Hi, in my current orkplace, I am currently hunting a weird heisenbug. In about two out of ten machine builds, the puppet certificate doesn't get signed.
We create the host via the foreman API, the host goes into build mode in foreman. Foreman writes the FQDN to /etc/puppet/autosign.conf, the host installation begins. After the installation, the first puppet run starts. If things go fine, the host creates its certificate request, submits it to the puppet server (running on the same host as our foreman), the puppet CA signs ther request, the FQDN is deleted from autosign.conf and we're happy. In the other case, the host creates its certificate request, submits it to the puppet server, and the puppet CA fails to autosign the cert. The host stays put, waiting for the signed certificate, the build in foreman eventually times out. One can manually issue puppet cert sign FQDN, and the build continues automatically if the manual signing happened before the build has timed out in foreman. This behavior is not tied to the host or the host definition, exactly the same build submitted via the foreman API can succeed once and fail the next time around and succeed in the third build again. While my gut feeling says that this might be an issue with puppet instead of foreman. Why am I asking this here? Frankly, I don't know. Can anybody explain how puppet CA monitors the certificate signing requests? Is that a cronjob or a daemon? Any ideas what might be going wrong here, and where to touch? Greetings Marc -- ----------------------------------------------------------------------------- Marc Haber | "I don't trust Computers. They | Mailadresse im Header Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402 Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421 -- You received this message because you are subscribed to the Google Groups "Foreman users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at https://groups.google.com/group/foreman-users. For more options, visit https://groups.google.com/d/optout.
