So,I made a stupid move this morning I'm trying to correct. While
trying to getthe puppet master to config itself, i moved its certs
sideways, and regenerated. Durring this time i did a ntp sync and
found i was about 2 seconds off. This little test failed and I
decided I had a better way to do it(manual puppet apply's are safer
for me for this.. currently), so I put the "original" certs back in
place, and restarted. Existing clients are fine since they have signed
certs, however new clients (i cleaned a cert to "force' a new client)
cannot get their cert verified. The clients report time may be off,
but it is 00% in sync. Normally we autosign but I've disabled that for
now and its made no difference. the client cert comes in fine, and I
can sign it just fine, but its the verify on the client end that
fails:
root::wave { 10:07:25 Fri Mar 02 }
~-> puppet agent -t
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for wave.
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to generate additional
resources using 'eval_generate: certificate verify failed. This is
often because the time is out of sync on the server or client
err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate
verify failed. This is often because the time is out of sync on the
server or client Could not retrieve file metadata for
puppet://provisions/plugins: certificate verify failed. This is often
because the time is out of sync on the server or client
info: Loading facts in vlan
<SNIP>
err: Could not retrieve catalog from remote server: certificate verify
failed. This is often because the time is out of sync on the server
or client
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: certificate verify failed. This is often
because the time is out of sync on the server or client
Any thoughts/help? I'd rather not start over and regenerate a
clean/new master cert, and have to clear client certs on everything
(about 2k systems)...
Help?
--
Matthew Nicholson
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
