I have the following snippet I am using to test with the puppet command:

    node host1 {
        file { "/var/www/target":
            path         => "/var/www/target",
            mode         => 570,
            owner        => apache,
            group        => wheel,
            ensure       => directory,
            recurse      => inf,
            sourceselect => all,
            source       => [ "puppet://host2.fully.qualified.tld/target_results/recent" ],
        }
    }

I run this on host1 with the command

    puppet --verbose --server host1.fully.qualified.tld test.pp | more

and the error I get is

    err: //Node[host1]/File[/var/www/target]: Failed to generate additional resources during transaction: Certificates were not trusted: tlsv1 alert unknown ca
    err: //Node[host1]/File[/var/www/target]: Failed to retrieve current state of resource: Certificates were not trusted: tlsv1 alert unkown ca
    Could not descript /target_results/recent: /etc/puppet/test.pp:16

If I change host1 to host1 in the source array, it works. If I list both, it will produce more or less the same results if host2 is listed first, but it will pull the host1 results before printing the error if host1 is listed first.

In the above output and snippet, I have changed the hostnames, but yes, I have verified that I am using the fqdn, and that it is spelled correctly. My hosts are on a closed network, so I've had to transfer the output by hand.

Thanks!

Luke

On Thu, Sep 24, 2009 at 2:52 AM, Ohad Levy <ohadl...@gmail.com> wrote:
> Yes it should, are you sure you contact the second puppetmaster with its
> FQDN? e.g.
>
> source => puppet://second.foor.com/module/file/....
>
> Ohad
>
> On Thu, Sep 24, 2009 at 2:26 PM, Luke Schierer <luke.schie...@gmail.com> wrote:
>
>> The secondaries are each clients of the first one. Does the
>> puppetmaster process use the same certificate as puppetd?
>>
>> Luke
>>
>> On Sep 23, 2009, at 21:38 EDT, Ohad Levy wrote:
>>
>> > Did you try signing your secondary puppet master as a client of the
>> > first one?
>> >
>> > Make sure you use fqdn when referring to the second one, as its
>> > certificate would be valid to "puppet" or its fqdn.
>> >
>> > Ohad
>> >
>> > On Thu, Sep 24, 2009 at 4:37 AM, lschiere <luke.schie...@gmail.com> wrote:
>> >
>> > I have tried copying over the contents of the /var/lib/puppet/ssl/ca
>> > directory, but apparently something within it is specific to the
>> > host, such that it then complains that the certificates and keys do
>> > not match. I also saw
>> > http://reductivelabs.com/trac/puppet/wiki/MultipleCertificateAuthorities,
>> > but I do not want to put apache on each host. With cfengine2, it was
>> > very simple to have cfservd running on each host, distribute the keys
>> > to each, and then pull result files from the clients to the central
>> > server. I cannot seem to find an example of a similar setup with
>> > puppet.
>> >
>> > Luke
>> >
>> > On Sep 22, 4:30 pm, Luke Schierer <luke.schie...@gmail.com> wrote:
>> > > On Sat, Sep 19, 2009 at 7:53 AM, Luke Schierer <luke.schie...@gmail.com> wrote:
>> > >
>> > > > On Sep 19, 2009, at 05:11 EDT, Peter Meier wrote:
>> > >
>> > > >> The standard way to do that is:
>> > > >>>> source => ["puppet:///foo/file-$hostname","puppet:///foo/file-$lsbdistcodename","puppet:///foo/file"]
>> > > >>>> - check for modules/foo/file-www4, then file-jaunty, then file
>> > >
>> > > >>>> * sourceselect:
>> > >
>> > > >> Whether to copy all valid sources, or just the first one. This parameter
>> > > >> is only used in recursive copies; by default, the first valid source is
>> > > >> the only one used as a recursive source, but if this parameter is set to
>> > > >> all, then all valid sources will have all of their contents copied to
>> > > >> the local host, and for sources that have the same file, the source
>> > > >> earlier in the list will be used. Valid values are first, all.
>> > >
>> > > >> So you can have both variants.
>> > >
>> > > >> cheers pete
>> > >
>> > > > When I tried to do this with
>> > >
>> > > source => [ 'puppet://host1/files/target','puppet://host2/files/target']
>> > > it works fine for the first host, which acts as the puppetmaster, but not
>> > > for the second one. It complains about an unknown CA.
>> > >
>> > > I realize that this is because the CA certificates differ on the two hosts,
>> > > and the certificate puppet is using to pull files is only signed by one of
>> > > the two, the one it gets its configuration from.
>> > >
>> > > Is there a key or keys I can distribute to each node so that I can pull
>> > > files from all of them?
>> > >
>> > > Thanks!
>> > >
>> > > Luke

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
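
The "unknown ca" failure discussed in this thread, reproduced with plain openssl as an added example (not code from any poster, and not Puppet configuration): two independent CAs stand in for the ones on host1 and host2, and a client that trusts only the first rejects a certificate issued by the second, while a trust file holding both CA certificates accepts both. The subject names, file names and temporary directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: every key, certificate and name here is generated on the
# spot in a temporary directory; nothing is read from a real Puppet ssl dir.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# make_ca NAME: create a self-signed CA key and certificate (NAME-ca.pem).
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo CA $1" \
        -keyout "$WORK/$1-ca.key" -out "$WORK/$1-ca.pem" 2>/dev/null
}

# issue_cert CA HOST: create a key for HOST and a certificate signed by CA.
issue_cert() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2.example.test" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$2.csr" -days 2 \
        -CA "$WORK/$1-ca.pem" -CAkey "$WORK/$1-ca.key" \
        -set_serial 1 -out "$WORK/$2.pem" 2>/dev/null
}

# trusts CAFILE HOST: succeed only if HOST's certificate chains to a CA
# contained in CAFILE. This is the check that fails with "unknown ca".
trusts() {
    openssl verify -CAfile "$WORK/$1" "$WORK/$2.pem" >/dev/null 2>&1
}

# Each host runs its own CA and holds a certificate signed by that CA.
make_ca host1
make_ca host2
issue_cert host1 host1
issue_cert host2 host2

# A trust file that contains both CA certificates (public parts only).
cat "$WORK/host1-ca.pem" "$WORK/host2-ca.pem" > "$WORK/bundle.pem"

for ca in host1-ca.pem bundle.pem; do
    for h in host1 host2; do
        if trusts "$ca" "$h"; then r="trusted"; else r="NOT trusted"; fi
        echo "peer trusting $ca: certificate of $h is $r"
    done
done
```

Only the CA certificates go into the combined trust file; the CA private keys never leave the host that owns them.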