I've been wrestling to get the puppet ca server to sign client certs and have them successfully reconnect later. I think I've done:

find /var/lib/puppet/ -type f -delete ; sudo find /etc/puppet/ssl -type f -delete ; sudo /usr/sbin/puppetd --server puppet -d -o --no-daemonize --waitforcert 2

...to all my hosts at least 10 times now.

Occasionally I get the:

err: Could not retrieve catalog from remote server: undefined method `closed?' for nil:NilClass

...which, if I simply restart puppetmasterd, resolves the issue for a given host.

In debugging all of this, I had to come up with a way to detect hosts out of sync -- i.e. hosts that should have had an update, but for whatever reason are unable to fetch or apply their catalog. What I've been doing is to distribute /etc/sudoers via puppet, make a change to sudoers (which happens naturally anyway), wait for the client poll interval to pass (actually 2x the poll interval), then run through the fleet looking for out-of-date md5sums of /etc/sudoers to flag a host that is having puppet agent problems.

I am in cert hell, but I'm faithful that I can climb out of this hell.

Is there any tool on the server side that could help indicate failing puppet agents? cfengine had --last-seen and displayed how long since an agent had successfully pulled down cf files. If not tools, what in the logs could I use to write my own tool?
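
The sudoers-checksum sweep described in the post, as an added example that is not part of the original message. It assumes the sweep results were collected into a file of `host md5` lines and that an inventory file lists every host expected to report; the function names, file formats and hash values are constructed for illustration.

```shell
#!/bin/sh
# Flag hosts whose /etc/sudoers checksum does not match the copy puppet serves,
# and hosts that returned no checksum at all (unreachable, or md5sum failed).

# Constructed sample hashes standing in for real md5sum output.
NEW=11111111111111111111111111111111   # checksum of the current sudoers
OLD=22222222222222222222222222222222   # checksum of the previous sudoers

# stale_hosts EXPECTED_MD5 INVENTORY_FILE SWEEP_FILE
#   INVENTORY_FILE: one hostname per line (assumed format)
#   SWEEP_FILE:     "host md5" per line   (assumed format)
stale_hosts() {
    awk -v want="$1" '
        # First file: remember every host that should have reported.
        FILENAME == ARGV[1] { if (NF) inv[$1] = 1; next }
        # Second file: keep the checksum only for known hosts with a hash field.
        NF >= 2 && ($1 in inv) { seen[$1] = $2 }
        END {
            for (h in inv) {
                if (!(h in seen))          print h, "NO-REPORT"
                else if (seen[h] != want)  print h, "STALE", seen[h]
            }
        }
    ' "$2" "$3" | sort
}

# Run the check over a constructed four-host fleet.
demo() {
    dir=$(mktemp -d) || return 1
    printf '%s\n' web01 web02 db01 db02 > "$dir/inventory"
    # web02 still has the old file; db02 never answered the sweep.
    printf '%s\n' "web01 $NEW" "web02 $OLD" "db01 $NEW" > "$dir/sweep"
    stale_hosts "$NEW" "$dir/inventory" "$dir/sweep"
    rm -rf "$dir"
}

demo
```

Checking against the inventory rather than only the sweep output matters here: a host that is down or rejects the connection produces no line at all and would otherwise look healthy.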