On Sep 8, 2009, at 11:30 AM, Ian Cottee wrote:
> I've been running puppet for nearly two years. As the number of
> clients has expanded so performance has eroded. I've done stop-gap
> solutions such as creating two puppet masters and feeding a
> fileserver off one of them and reducing the frequency that clients
> check in, but I knew they were stop gap solutions and not cutting
> the mustard.
>
> Last week I bit the bullet and created a new puppetmaster on Ubuntu
> Hardy, installing from the 0.24.9 source. The bones of the config
> come from http://reductivelabs.com/trac/puppet/wiki/UsingMongrel
>
> And all was well last week and I had apache serving up 10
> puppetmasters. I'd copied the ssl details from the previous server
> and existing clients were checking in, doing their puppety stuff and
> being happy.
>
> Today we needed to create a new node but no dice. On my client, when
> first starting puppetd I get:
>
> r...@sn1204:~# puppetd --test
> warning: peer certificate won't be verified in this SSL session
> err: Could not call puppetca.getcert: #<RuntimeError: HTTP-Error:
> 502 Proxy Error>
> /usr/lib/ruby/1.8/puppet/network/client/ca.rb:31:in `request_cert':
> Certificate retrieval failed: HTTP-Error: 502 Proxy Error
> (Puppet::Error)
> from /usr/sbin/puppetd:356
>
> On the server I see this in syslog.
>
> Sep 8 19:22:52 puppet puppetmasterd[1965]: Client
> sn1204.bb2(xx.xx.xx.xx) requested unavailable functionality puppetca
>
> Which tied in with what I was seeing when I switched from mongrel to
> webrick as a test to debug this. http://www.pastie.org/609530
>
> I have since upgraded the server to 0.25.0 but the messages are the
> same. All the clients are 0.24.4 (stock hardy) with a few gutsies.
> They're all connecting fine.
>
> My puppet.conf from the server is at http://www.pastie.org/609537
> and the apache conf at http://www.pastie.org/609541
>
> #puppet on irc have been very helpful but have drawn a blank so far.
> Having peered at the code I assume the puppetca code is loaded as a
> module by the puppetmaster process and that is 'failing' somehow/
> somewhere? Or not being loaded?
>
> Any pointers on how to debug further gratefully received.
Do you have 'ca = false' somewhere in your configuration? That's the
only thing I can think of that would cause the CA functionality not to
be available.
--
Fallacies do not cease to be fallacies because they become fashions.
--G. K. Chesterton
---------------------------------------------------------------------
Luke Kanies | http://reductivelabs.com | http://madstop.com