Funny you should mention that. I have been playing around with
separating the
puppetmaster config from the agent config. See here:
http://agawamtech.com/blog/?p=383
You could probably do something similar, and it would allow you to
switch the agent from one master to another.
--
vagn
On 07/27/2011 05:13 PM, Douglas Garstang wrote:
On Wed, Jul 27, 2011 at 2:10 PM, Douglas Garstang
<doug.garst...@gmail.com <mailto:doug.garst...@gmail.com>> wrote:
On Wed, Jul 27, 2011 at 2:01 PM, Jacob Helwig
<ja...@puppetlabs.com <mailto:ja...@puppetlabs.com>> wrote:
On Wed, 27 Jul 2011 13:58:25 -0700, Douglas Garstang wrote:
>
> All,
>
> I'm upgrading puppet clients from 0.25.5 to 2.7.1. I've
rolled an RPM for
> the new version, and I'm:
>
> 1. Stopping puppet
> 2. Upgrading RPM
> 3. Change the puppet master on the client to point to a new
puppet master
> running 2.7.1.
> 3. Starting puppet
>
> I am seeing this in the log files on the client:
>
> Could not evaluate: certificate verify failed Could not
retrieve file
> metadata for puppet://hprov01.h.xxx.com/plugins
<http://hprov01.h.xxx.com/plugins>: certificate verify failed
> Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could
not retrieve
> catalog from remote server: certificate verify failed
> Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Using
cached catalog
> Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could
not send report:
> certificate verify failed
> Jul 27 13:53:54 hsqlstor04p1-old puppet-agent[9468]: Could
not run Puppet
> configuration client: interning empty string
>
> After stopping puppet again, removing /var/lib/puppet/ssl
and restarting
> puppet, all is ok. Why do I need to blow away the client
side certs? I
> recently upgraded 0.25.5 to 2.6.8, and I don't believe I had
to do this. I
> have a couple of hundred servers to upgrade, and I don't
want to have to
> remove all the client side ssl directories as part of the
upgrade process.
>
> Doug.
>
It sounds like you have a new server with 2.7.1, in addition
to your old
server. Did you copy over the master certificates to the new
2.7.1
master from the old one?
If the new 2.7.1 master had generated a new certificate, I
would expect
to get the errors you're seeing.
--
Oh, and which files under /var/lib/puppet/ssl on the server would
be the relevant master certs?
Doug.
Hmmm..... that's not going to work, since the host names of the
servers are different, and therefore, so are the cert names. Now I'm
really confused. Since the client can't have knowledge of two servers,
this means that if things go south, and I have to switch the client
back to the original master, that I will have to remove the certs
again. There's got to be an easier way.
Doug.
--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.