/12
to puppet...@googlegroups.com
Hi Nick and James,

You want me to do that on Master? I just did. I can't do that on the client.

Master:

$ puppet master --configprint certname
master  (I am using an alias name from now on... you see it is not puppetmaster)
$ puppet cert clean master
notice: Revoked certificate with serial 2
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/ca/signed/master.pem'
notice: Removing file Puppet::SSL::Certificate master at '/var/lib/puppet/ssl/certs/master.pem'
notice: Removing file Puppet::SSL::Key master at '/var/lib/puppet/ssl/private_keys/master.pem'


$ puppet cert generate --dns_alt_names puppetmaster master
notice: master has a waiting certificate request
notice: Signed certificate request for master
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/ca/requests/master.pem'
notice: Removing file Puppet::SSL::CertificateRequest master at '/var/lib/puppet/ssl/certificate_requests/master.pem'


Now I see the following in master.pem
            X509v3 Subject Alternative Name:
                DNS:master, DNS:puppetmaster

But I ran the test again, and it still complains that the hostname does not match.

Thanks.

tas

Jun 14, 2012, 4:48:42 PM6/14/12
to puppet...@googlegroups.com
I am opening a new thread instead. I realize I am making a big mess... Thanks thus far.