I have seen this too; I suspect (but have not been able to reduce a simple test case to confirm) that the ruby-openssl bindings in snow leopard are returning EINVAL (thus the "Invalid argument" string) when called from puppet. But it seems the transaction actually succeeds despite the error. When setting up new puppetd on 10.6.x I see this error at each stage of the certificate generation process: key generation, csr generation, cert submission, but re-running after the error bulls it through. This matches what you show with the revocation, where you got an error message but the cert actually was revoked. Very odd and I would love a way to isolate this outside of puppet and report it to the relevant people as it seems to affect all flavours of 10.6 release thus far.
-=Eric On Jun 15, 2010, at 7:28 AM, Jesse Reynolds wrote: > Hello > > I have a puppetmasterd installation running on a Mac OS X 10.6.3 > Server with puppet installed via macports. > > Earlier today it was happily signing requests, before I upgraded > puppet from 0.24.8 to 0.25.4. Now I get "Invalid argument": > > bash-3.2# puppetca --sign bouti.carbonplanet.com > bouti.carbonplanet.com > err: Could not call sign: Invalid argument > > The only mention I can find on the internets of this error is an IRC > chat on 25 May from bdd: > > http://pelin.lovedthanlost.net/puppet/%23puppet-2010-05-25.log.html > > <bdd> interesting. after an upgrade from 0.25.4 to 0.25.5, puppetca > fails to sign new requests with "err: Could not call sign: Invalid > argument" > <jamesturnbull> bdd: clean upgrade? no old code floating around? > <bdd> jamesturnbull: it wasn't a clean upgrade. that's solved. thanks. > > I used mac ports "port upgrade facter" then "port upgrade puppet", is > this not good enough? > > I've also tried to do a revoke, which seems to work but shows a similar error: > > bash-3.2# puppetca --list --all > + 243.carbonplanet.com > (snip) > > bash-3.2# puppetca --revoke 243.carbonplanet.com > 243.carbonplanet.com > notice: Revoked certificate with serial 14 > err: Could not call revoke: Invalid argument > > bash-3.2# puppetca --list --all > - 243.carbonplanet.com (certificate revoked) > (snip) > > > version: > > bash-3.2# puppetca --version > 0.25.4 > > which: > > bash-3.2# which puppetca > /opt/local/sbin/puppetca > > > debug: > > bash-3.2# puppetca --sign bouti.carbonplanet.com --debug > debug: Failed to load library 'selinux' for feature 'selinux' > debug: Failed to load library 'shadow' for feature 'libshadow' > debug: Puppet::Type::User::ProviderUser_role_add: file rolemod does not exist > debug: Puppet::Type::User::ProviderPw: file pw does not exist > debug: Failed to load library 'ldap' for feature 'ldap' > debug: Puppet::Type::User::ProviderLdap: feature ldap is missing > debug: Puppet::Type::User::ProviderUseradd: file userdel does not exist > debug: Puppet::Type::User::ProviderDirectoryservice: Executing > '/usr/bin/dscl -plist . -list /Users' > debug: Puppet::Type::User::ProviderDirectoryservice: Executing > '/usr/bin/dscl -plist . -read /Users/puppet' > debug: /File[/etc/puppet/ssl/ca/requests]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/etc/puppet/ssl/ca/signed]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/var/puppet/lib]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private]: Autorequiring File[/etc/puppet/ssl] > debug: /File[/var/puppet/log]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/ca]: Autorequiring File[/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl/ca/ca_crt.pem]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/etc/puppet/ssl/ca/private]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/etc/puppet/ssl]: Autorequiring File[/etc/puppet] > debug: /File[/etc/puppet/ssl/certificate_requests]: Autorequiring > File[/etc/puppet/ssl] > debug: /File[/var/puppet/facts]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/private_keys]: Autorequiring > File[/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl/certs]: Autorequiring File[/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl/public_keys]: Autorequiring File[/etc/puppet/ssl] > debug: /File[/etc/puppet/ssl/certs/ca.pem]: Autorequiring > File[/etc/puppet/ssl/certs] > debug: > /File[/etc/puppet/ssl/private_keys/sylvester.adelaide.carbonplanet.com.pem]: > Autorequiring File[/etc/puppet/ssl/private_keys] > debug: /File[/etc/puppet/ssl/ca/inventory.txt]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/var/puppet/state]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/ca/ca_crl.pem]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/var/puppet/run]: Autorequiring File[/var/puppet] > debug: /File[/etc/puppet/ssl/ca/private/ca.pass]: Autorequiring > File[/etc/puppet/ssl/ca/private] > debug: /File[/etc/puppet/ssl/ca/serial]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/etc/puppet/ssl/ca/ca_key.pem]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: /File[/etc/puppet/ssl/ca/ca_pub.pem]: Autorequiring > File[/etc/puppet/ssl/ca] > debug: Finishing transaction 2168470120 with 0 changes > bouti.carbonplanet.com > err: Could not call sign: Invalid argument > > Any ideas anyone? > > Thank you > Jesse > > > -- > > Jesse Reynolds > Carbon Planet Limited - http://www.carbonplanet.com/ > Virtual Artists Pty Ltd - http://www.va.com.au/ > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To post to this group, send email to puppet-us...@googlegroups.com. > To unsubscribe from this group, send email to > puppet-users+unsubscr...@googlegroups.com. > For more options, visit this group at > http://groups.google.com/group/puppet-users?hl=en. > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-us...@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
