You might just want to go with a full CA hierarchy as explained in the
scalability guide.

I think that many of your headaches would go away.

reductivelabs.com/trac/puppet/wiki/PuppetScalability

Trevor

On 01/11/2010 05:32 PM, Clarence Tso wrote:
> elch. Maybe I posted too soon. Figures that I sort of figure it out
> after being stuck on it for more than a day and finally posting.
>
> I originally generated my CA certs for "puppet.dev", but my CA server
> was at puppet.dev.ca.mydomain.com, which is what I had set ca_server
> to. This worked fine on puppet 0.24.8. But now there's some check
> that fails in ssl.rb when ca_server doesn't match the DNS names in the
> CA cert. Do a quick switch of ca_server to "puppet.dev" (combined with
> more /etc/hosts hackery) and the plugins sync. Not only that, it adds
> crl.pem to /etc/puppet/ssl. I found that I could take crl.pem and put
> it in $ssldir on another newly upgraded 0.25.2 client, and I wouldn't
> have to change ca_server. So, it seems that there was some change
> that makes the pluginsync require crl.pem in 0.25.2 when it didn't
> before, but my client can't grab that file unless some hostnames/DNS
> names all line up properly.
>
> I might play around a bit more to look for a more graceful "fix",
> don't know if maybe there's something I can change in auth.conf or
> something. Still mostly stabbing in the dark though. This will
> probably already be good enough.
>
> On Jan 11, 4:01 pm, Clarence Tso <clarence...@gmail.com> wrote:
>> I've found it difficult to upgrade from 0.24.8 to 0.25.2. Things are
>> great after I only upgrade the master to 0.25.2, but once the client
>> gets switched to 0.25.2, I can't sync plugins/facts anymore. The
>> error seems to indicate that it's some SSL issue. Any suggestions
>> would be appreciated, as my inability to understand SSL properly
>> despite trying numerous times is astounding.
>>
>> My setup is probably a bit unorthodox. Apache + Mongrel, all my
>> masters have identical certificates (literally copied) with CN
>> "puppet.dev", but each is in a different datacenter (e.g.
>> puppet.dev.us.mydomain.com). Individual machines have their "server"
>> directive set to "puppet.dev" so that they can connect to any master,
>> but a machine is specifically connected to the proper master by using
>> the LOCALDOMAIN environment variable when puppetd is run (so
>> something like "LOCALDOMAIN=us.mydomain.com puppetd -vt"). An
>> individual puppetmaster will have its hostname set to the FQDN (e.g.
>> puppet.dev.us.mydomain.com).
>>
>> This used to work in 0.24.8, but once I upgrade the client to 0.25.2,
>> the pluginsync no longer works. Everything else in terms of executing
>> the actual recipes connects and executes, so it doesn't seem like the
>> certificates have an inherent problem. It seems the pluginsync
>> mechanism has changed, and those specific files don't sync between the
>> master/client anymore (before the actual configuration run).
>>
>> Here is the output from the client in -vdt mode:
>>
>> debug: Failed to load library 'selinux' for feature 'selinux'
>> debug: Puppet::Type::User::ProviderLdap: true value when expecting false
>> debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
>> debug: Puppet::Type::User::ProviderPw: file pw does not exist
>> debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
>> debug: /File[/var/puppet/client_yaml]: Autorequiring File[/var/puppet]
>> debug: /File[/var/puppet/state/state.yaml]: Autorequiring File[/var/puppet/state]
>> debug: /File[/var/puppet/state/graphs]: Autorequiring File[/var/puppet/state]
>> debug: /File[/etc/puppet/ssl/private_keys/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/private_keys]
>> debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl]
>> debug: /File[/etc/puppet/ssl/public_keys/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/public_keys]
>> debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet]
>> debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring File[/etc/puppet/ssl]
>> debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet]
>> debug: /File[/etc/puppet/ssl/csr_ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl]
>> debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl]
>> debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl]
>> debug: /File[/etc/puppet/ssl/certs/ec2-67-202-4-164.compute-1.amazonaws.com.pem]: Autorequiring File[/etc/puppet/ssl/certs]
>> debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring File[/etc/puppet/ssl/certs]
>> debug: /File[/etc/puppet/puppet.conf]: Autorequiring File[/etc/puppet]
>> debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet]
>> debug: /File[/var/puppet/clientbucket]: Autorequiring File[/var/puppet]
>> debug: /File[/var/puppet/state/classes.txt]: Autorequiring File[/var/puppet/state]
>> debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet]
>> debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet]
>> debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring File[/etc/puppet/ssl]
>> debug: Finishing transaction -606854728 with 0 changes
>> debug: Using cached certificate for ca, good until Mon Jun 30 05:34:58 UTC 2014
>> debug: Using cached certificate for ec2-67-202-4-164.compute-1.amazonaws.com, good until Thu Jan 08 01:21:20 UTC 2015
>> debug: Loaded state in 0.01 seconds
>> info: Retrieving plugin
>> debug: Using cached certificate for ca, good until Mon Jun 30 05:34:58 UTC 2014
>> debug: Using cached certificate for ec2-67-202-4-164.compute-1.amazonaws.com, good until Thu Jan 08 01:21:20 UTC 2015
>> err: /File[/var/puppet/lib]: Failed to generate additional resources using 'eval_generate': hostname was not match with the server certificate
>> debug: file_metadata supports formats: b64_zlib_yaml marshal pson raw yaml; using marshal
>> debug: Finishing transaction -607092328 with 0 changes
>> ....and a bunch of lines executing the recipes that only worked
>> because the plugins were already synced back when the machine was on
>> puppet 0.24.8
>>
>> Since the error complains about hostname not matching the certificate,
>> I tried changing the server's hostname to "puppet.dev" and rebooting
>> the master but still no luck.
>>
>> Thanks,
>> Clarence

-- 
Trevor Vaughan
Vice President, Onyx Point, Inc.
email: tvaug...@onyxpoint.com
phone: 410-541-ONYX (6699)

-- This account not approved for unencrypted sensitive information --
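The identity check behind the quoted "hostname was not match with the server certificate" error, as an added example that is not part of this thread or of Puppet's code: Ruby's Net::HTTP runs OpenSSL::SSL.verify_certificate_identity after the handshake, and it accepts the name the client dialled only if it appears among the certificate's DNS subjectAltNames (falling back to the CN when there are none). The certificates below are constructed self-signed test data using the hostnames from the thread; a real Puppet CA would sign them with the CA key.

```ruby
require 'openssl'

# Build a self-signed X.509v3 certificate with the given CN and DNS SANs.
# Constructed test data only; a production cert is signed by the CA key.
def build_cert(cn, dns_names)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, needed to carry extensions
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  unless dns_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new
    ef.subject_certificate = cert
    ef.issuer_certificate  = cert
    san = dns_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Same check Net::HTTP#post_connection_check applies to the peer cert:
# is the hostname we connected to one of the names the cert was issued for?
def hostname_matches?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# Cert as described in the thread: issued for "puppet.dev" only.
NARROW_CERT = build_cert('puppet.dev', ['puppet.dev'])
# Cert that also lists the per-site FQDNs clients actually dial.
WIDE_CERT = build_cert('puppet.dev', ['puppet.dev',
                                      'puppet.dev.ca.mydomain.com',
                                      'puppet.dev.us.mydomain.com'])

if __FILE__ == $0
  { 'narrow' => NARROW_CERT, 'wide' => WIDE_CERT }.each do |label, c|
    %w[puppet.dev puppet.dev.ca.mydomain.com].each do |host|
      puts "#{label} cert vs #{host}: #{hostname_matches?(c, host)}"
    end
  end
end
```

Issuing the master and CA certificates with every name clients dial (the shared "puppet.dev" plus each site's FQDN) lets the check pass without /etc/hosts edits or a mismatched ca_server.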