On Wed, Jul 27, 2011 at 2:10 PM, Douglas Garstang <doug.garst...@gmail.com> wrote:

> On Wed, Jul 27, 2011 at 2:01 PM, Jacob Helwig <ja...@puppetlabs.com> wrote:
>
>> On Wed, 27 Jul 2011 13:58:25 -0700, Douglas Garstang wrote:
>> >
>> > All,
>> >
>> > I'm upgrading puppet clients from 0.25.5 to 2.7.1. I've rolled an RPM for
>> > the new version, and I'm:
>> >
>> > 1. Stopping puppet
>> > 2. Upgrading RPM
>> > 3. Change the puppet master on the client to point to a new puppet master
>> > running 2.7.1.
>> > 3. Starting puppet
>> >
>> > I am seeing this in the log files on the client:
>> >
>> > Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://hprov01.h.xxx.com/plugins: certificate verify failed
>> > Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could not retrieve catalog from remote server: certificate verify failed
>> > Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Using cached catalog
>> > Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could not send report: certificate verify failed
>> > Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could not run Puppet configuration client: interning empty string
>> >
>> > After stopping puppet again, removing /var/lib/puppet/ssl and restarting
>> > puppet, all is ok. Why do I need to blow away the client side certs? I
>> > recently upgraded 0.25.5 to 2.6.8, and I don't believe I had to do this. I
>> > have a couple of hundred servers to upgrade, and I don't want to have to
>> > remove all the client side ssl directories as part of the upgrade process.
>> >
>> > Doug.
>> >
>>
>> It sounds like you have a new server with 2.7.1, in addition to your old
>> server.  Did you copy over the master certificates to the new 2.7.1
>> master from the old one?
>>
>> If the new 2.7.1 master had generated a new certificate, I would expect
>> to get the errors you're seeing.
>>
>> --
>>
>
> Oh, and which files under /var/lib/puppet/ssl on the server would be the
> relevant master certs?
>
> Doug.
>
>

Hmmm..... that's not going to work, since the host names of the servers are
different, and therefore, so are the cert names. Now I'm really confused.
Since the client can't have knowledge of two servers, this means that if
things go south, and I have to switch the client back to the original
master, that I will have to remove the certs again. There's got to be an
easier way.

Doug.
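
The trust failure discussed in this thread, reproduced with Ruby's OpenSSL bindings as an added example that is not part of the original messages: an agent that still trusts the CA of its old master rejects a certificate issued by a CA that a new master generated for itself, and the new master likewise rejects the agent's old certificate. All host names, CA names and keys are constructed for the demonstration.

```ruby
require 'openssl'

# Constructed stand-ins: every name and key below is generated for this demo.
def new_cert(cn, issuer_name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_name || cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  [key, cert]
end

# Self-signed CA, standing in for the CA a master creates for itself.
def make_ca(cn)
  key, cert = new_cert(cn, nil, 1)
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Host certificate (master or agent) signed by the given CA.
def issue(cn, ca_key, ca_cert, serial)
  _key, cert = new_cert(cn, ca_cert.subject, serial)
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# True only if `cert` chains to `trusted_ca`, the one CA this side has cached.
def verifies?(trusted_ca, cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(trusted_ca)
  store.verify(cert)
end

OLD_KEY, OLD_CA = make_ca('old-ca.example.com')
NEW_KEY, NEW_CA = make_ca('new-ca.example.com')
OLD_MASTER = issue('old-master.example.com', OLD_KEY, OLD_CA, 2)
NEW_MASTER = issue('new-master.example.com', NEW_KEY, NEW_CA, 2)
AGENT      = issue('agent01.example.com', OLD_KEY, OLD_CA, 3)

puts "agent (old CA cached) checks old master: #{verifies?(OLD_CA, OLD_MASTER)}"
puts "agent (old CA cached) checks new master: #{verifies?(OLD_CA, NEW_MASTER)}"
puts "new master (new CA) checks agent cert:   #{verifies?(NEW_CA, AGENT)}"
```

Verification depends on which CA signed the certificate, not on the host name in it, so a master certificate with a different name still verifies as long as it was issued by the CA the agent already trusts.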
