I ran into a similar issue today and I thought I would share. My co-worker kickstarted a server; puppet gets installed in the kickstart with the appropriate configs. Puppet is responsible for installing and configuring numerous packages and services. It would try to get the cert, and puppetmaster would sign it perfectly fine. However, the client would not trust it. I read around a bunch and nothing came to mind. I was moving the ssl dir and deleting it on the client. Nothing. Finally I checked the date. The client server's date (newly kickstarted) was way out of sync. Way before the certificate on the puppetmaster was created even. I set the time appropriately and everything worked as expected.
To remedy this I added a line in the kickstart file that is generated from a template to set a date (at least the clock will be somewhat closer than two years behind).

-jason

On Jan 13, 7:30 pm, "Ohad Levy" <ohadl...@gmail.com> wrote:
> This error is printed from the client - e.g. the client doesn't trust the
> server..
>
> It is possible to make it work with your setup, however I would not
> recommend to work this way, either have an external CA that signs for all
> puppetmasters, or use certificate chain, it simplifies the setup and
> troubleshooting...
>
> Cheers,
> Ohad
>
> On Wed, Jan 14, 2009 at 10:04 AM, Amos Shapira <amos.shap...@gmail.com> wrote:
>
> > Oops. Replying to my own post, after re-reading one of the messages in
> > this group a few more times
> > (http://groups.google.com/group/puppet-users/msg/559819ffc956337e)
> > while waiting for my experiments to run I
> > finally realised that it's relevant to me too.
> >
> > It turned out that the $fileserver and $urlbase were still pointing to
> > the other server (ds501). So I think what happened is that ds502 got
> > the certificate request, I signed it, then the puppet clients accessed
> > it, got hold of the manifests and even the templates, but they tried
> > to fetch the files from ds501 (the "working" server) which didn't
> > recognise the client certificate and refused access. Once we fixed
> > $fileserver to point to the right server things started dancing again.
> >
> > TAKE AWAY from this (and other tackles by puppet problems): PLEASE
> > make it clear in the log messages where they are coming from and what
> > they complain about - is this error printed by the puppet master? the
> > puppet client? Which host name? What string did it see in the
> > certificate vs. what did it expect?
> >
> > Thanks.
> >
> > --Amos
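
The clock problem described at the top of this thread can be checked directly by comparing the client's clock with the certificate's validity window. The following is an added example, not code from the thread or from Puppet: it parses the output of `openssl x509 -noout -dates` and reports whether a given clock falls before, inside, or after the window. The sample dates, clock values and function names are constructed for illustration.

```python
import calendar
import ssl
import time

# Constructed sample of `openssl x509 -noout -dates` output for a CA certificate.
SAMPLE_DATES = """notBefore=Jan 10 12:00:00 2009 GMT
notAfter=Jan  9 12:00:00 2014 GMT
"""
# Constructed client clock, about two years behind the certificate's start date.
STALE_CLOCK = calendar.timegm((2007, 1, 13, 19, 30, 0))
# Constructed client clock after the time has been set correctly.
FIXED_CLOCK = calendar.timegm((2009, 1, 14, 10, 4, 0))


def parse_dates(text):
    """Return (not_before, not_after) as epoch seconds from openssl -dates output."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("notBefore", "notAfter"):
            # The stdlib helper parses the "Mon DD HH:MM:SS YYYY GMT" form.
            fields[key] = ssl.cert_time_to_seconds(value)
    if set(fields) != {"notBefore", "notAfter"}:
        raise ValueError("expected both notBefore= and notAfter= lines")
    return fields["notBefore"], fields["notAfter"]


def check_clock(text, now=None):
    """Classify a clock against the validity window.

    Returns (status, seconds): how far the clock is before the window
    ("not_yet_valid"), past it ("expired"), or 0 when inside it ("ok").
    """
    now = time.time() if now is None else now
    not_before, not_after = parse_dates(text)
    if now < not_before:
        return "not_yet_valid", int(not_before - now)
    if now > not_after:
        return "expired", int(now - not_after)
    return "ok", 0


if __name__ == "__main__":
    for label, clock in (("stale", STALE_CLOCK), ("fixed", FIXED_CLOCK)):
        status, seconds = check_clock(SAMPLE_DATES, clock)
        print(f"{label} clock: {status} ({seconds // 86400} days off)")
```
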