> I actually tried --waitforcert 480000! But it still hangs and ends up in a
> certificate timeout: puppetd[2078]: Could not request certificate:
> Connection refused - connect(2)

"Connection refused" sounds like networking or a firewall is in your way. On your new Puppet client, can you "telnet puppetmaster.domain 8140"? Assuming your Puppet Master is running on the default port of 8140.

What's the output of "puppetd --test"?

> > I think it's complaining about waitforcert because you need that flag to
> > retrieve the cert from the server.
>
> > But it would have been nice to see the actual command you used to produce
> > that error. :)
>
> puppet is running as a "regular" Red Hat service, so there is no "command"
> (well there is but I just let the service run). I have nothing fancy in my
> [puppetd] configuration:
>
> [puppetd]
> # The file in which puppetd stores a list of the classes
> # associated with the retrieved configuration. Can be loaded in
> # the separate ``puppet`` executable using the ``--loadclasses``
> # option.
> # The default value is '$confdir/classes.txt'.
> classfile = $vardir/classes.txt
>
> # Where puppetd caches the local configuration. An
> # extension indicating the cache format is added automatically.
> # The default value is '$confdir/localconfig'.
> localconfig = $vardir/localconfig
>
> server = puppetmaster.domain
>
> > The number is the interval that the puppet client will pause between
> > requests to the server for its cert and is a required parameter.
>
> Ah, ok, so maybe having a big number here (--waitforcert 480000) is a bad
> idea....
>
> > At that point, back on the server you should see what facter considers to
> > be the fqdn of the requesting machine when you issue
>
> > puppetca --list
>
> > Then sign
>
> > puppetca --sign host.domain.com
>
> > I'd recommend turning off autosign on the puppet master as it's a security
> > risk.
>
> For now I need autosign, because I'm creating instances "on the fly" - so I
> don't want to "manually" accept each one. (but I'm aware of the security
> risk of this setup).
>
> > Hope that is helpful.
>
> > Sent from my iPhone
>
> > On Mar 11, 2011, at 8:04 AM, Romain Pelisse <bela...@gmail.com> wrote:
>
> > Hi,
>
> > I'm using puppet on EC2 to set up my VMs with the following configuration:
>
> > # puppetd --version
> > 0.25.5
> > # uname -a
> > Linux hostname.domain 2.6.16-xenU #1 SMP Mon May 28 03:41:49 SAST 2007 i686
> > i686 i386 GNU/Linux
>
> > But I keep facing some timeout from puppetd:
>
> > warning: peer certificate won't be verified in this SSL session
> > Exiting; failed to retrieve certificate and waitforcert is disabled
>
> > Puppetmaster is running on autosign, and I can see in the puppetmaster logs
> > that the puppets are actually able to connect and request a certificate:
>
> > info: Could not find certificate for 'hostname.domain'
>
> > But nothing else seems to happen on the puppetmaster side and the puppetd
> > finally times out.
>
> > Did anybody run into this situation? Any idea on what could be
> > triggering this?
>
> > --
> > Romain PELISSE,
> > *"The trouble with having an open mind, of course, is that people will
> > insist on coming along and trying to put things in it" -- Terry Pratchett*
> > http://belaran.eu/wordpress/belaran
>
> > --
> > You received this message because you are subscribed to the Google Groups
> > "Puppet Users" group.
> > To post to this group, send email to puppet-users@googlegroups.com.
> > To unsubscribe from this group, send email to
> > puppet-users+unsubscr...@googlegroups.com.
> > For more options, visit this group at
> > http://groups.google.com/group/puppet-users?hl=en.
>
> --
> Romain PELISSE,
> *"The trouble with having an open mind, of course, is that people will
> insist on coming along and trying to put things in it" -- Terry
> Pratchett*
> http://belaran.eu/wordpress/belaran