Even the "Simplest Puppet Install Recipe" apparently isn't simple enough


Mike G.

Sep 3, 2009, 6:10:25 PM
to Puppet Users
I've tried this over and over, and I just cannot get it to work.

I'm trying to do a proof of concept on puppet, so I'm using two CentOS
5.3 systems running in VMs on separate hardware (i.e. the two VMs are
not on the same physical box). I've built the systems from scratch
numerous times, and then pulled down puppet from the rpmforge repo.
In the course of doing so, yum also pulls down the dependencies, which
include facter, ruby and ruby-libs. Everything installs swimmingly.

The box I am using as the server (named vm27) is also running bind and
acting as the name server. The only entries in the domain ("my.net";
yes, it's probably taken on the 'net but I'm running isolated) are
vm27 - 10.192.131.27, and the client - vm33 (10.192.131.33). There is
also a CNAME for 'puppet' which points to vm27.

At this point, I create the /etc/puppet/manifests/site.pp and /etc/
puppet/manifests/classes/sudo.pp files as described at
http://reductivelabs.com/trac/puppet/wiki/SimplestPuppetInstallRecipe.
I then do a 'service start puppetmaster' on vm27. All starts well, as
far as I can tell.

I then go to the client (vm33) and type 'puppetd --verbose'. Below is
the output:

#####

[root@vm33 etc]# puppetd --verbose
info: Creating a new certificate request for vm33.my.net
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/
vm33.my.net.pem
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Got signed certificate
notice: Starting Puppet client version 0.22.4
err: Could not retrieve configuration: Certificates were not trusted:
hostname not match with the server certificate
err: Could not run Puppet::Network::Client::Master: Cannot connect to
server and there is no cached configuration

#####

I constantly get the error above (about the hostname not matching the
server cert). I've scoured the web for answers, found very few, and
none apparently apply to me.

Is there any chance someone on this list could set me straight on
this? I'd really love to try this product out, but these issues are
beginning to drive me batty.

Thanks
Mike

Trevor Hemsley

Sep 4, 2009, 7:29:58 AM
to puppet...@googlegroups.com

That's a very old version. Better try with 0.24.8 from EPEL instead of
rpmforge.

> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate
> err: Could not run Puppet::Network::Client::Master: Cannot connect to
> server and there is no cached configuration
>

Did you sign the cert on the puppet master? puppetca --list then
puppetca --sign vm33.my.net or puppetca --sign --all

--

Trevor Hemsley
Infrastructure Engineer
.................................................
* C A L Y P S O
* Brighton, UK

OFFICE +44 (0) 1273 666 350
FAX +44 (0) 1273 666 351

.................................................
www.calypso.com


Craig Miskell

Sep 6, 2009, 4:59:54 PM
to puppet...@googlegroups.com

>
> [root@vm33 etc]# puppetd --verbose
> info: Creating a new certificate request for vm33.my.net
> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/
> vm33.my.net.pem
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> notice: Got signed certificate
> notice: Starting Puppet client version 0.22.4
> err: Could not retrieve configuration: Certificates were not trusted:
> hostname not match with the server certificate
Here's the probable problem. If you've not modified the puppet.conf on the client, it'll be connecting to "puppet"
(non-FQDN) by default. The certificate on the server, however, will by default be the FQDN of the server itself (so
vm27.my.net), which doesn't match "puppet". You have two options:

1) Change puppet.conf on the client, set "servername = vm27.my.net", or
2) On the puppetmaster, edit puppet.conf and set "certname=puppet", stop puppetmaster, delete the certificates
(/var/lib/puppet/ssl/* is effective, if brutal), then start puppetmaster again so it'll regenerate the certificates.

I went with the latter, so that a simple packaged install of the puppet clients will automatically find the server
without having to customise the config file in the package, or otherwise get the config file out to the client. YMMV.

    openssl s_client -showcerts -connect puppet:8140

is a useful command to see what the name on the certificate is, if the above doesn't work.

> Thanks
> Mike

Hope that points you in the right direction.

--
Craig Miskell
Senior Systems Administrator
Opus International Consultants
I wish there was a knob on the TV to turn up the intelligence. There's
a knob called "brightness", but it doesn't work.
-- Gallagher
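The mismatch Craig describes can be reproduced offline, without a puppetmaster, by looking at which names a certificate actually carries. The script below is an added example, not code from the thread or from Puppet: it generates throwaway self-signed certificates shaped like the two server configurations discussed (the stock one with CN = vm27.my.net, and the "certname=puppet" one), plus a third that carries both names in a subjectAltName, which goes beyond the thread and is an assumption about what a fixed certificate could look like. `cert_names` extracts the subject CN and any DNS SAN entries the way the `openssl s_client -showcerts` output would show them, and `cert_matches_host` performs the hostname check that produced "hostname not match with the server certificate" on vm33. It assumes `openssl` is in PATH; the host names come from the thread.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): show why a client that
# connects to "puppet" is rejected by a certificate issued to vm27.my.net,
# and which certificates would satisfy each server name.
# Assumes: openssl in PATH. Names vm27.my.net / puppet are from the thread;
# the cert with a subjectAltName is an assumption, not something Puppet 0.22
# generated.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_cert NAME CN [SAN]: self-signed cert with subject CN=CN and, if SAN is
# given, a subjectAltName such as "DNS:vm27.my.net,DNS:puppet". Prints the path.
make_cert() {
    name=$1; cn=$2; san=$3
    cfg="$WORK/$name.cnf"
    printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=%s\n' "$cn" > "$cfg"
    ext=""
    if [ -n "$san" ]; then
        printf '[ext]\nsubjectAltName=%s\n' "$san" >> "$cfg"
        ext="-extensions ext"
    fi
    # $ext is intentionally unquoted so it splits into two arguments (or none).
    openssl req -x509 -nodes -newkey rsa:2048 -days 1 \
        -keyout "$WORK/$name.key" -out "$WORK/$name.pem" \
        -config "$cfg" $ext 2>/dev/null
    echo "$WORK/$name.pem"
}

# cert_names CERT: print every DNS name the certificate is valid for, one per
# line: the subject CN, then each DNS: entry of subjectAltName if present.
cert_names() {
    openssl x509 -in "$1" -noout -subject | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p'
    openssl x509 -in "$1" -noout -text \
        | sed -n '/Subject Alternative Name/{n;p;}' \
        | tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_matches_host CERT HOST: succeed only when HOST is exactly one of the
# names on CERT. This is the check the client failed: it connected to the
# server name "puppet" but the certificate only said vm27.my.net.
cert_matches_host() {
    cert_names "$1" | grep -qxF "$2"
}

DEFAULT=$(make_cert default vm27.my.net)      # stock puppetmaster: cert name = FQDN
RENAMED=$(make_cert renamed puppet)           # option 2 from the thread: certname=puppet
BOTH=$(make_cert both vm27.my.net "DNS:vm27.my.net,DNS:puppet")  # assumed: both names via SAN

# Same table a client would see for each server name it might be configured with.
for host in puppet vm27.my.net; do
    for cert in "$DEFAULT" "$RENAMED" "$BOTH"; do
        if cert_matches_host "$cert" "$host"; then result=ok; else result=MISMATCH; fi
        echo "server=$host  cert=$(basename "$cert" .pem)  $result"
    done
done
```

Read the table together with the thread: with the stock certificate only `server=vm27.my.net` (Craig's option 1) succeeds; with `certname=puppet` only `server=puppet` succeeds, which is why the renamed certificate binds every client to that one alias and why Luke warns about it; a certificate that lists both names is the only one that satisfies both client configurations. Against a live server, `openssl s_client -showcerts -connect puppet:8140` prints the certificate that `cert_names` would be run over.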

Luke Kanies

Sep 9, 2009, 7:16:26 PM
to puppet...@googlegroups.com

This is necessary for the older versions of puppet, but definitely
shouldn't be necessary for newer versions, and using a blanket
certname setting can cause problems. It's a good idea for older
releases in certain cases, but I don't recommend it unless you have to
use it.

--
When I die, I want go out just like my grandfather, in his sleep,
peaceful and quiet...not kicking and screaming like the other guys in
his car.
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com
