But I'm game; short of regenerating the new master's certificate & trying the clients again, anything to look at to test that theory?

Time is frequently a good place to look in crypto errors, but we rely on Kerberos for just about everything, which is also very time sensitive, so we're pretty scrupulous about time, to the point of running our own stratum 1 CDMA time server. Now that's not to say things never go wrong there, but when they do it's usually pretty obvious. I hadn't had my monitoring set up on the new master when I generated the cert so I can't be 100% sure. I can see that the CA's worst offset in the past week was 1.68ms, while testing yesterday afternoon the new master never got more than 1ms out.

The real kicker is that the FreeBSD clients could connect when calling the server by its primary DNS name but not by the shared service name; seems if time were at issue that would not work either.

One thing that does jump out is the FreeBSD clients are using Ruby 1.9 while the Linux clients and servers are on 1.8. Also the new master is using openssl 1.0.1, the older masters are using 0.9.8o and the FreeBSD clients 0.9.8.y, though Linux clients use 0.9.8o and 1.0.1 so don't *think* that's it.

Thanks,
-Jon

On Tue, May 7, 2013 at 5:45 PM, Nathan Valentine <nat...@puppetlabs.com> wrote:
> This smells like a problem related to incorrect system clock when the cert
> was generated for the new master.?.
>
> --
> Nathan Valentine - nat...@puppetlabs.com
> Puppet Labs Professional Services
> GV: 415.504.2173
> Skype: nrvale0
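
An added example, not part of the original thread: a Ruby check for the two things the messages above weigh against each other, namely whether a given clock time falls inside a certificate's validity window, and whether the certificate covers the DNS name the client used. The helper names, the host names `master01.example.test` and `puppet.example.test`, and the throwaway certificates are constructed for illustration.

```ruby
require 'openssl'

# Build a throwaway self-signed certificate (constructed sample data).
def sample_cert(cn, alt_names, not_before)
  key = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = name
  cert.issuer = name
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 3600
  unless alt_names.empty?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    san = alt_names.map { |n| "DNS:#{n}" }.join(',')
    cert.add_extension(ef.create_extension('subjectAltName', san))
  end
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Clock check: is `now` inside the certificate's validity window?
# A cert issued on a host whose clock ran ahead looks "not yet valid" elsewhere.
def valid_at?(cert, now = Time.now)
  now >= cert.not_before && now <= cert.not_after
end

# Name check: does the certificate cover the name the client connected to?
# Uses the same hostname matching Ruby's TLS client applies (SAN first, then CN).
def covers_name?(cert, hostname)
  OpenSSL::SSL.verify_certificate_identity(cert, hostname)
end

# One row per name: [name, valid at `now`?, name covered?]
def report(cert, names, now = Time.now)
  names.map { |n| [n, valid_at?(cert, now), covers_name?(cert, n)] }
end

if __FILE__ == $PROGRAM_NAME
  issued = Time.now - 60
  cert = sample_cert('master01.example.test', [], issued)
  report(cert, %w[master01.example.test puppet.example.test]).each { |row| p row }
end
```

To run the same checks on a real certificate, load its PEM file with `OpenSSL::X509::Certificate.new(File.read(path))` and pass it to `report` with the names the clients use.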