"no certificate found and waitforcert is disabled" on all new puppet clients


paul matthews

Dec 14, 2009, 6:36:05 AM
to puppet...@googlegroups.com
Hi,
I'm not too sure why this has cropped up after working fine for months, but on new clients I get the following errors:

# puppetd --test
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

Most of the articles I've read suggest a much earlier bug. As it's a closed test environment I've set autosign = true in /etc/puppet.conf

Does anyone know how I get round this? Clients are running 0.25.1, server = 0.24.8

Thanks
Paul


--
Paul Matthews
----------------------------------------------------------------------

Ohad Levy

Dec 14, 2009, 6:37:11 AM
to puppet...@googlegroups.com
server must be newer or equal to the clients......

Ohad

--

You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

paul matthews

Dec 14, 2009, 12:09:40 PM
to puppet...@googlegroups.com
Thanks Ohad for pointing this out - schoolboy error on my part.
Unfortunately, this has not fixed things - both server and client are running 25.1.
Do you know of anything else that may be causing this?

Thanks
Paul



--
Paul Matthews
----------------------------------------------------------------------

paul matthews

Dec 15, 2009, 8:39:54 AM
to puppet...@googlegroups.com
After further investigation it seems the problem exists with new 0.25.1 clients.

On the server I run:-
puppetca --clean client.hostname

On the client I run :-
rm /etc/puppet/ssl/certs/client.hostname.pem    

Followed by the command that brings up the error

#  /opt/csw/bin/puppetd --trace --debug --test --factsync --server server.hostname.com

debug: Failed to load library 'shadow' for feature 'libshadow'
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: Puppet::Type::User::ProviderLdap: feature ldap is missing
debug: /File[/var/puppet/run/puppetd.pid]: Autorequiring File[/var/puppet/run]
debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/private_keys/client.hostname.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
debug: /File[/etc/puppet/ssl/public_keys/client.hostname.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
debug: Finishing transaction 75308830 with 0 changes
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate_request for client.hostname.com
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
debug: Using cached certificate for ca
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

I'm afraid it has me really stumped for ideas though

Paul


--
Paul Matthews
----------------------------------------------------------------------

Silviu Paragina

Dec 15, 2009, 10:36:23 AM
to puppet...@googlegroups.com
This looks a lot like this problem:
http://projects.reductivelabs.com/issues/2890
Have you tried rm -rf /etc/puppet/ssl on the client? Or are you avoiding
exactly that?
In 0.25.1 puppet seems to force the usage of the cached certificates
despite the fact that some of the data may be wrong, so you should try
to clean the ca certificate (in case the ca certificate changed), the
certificate request and as a last resort the private key. All this is
done by the above rm. (not sure if you knew all that so that's why I'm
mentioning).



Silviu
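
Added example, not part of the original thread or of Puppet itself: a read-only check of the agent-side SSL cache described in the reply above, using the directory layout shown in the debug output. The function name, the verdict words and the reference copy of the master's CA certificate (obtained out of band) are assumptions.

```shell
#!/bin/sh
# Added example: audit the SSL state a Puppet 0.25.x agent has cached,
# without deleting anything. Layout taken from the debug output in the thread.
#
# audit_ssl_cache SSLDIR CERTNAME [MASTER_CA_COPY]
# Per-file status goes to stderr; one verdict word goes to stdout:
#   clean     nothing cached, the agent starts from scratch
#   stale-ca  cached certs/ca.pem differs from the reference copy
#   signed    a signed certificate for CERTNAME is cached
#   pending   key/CSR/CA cached but no signed certificate (the state in this thread)
audit_ssl_cache() {
    ssldir=$1; certname=$2; master_ca=${3:-}
    found=0
    for rel in certs/ca.pem \
               "certificate_requests/$certname.pem" \
               "private_keys/$certname.pem" \
               "public_keys/$certname.pem" \
               "certs/$certname.pem"; do
        if [ -f "$ssldir/$rel" ]; then
            echo "cached:  $rel" >&2
            found=$((found + 1))
        else
            echo "missing: $rel" >&2
        fi
    done
    # A CA certificate that changed on the master invalidates everything cached.
    if [ -n "$master_ca" ] && [ -f "$ssldir/certs/ca.pem" ] &&
       ! cmp -s "$ssldir/certs/ca.pem" "$master_ca"; then
        echo stale-ca; return 0
    fi
    if [ "$found" -eq 0 ]; then echo clean; return 0; fi
    if [ -f "$ssldir/certs/$certname.pem" ]; then echo signed; return 0; fi
    # Removing only certs/CERTNAME.pem leaves the agent here: it keeps
    # reusing the cached CSR, key and CA certificate.
    echo pending
}

# Stand-alone use: ./audit.sh /etc/puppet/ssl client.hostname.com [ca-copy.pem]
if [ "$#" -ge 2 ]; then
    audit_ssl_cache "$@"
fi
```

A `pending` or `stale-ca` verdict after `puppetca --clean` on the server indicates that the agent still holds cached files beyond the certificate that was deleted by hand.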


paul matthews

Dec 15, 2009, 10:48:51 AM
to puppet...@googlegroups.com
Silviu,

That fixed it. I had assumed removing the .pem file ( /etc/puppet/ssl/certs/client.hostname.pem ) would be enough but removing the whole directory was the answer.

Thanks very much
Paul


--
Paul Matthews
----------------------------------------------------------------------