Yeah.. this is a pretty funky situation.. So recap, I covered all the basics of Puppet/SSL connectivity:

1) times are synced via NTP
2) All SSL values are default
3) SELinux and iptables are off
4) client/server are on the same network
5) all hostnames resolve to fqdn from both dns/files

All I did was upgrade and then rollback from 2.6, but I'm guessing that something got changed at the SSL level (I hope I'm just overlooking something) and I can't tell what it is. At this point, I feel like I'd need to rebuild the whole server from scratch, but I was hoping someone had a silver bullet for me to use...

On Jul 26, 12:40 pm, "David Dyer-Bennet" <[email protected]> wrote:
> On Mon, July 26, 2010 09:00, CraftyTech wrote:
> > Hello All,
> >
> > So it turns out that after the upgrade and subsequent rollback
> > from 2.6, I can't get clients to connect to puppetserver anymore.
> > Something got broken with the ssl and I'm having a tough time
> > identifying the problem. So far, I've tried puppetca --clean all (and
> > hostname specific), I even deleted the /etc/puppet/ssl on both client
> > and server, and still verified failed. These are the steps that I
> > follow, in order to test:
> > On server: puppetca --clean hostname
> > On client: puppetd -t --waitforcert 20
> > On server: puppetca -l (it shows the client's FQDN)
> > On server: puppetca -s "client's FQDN"
> > On client: certificate verified failed !!
>
> I'm getting the same or a very similar problem, with a Centos 5.5 clean
> install from RPMs (puppet 0.25.5).
>
> > err: Could not retrieve catalog from remote server: certificate verify
> > failed
> > warning: Not using cache on failed catalog
> > err: Could not retrieve catalog; skipping run
>
> In particular, I'm always ending up with this situation.
>
> See my posts late last week for my descriptions, but it sounds like
> probably the same thing somehow. I've also manually deleted the ssl
> directory, and even the entire /etc/puppet and /var/lib/puppet
> directories, and removed and reinstalled the software packages.
>
> Sort-of glad it's not just me (though sorry you're caught in this mess).
> --
> David Dyer-Bennet, [email protected]; http://dd-b.net/
> Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
> Photos: http://dd-b.net/photography/gallery/
> Dragaera: http://dragaera.info
