Hi, I have the annoying problem that the puppet master cannot connect
to itself. It fails with:

puppet# puppetd --test
err: Could not retrieve catalog from remote server: SSL_connect returned=1
errno=0 state=SSLv3 read finished A: tlsv1 alert decrypt error


History:

I have had this problem on our old puppet server: puppet.domain.com. It was
annoying but not critical.

Recently I built a new puppet server (on new hardware) with the new name
puppetmaster.domain.com and moved all nodes to that new master
successfully by rsyncing $ssldir and setting server=puppetmaster.domain.com and
certdnsnames=puppetmaster.domain.com:puppetmaster:puppet.domain.com:puppet
in puppet.conf. Both puppet.domain.com and puppetmaster.domain.com resolve
to the IP of the new server. See <20110118184147.gf...@wiet.xs4all.net> to
this list for details.

Suddenly I discovered that the puppet agent on this new server could
actually connect to itself. I was very happy.

But then came the time that the old server was dismantled and I wanted
to give the new server the old hostname, puppet.domain.com: I revoked and
cleaned the old cert of the old host, modified puppet.conf to contain
server=puppet.domain.com, modified Apache to read the new (soon to be
generated) SSLCertificateFile, changed its hostname and rebooted.

After reboot all nodes could connect successfully *except* the puppet
server itself: the old error message was back.

After some digging, I found in $ssldir the following files that were
created around the time that the old puppet server was created:
  certs/ca.pem
  ca/private/ca.pass
  ca/ca_crt.pem
  ca/ca_pub.pem
  ca/ca_key.pem

certs/ca.pem and ca/ca_crt.pem (which are identical files) both contain:
  Issuer: CN=puppet.domain.com
  Validity
      Not Before: Mar 25 15:51:31 2008 GMT
      Not After : Mar 24 15:51:31 2013 GMT
  Subject: CN=puppet.domain.com

I imagine I could solve this problem by completely throwing away $ssldir,
letting the puppetmaster recreate it from scratch, but that would mean that
I have to login to each node, remove $ssldir there as well, and sign its
new CSR.

Is there a way to solve this problem without doing that?

Regards,
Robert Scheer

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

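Before deciding whether $ssldir has to be thrown away, it is worth checking the three things that usually have to line up for a Puppet agent to talk TLS to its master: the agent cert chains to the CA cert the master serves (certs/ca.pem), the private key actually belongs to that cert, and the name in server= is covered by the cert's CN or subjectAltName. The script below is an added example written for this page, not code from the original post or from the Puppet project. It assumes the classic $ssldir layout (certs/ca.pem, certs/<certname>.pem, private_keys/<certname>.pem, ca/ca_key.pem) and builds a throwaway fixture with constructed hostnames in a temp directory, including one agent cert whose subject collides with the CA subject CN=puppet.domain.com shown above (RFC 5280 calls a cert with issuer equal to subject "self-issued", which some verifiers treat differently from an ordinary end-entity cert), so that the warning path is exercised too.

```shell
#!/bin/sh
# Added example, not from the original post: consistency checks for a Puppet
# $ssldir. Assumes the classic layout certs/ca.pem, certs/<certname>.pem,
# private_keys/<certname>.pem (and ca/ca_key.pem, only used to build the fixture).
set -eu

# cert_names CERT: every name the cert is valid for, one per line
# (subject CN plus each DNS entry of subjectAltName).
cert_names() {
  openssl x509 -noout -text -in "$1" \
    | sed -n -e 's/^ *Subject:.*CN *= *\([^,/]*\).*/\1/p' -e 's/^ *DNS:/DNS:/p' \
    | tr ',' '\n' | sed 's/^ *DNS://; s/ *$//'
}

# check_ssldir SSLDIR CERTNAME SERVER
#   WARN if the agent cert and the CA cert carry the same subject (self-issued)
#   1. the agent cert chains to certs/ca.pem
#   2. private_keys/CERTNAME.pem is the key for that cert
#   3. SERVER (the server= value in puppet.conf) is covered by CN or SAN
# Returns 0 only if checks 1-3 hold; prints which check failed otherwise.
check_ssldir() {
  ssldir=$1 certname=$2 server=$3
  cert="$ssldir/certs/$certname.pem"
  key="$ssldir/private_keys/$certname.pem"
  ca="$ssldir/certs/ca.pem"
  if [ "$(openssl x509 -noout -subject -in "$ca")" = "$(openssl x509 -noout -subject -in "$cert")" ]; then
    echo "WARN: $cert has the same subject as the CA cert $ca (self-issued)"
  fi
  if ! openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1; then
    echo "FAIL: $cert does not verify against $ca"; return 1
  fi
  if [ "$(openssl x509 -noout -pubkey -in "$cert")" != "$(openssl pkey -pubout -in "$key")" ]; then
    echo "FAIL: $key is not the private key for $cert"; return 1
  fi
  if ! cert_names "$cert" | grep -qxF "$server"; then
    echo "FAIL: $cert does not cover the server name $server"; return 1
  fi
  echo "OK: $certname chains to the CA, key matches, and covers $server"
}

# Constructed fixture (hypothetical names): a throwaway CA with the subject
# shown in the post, an agent cert whose SAN covers old and new master names,
# a "stale" cert issued only for its own name, and a cert whose subject
# collides with the CA subject, as the renamed master's cert would.
DEMO=$(mktemp -d)
trap 'rm -rf "$DEMO"' EXIT
mkdir -p "$DEMO/certs" "$DEMO/private_keys" "$DEMO/ca"
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=puppet.domain.com" \
  -keyout "$DEMO/ca/ca_key.pem" -out "$DEMO/certs/ca.pem" 2>/dev/null

# issue_cert CERTNAME "DNS:a,DNS:b": key, CSR and CA-signed cert with that SAN
issue_cert() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$DEMO/private_keys/$1.pem" -out "$DEMO/$1.csr" 2>/dev/null
  printf 'subjectAltName=%s\n' "$2" > "$DEMO/$1.ext"
  openssl x509 -req -days 2 -in "$DEMO/$1.csr" -CA "$DEMO/certs/ca.pem" \
    -CAkey "$DEMO/ca/ca_key.pem" -CAcreateserial -extfile "$DEMO/$1.ext" \
    -out "$DEMO/certs/$1.pem" 2>/dev/null
}
issue_cert puppetmaster.domain.com \
  "DNS:puppetmaster.domain.com,DNS:puppetmaster,DNS:puppet.domain.com,DNS:puppet"
issue_cert stale.domain.com "DNS:stale.domain.com"
issue_cert puppet.domain.com "DNS:puppet.domain.com,DNS:puppet"

check_ssldir "$DEMO" puppetmaster.domain.com puppet.domain.com          # OK
check_ssldir "$DEMO" stale.domain.com puppet.domain.com || true         # FAIL: name
check_ssldir "$DEMO" puppet.domain.com puppet.domain.com || true        # WARN: self-issued
```

On a real master, run it as `check_ssldir /var/lib/puppet/ssl "$(hostname -f)" puppet.domain.com` (path and certname are assumptions; use the $ssldir and certname from `puppetd --configprint ssldir certname`). A FAIL on the first check means the agent cert was signed by a different CA than the one in certs/ca.pem; a FAIL on the third is the rename case, where the cert simply does not carry the new server name. The WARN does not by itself prove anything about the decrypt error above, but a CA cert and an agent cert sharing one subject is the one oddity the post's $ssldir listing already makes visible.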