Hello

2.7 is pretty old. IIRC noop stops the agent writing anything including the certificate stuff.

You can either

Drop the noop
Upgrade puppet on client
Do the certificate work manually
Specify the certname in the config and use the old cert assuming your cloned master still has that

Neil

On 18 Nov 2014 04:26, "Roger Sherman" <slammingroo...@gmail.com> wrote:

> I'm in the process of setting up a staging environment for the company I work for. To do this, we've cloned our production environment (vmware), changed the hostnames of the nodes, re-IP'd the nodes, and since that point, I've been trying to get the environment to the point where I can do puppet runs. This is proving difficult, because of a couple SSL issues that have arisen.
>
> We are using Puppet 2.7 on Debian 6 (one of the plans for the staging environment in the first quarter of next year is going to be testing a lot of upgrades). Right now, I'm just focusing on two nodes - the puppet master and a client node, simply trying to get a successful run done on the client node. For that matter, a successful --noop run. What happens now is the following:
>
> # puppet agent -tv --noop
>
> err: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> Exiting; failed to retrieve certificate and waitforcert is disabled
>
> I can ping the puppet master successfully, there is no issue with node to node connectivity. Some googling suggested that time sync could be an issue, and initially it was, but they're synced up now, to no effect. I've of course blown out the certs on the client, since there was a hostname change.
>
> I actually just tried doing a --noop run on the puppet master itself, just to see what would happen. I didn't expect it to be successful...due to the way it's set up (long story short, I inherited this system, and would not have set it up this way), I've never been able to do a successful puppet run on it. This time, though, not only wasn't it successful, but I'm getting similar SSL errors:
>
> ...
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> ...
>
> err: /File[/var/lib/puppet/lib]: Could not evaluate: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol Could not retrieve file metadata for puppet://puppet/plugins: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> ...
>
> err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> ...
>
> err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>
> with a bunch of ruby noise in between each error.
>
> I have blown out all the certs on the puppet master, and regenerated, as detailed in step 1:
>
> https://docs.puppetlabs.com/puppet/latest/reference/ssl_regenerate_certificates.html
>
> For a brief, shining moment, I thought that was going to do the job, but then it didn't generate a couple certs that apache needed to restart, and when I tried to generate them manually, puppet failed to sign them.
>
> Any thoughts on where to begin? I'll be happy to provide any more information deemed necessary. I'm at the point where I'm just going to start making changes to nodes in the environment manually...honestly, I'm hoping I don't have to do that, so very much hoping someone here can help me through this.
>
> Thanks very much in advance,
>
> Rog
>
> --
> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/17d2a513-2d44-4996-9ed1-d4b54d81241f%40googlegroups.com.
> For more options, visit https://groups.google.com/d/optout.
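
An added diagnostic example for the error quoted in this thread (not written by either poster, and not Puppet's own code): OpenSSL reports "unknown protocol" when the bytes it reads in reply to its ClientHello are not an SSL/TLS record, so this Ruby helper sends a minimal ClientHello and classifies the first bytes of the reply. The function names, the constructed sample bytes and the default port 8140 (the Puppet master's usual port, which the thread does not state) are assumptions.

```ruby
require 'socket'
require 'timeout'

# Minimal TLS 1.0 ClientHello (constructed): one cipher suite, no extensions.
def client_hello
  body = [0x03, 0x01].pack('C*') + ("\x00" * 32).b + # version, 32-byte random
         [0, 0, 2, 0x00, 0x2f, 1, 0].pack('C*')      # no session id, 1 suite, null compression
  hs = [0x01].pack('C') + [body.bytesize].pack('N')[1, 3] + body # handshake header
  [0x16, 0x03, 0x01, hs.bytesize].pack('CCCn') + hs              # record header
end

# Classify the first bytes a server sends back after a ClientHello.
# Anything other than :tls_handshake / :tls_alert is what a TLS client
# would reject as not being SSL/TLS at all.
def classify_server_reply(bytes)
  b = bytes.to_s.dup.force_encoding(Encoding::BINARY)
  return :no_data if b.empty?
  # SSLv3/TLS record header: content type byte, then major version 0x03
  if b.getbyte(1) == 0x03
    return :tls_handshake if b.getbyte(0) == 0x16
    return :tls_alert     if b.getbyte(0) == 0x15
  end
  return :plain_http if b.start_with?('HTTP/') # e.g. a web server vhost without SSL enabled
  :not_tls
end

# Connect, send the ClientHello, and classify whatever comes back.
# host is whatever name the agent uses for its master (assumption: port 8140).
def probe(host, port = 8140, wait = 5)
  Timeout.timeout(wait) do
    TCPSocket.open(host, port) do |s|
      s.write(client_hello)
      classify_server_reply(s.readpartial(16))
    end
  end
rescue EOFError, Timeout::Error
  :no_data
end

# Only touches the network when a host name is given on the command line.
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  puts "#{ARGV[0]}: #{probe(ARGV[0])}"
end
```

A result of :plain_http or :not_tls means the listener on that port is not speaking TLS, so the service configuration on the master is the place to look before regenerating certificates again.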