elch.

Maybe I posted too soon. Figures that I sort of figure it out after being stuck on it for more than a day and finally posting.

I originally generated my CA certs for "puppet.dev", but my CA server was at puppet.dev.ca.mydomain.com, which is what I had set ca_server to. This worked fine on puppet 0.24.8. But now there's some check that fails in ssl.rb when ca_server doesn't match the DNS names in the CA cert. Do a quick switch of ca_server to "puppet.dev" (combined with more /etc/hosts hackery) and the plugins sync. Not only that, it adds crl.pem to /etc/puppet/ssl. I found that I could take crl.pem and put it in $ssldir on another newly upgraded 0.25.2 client, and I wouldn't have to change ca_server. So, it seems that there was some change that makes the pluginsync require crl.pem in 0.25.2 when it didn't before, but my client can't grab that file unless some hostnames/DNS names all line up properly. I might play around a bit more to look for a more graceful "fix"; I don't know if maybe there's something I can change in auth.conf or something. Still mostly stabbing in the dark though. This will probably already be good enough.

On Jan 11, 4:01 pm, Clarence Tso <clarence...@gmail.com> wrote:
> I've found it difficult to upgrade from 0.24.8 to 0.25.2. Things are
> great after I only upgrade the master to 0.25.2, but once the client
> gets switched to 0.25.2, I can't sync plugins/facts anymore. The
> error seems to indicate that it's some SSL issue. Any suggestions
> would be appreciated, as my inability to understand SSL properly
> despite trying numerous times is astounding.
>
> My setup is probably a bit unorthodox. Apache + Mongrel, all my
> masters have identical certificates (literally copied) with CN
> "puppet.dev", but each is in a different datacenter (e.g.
> puppet.dev.us.mydomain.com). Individual machines have their "server"
> directive set to "puppet.dev" so that they could connect to any master,
> but a machine is specifically connected to the proper master by using
> the LOCALDOMAIN environment variable when puppetd is run (so
> something like "LOCALDOMAIN=us.mydomain.com puppetd -vt"). An
> individual puppetmaster will have its hostname set to the fqdn (e.g.
> puppet.dev.us.mydomain.com).
>
> This used to work in 0.24.8, but once I upgrade the client to 0.25.2,
> the pluginsync no longer works. Everything else in terms of executing
> the actual recipes connects and executes, so it doesn't seem like the
> certificates have an inherent problem. It seems the pluginsync
> mechanism has changed, and those specific files don't sync between the
> master/client anymore (before the actual configuration run).
>
> Here is the output from the client in -vdt mode:
>
> debug: Failed to load library 'selinux' for feature 'selinux'
> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
> debug: Puppet::Type::User::ProviderPw: file pw does not exist
> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
> debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
> debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
> debug: /File[/etc/puppet/ssl/private_keys/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/public_keys/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
> debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
> debug: /File[/etc/puppet/ssl/csr_ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
> debug: /File[/etc/puppet/ssl/certs/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
> debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
> debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
> debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
> debug: Finishing transaction -606854728 with 0 changes
> debug: Using cached certificate for ca, good until Mon Jun 30 05:34:58 UTC 2014
> debug: Using cached certificate for ec2-67-202-4-164.compute-1.amazonaws.com, good until Thu Jan 08 01:21:20 UTC 2015
> debug: Loaded state in 0.01 seconds
> info: Retrieving plugin
> debug: Using cached certificate for ca, good until Mon Jun 30 05:34:58 UTC 2014
> debug: Using cached certificate for ec2-67-202-4-164.compute-1.amazonaws.com, good until Thu Jan 08 01:21:20 UTC 2015
> err: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate': hostname was not match with the server certificate
> debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using marshal
> debug: Finishing transaction -607092328 with 0 changes
>
> ....and a bunch of lines executing the recipes that only worked
> because the plugins were already synced back when the machine was on
> puppet 0.24.8
>
> Since the error complains about hostname not matching the certificate,
> I tried changing the server's hostname to "puppet.dev" and rebooting
> the master but still no luck.
>
> Thanks,
> Clarence
-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
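The failure the reply works around (ca_server has to be one of the names the CA certificate was issued for) is ordinary TLS hostname verification, and the "hostname was not match with the server certificate" message is the one Ruby's own OpenSSL binding raises from SSLSocket#post_connection_check. The script below is an added example, not code from this thread or from Puppet: it builds a throwaway self-signed certificate with Ruby's OpenSSL bindings and runs the same identity check Ruby's stdlib uses (OpenSSL::SSL.verify_certificate_identity) against the short name and the datacenter FQDN from the thread. The hostnames, the certificate and its subjectAltName list are constructed for the example; the final case, a cert whose SAN lists every datacenter name so that no /etc/hosts override is needed, is an assumption about what would satisfy the check, not something the thread tested.

```ruby
require 'openssl'

# Build a self-signed CA certificate for +cn+ carrying the given SAN DNS names.
# Constructed sample data for the example; not a real Puppet CA certificate.
def make_cert(cn, san_dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2                       # X.509 v3, needed for extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600

  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  unless san_dns_names.empty?
    san = san_dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
end

# The names a verifier will accept for this certificate: the subject CN plus
# every DNS entry in subjectAltName. Useful when diagnosing a mismatch, since
# the error message does not say which names the certificate actually carries.
def cert_names(cert)
  names = []
  cn = cert.subject.to_a.find { |oid, _value, _type| oid == 'CN' }
  names << cn[1] if cn
  san = cert.extensions.find { |e| e.oid == 'subjectAltName' }
  if san
    san.value.split(',').map(&:strip).each do |entry|
      names << entry.sub(/\ADNS:/, '') if entry.start_with?('DNS:')
    end
  end
  names.uniq
end

# The check Ruby's SSLSocket#post_connection_check performs: SAN DNS names are
# consulted when present (the CN is then ignored); otherwise the CN is used.
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

if __FILE__ == $0
  # The thread's situation: CA cert issued for "puppet.dev" only, while
  # ca_server points at the datacenter FQDN.
  ca = make_cert('puppet.dev', ['puppet.dev'])
  %w[puppet.dev puppet.dev.ca.mydomain.com].each do |host|
    puts format('%-32s accepted=%s  (cert names: %s)',
                host, hostname_matches?(ca, host), cert_names(ca).join(', '))
  end

  # Assumed alternative to /etc/hosts edits: issue the CA cert with every
  # datacenter name in its SAN so each FQDN passes verification directly.
  multi = make_cert('puppet.dev', %w[puppet.dev
                                     puppet.dev.ca.mydomain.com
                                     puppet.dev.us.mydomain.com])
  puts "multi-SAN cert accepts ca FQDN: #{hostname_matches?(multi, 'puppet.dev.ca.mydomain.com')}"
end
```

The check is exact-label matching (with RFC 6125 wildcard rules in the left-most label only), so a CN or SAN of "puppet.dev" never covers "puppet.dev.ca.mydomain.com"; that is why pointing ca_server at "puppet.dev" and resolving it locally made the sync work.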