Problem with puppet-agent


mfons

Aug 8, 2012, 11:51:31 AM
to Puppet Users, soport...@sothis-ti.com, vale...@redhat.com
On client:
[root@xxx ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
[root@xxx ~]# rpm -qa|grep puppet
puppet-2.6.12-1.el5

On server:
[root@server ~]# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 5.7 (Tikanga)
[root@server ~]# rpm -qa|grep puppet
puppet-server-2.6.12-1.el5
puppet-2.6.12-1.el5
[root@server ~]#

Puppet agent runs on client every 30 minutes, as usual.
Sometimes, it fails with messages:
Aug 8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL key for
xxx.domain.com
Aug 8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL
certificate request for xxx.domain.com
Aug 8 17:30:04 xxx puppet-agent[10416]: Certificate Request
fingerprint (md5): 51:BA:28:EA:61:2B:1C:3B:42:64:48:9E:26:0F:28:F9
Aug 8 17:30:05 xxx puppet-agent[10416]: Could not request
certificate: Error 400 on SERVER: Could not find certificate request
for xxx2.domain.com

We have autosign configured in puppetmaster, because we need to run
puppet client on nodes totally unattended (we might provision a new or
existing node at any time).
The problem is that sometimes when a client runs puppetagent, it fails
requesting a certificate that it does not own.
For example: client xxx.domain.com generates a new certificate, requests
that the puppetmaster sign it, and then it fails because it does
not find the certificate request for xxx2.domain.com.

Maybe, next time, when puppetagent runs again, it succeeds, or it fails
again; there is no rule.

We have a script on the server and the client, running every hour, that
deletes client certificates stored in /var/lib/puppet...... We need this
because we can provision a node with the same hostname at any time, and if
there was an old certificate on the server with the same name it would
fail. This is because we have autosign set to yes in puppetmaster.

jcbollinger

Aug 8, 2012, 5:51:14 PM
to puppet...@googlegroups.com, vale...@redhat.com
Those certificate removal scripts sound awfully suspicious.  My first guess would be that occasionally the client-side script happens to trigger after the client has created its CSR but before it gets the signed certificate back from the master.  I would expect trouble to arise also when clients' certificates are removed from the master before they are removed from the client, so that the client attempts to use a certificate that the master no longer recognizes.

Why do you need to be so aggressive about deleting certificates?  Certificates should never need to be deleted from clients except possibly as part of a complete rebuild.  Client certificates only need to be deleted from the master when you provision a new machine.  The latter should be incorporated into your provisioning process.


John

Denmat

Aug 8, 2012, 6:14:39 PM
to puppet...@googlegroups.com
This sounds like a risky process to me.
Wiping out your certs sounds like a hammer.

Not sure how you are provisioning your nodes, but even an ssh call to the master during the provisioning to remove the cert (if it exists) would be preferable.

Maybe you could look at alternatives, like generating a uuid for your cert names and then removing those hosts that haven't checked in after a determined period (using puppet cert --clean). Check google for more info (I'm currently in transit).

Cheers,
Den
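As an added example (not code from the thread or from Puppet itself) of the approach John and Den describe, here is a small POSIX sh script meant to run on the puppetmaster once, at provisioning time (for instance over ssh from the provisioning host), instead of the hourly wipe of /var/lib/puppet. It uses `puppet cert --clean NAME` from the thread and assumes the Puppet 2.6 CA layout under the ssldir (`ca/signed/NAME.pem` for signed certificates, `ca/requests/NAME.pem` for unsigned CSRs); the `PUPPET_BIN` and `SSLDIR` variables and the `clean_node.sh` name are my own for this example. It refuses to touch a node whose CSR is still pending, which is exactly the window John suspects the hourly script is hitting, and it rejects certnames that are not plain hostnames before passing them to the CLI.

```shell
#!/bin/sh
# Added example, not from the thread or from Puppet: clean one node's
# certificate on the puppetmaster at provisioning time rather than on a timer.
# Assumes the Puppet 2.6 CLI ("puppet cert --clean NAME") and the default CA
# layout under the ssldir; both locations can be overridden for testing.
set -eu

PUPPET_BIN="${PUPPET_BIN:-puppet}"            # assumed: puppet on PATH
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"       # assumed: default ssldir

# Accept only plain lowercase hostnames so the value is safe to hand to the CLI.
valid_certname() {
    case "$1" in
        ''|*[!a-z0-9.-]*|-*|.*|*.|*..*) return 1 ;;
    esac
    return 0
}

# 0 if the master holds a signed certificate for NAME, 1 otherwise.
cert_is_signed() {
    [ -f "$SSLDIR/ca/signed/$1.pem" ]
}

# 0 if an unsigned CSR for NAME is waiting on the master, 1 otherwise.
csr_is_pending() {
    [ -f "$SSLDIR/ca/requests/$1.pem" ]
}

# Remove NAME's certificate from the master, but only when one exists and no
# CSR is in flight for it (a pending CSR with no signed cert means an agent is
# mid-enrolment, which is the race described in the thread).
# Returns 0 on success or no-op, 2 when it refused.
clean_node_cert() {
    name="$1"
    valid_certname "$name" || { echo "refusing invalid certname: $name" >&2; return 2; }
    if csr_is_pending "$name" && ! cert_is_signed "$name"; then
        echo "refusing: CSR pending for $name, agent is enrolling" >&2
        return 2
    fi
    if cert_is_signed "$name"; then
        "$PUPPET_BIN" cert --clean "$name"
        echo "cleaned $name"
    else
        echo "no certificate for $name, nothing to do"
    fi
}

# Usage from the provisioning host:
#   ssh root@puppetmaster /usr/local/sbin/clean_node.sh newhost.domain.com
if [ $# -gt 0 ]; then
    clean_node_cert "$1"
fi
```

Run it once per node as part of the build, before the new agent's first run; after that the certificate never needs touching again, and the agent-side deletion script can go away entirely.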