I was cleaning the clients, yes. After I cleaned the puppet server and the client AND still had issues, I decided to blow away everything in /var/lib/puppet/ssl on the master and rebuild it. Fortunately I only have a few dozen puppetized machines because... I have to go through and re-cert them all again. But for now it seems to be working.
Freaking massive headache.

On Wed, Feb 22, 2012 at 12:11, Gary Larizza <g...@puppetlabs.com> wrote:

> On Wed, Feb 22, 2012 at 11:58 AM, Jon Davis <j...@snowulf.com> wrote:
>
>> How can I track down where the issue for this is? I've found some bugs
>> and blog posts that seem to be related [1][2] and I've followed all of
>> the instructions and checked ALL of the versions related. I'm running
>> Ruby 1.8.7 and Puppet 2.7.9 on both sides of the equation, which appear
>> to be "OK" versions by everyone's posting. I've got as far as doing a
>> `puppet cert clean --all` and `puppet cert clean puppet.company.com` and
>> regenerating. Still doesn't work. I've also followed every step on only
>> Puppet Doc's page that I can find related entries on [3]
>
> Hey Jon,
>
> When you cleaned the certs on the SERVER side, did you also clean the
> $ssldir on the CLIENT side and try to connect to the master again? Doing a
> `puppet config print ssldir` will give you the path to your $ssldir. I
> would:
>
> 1. Clean the cert on the master
> 2. Clean the ssldir on the client
> 3. Try running `puppet agent -t` on the client to generate a CSR on the master
> 4. Sign the cert on the master
> 5. Try running puppet again on the client.
>
> Does this work for you?
>
>> -Jon
>> [1] http://projects.puppetlabs.com/issues/9084
>> [2] http://urgetopunt.com/puppet/2011/09/14/puppet-ruby19.html
>> [3] http://docs.puppetlabs.com/pe/2.0/maint_common_config_errors.html#do-agents-trust-the-masters-certificate
>>
>> On Tue, Feb 21, 2012 at 16:56, Jon Davis <j...@snowulf.com> wrote:
>>
>>> I recently built, added to puppet and then nuked a server. Before I
>>> re-added the machine (after I rebuilt it, with the same name), I went to
>>> the puppet server and ran `puppet cert revoke dev-8.company.com` and
>>> `puppet cert clean dev-8.company.com`. Now when puppet runs on ANY
>>> server in my environment, they get the following error:
>>>
>>> info: Caching certificate for dev-8.company.com
>>> *err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client*
>>> warning: Not using cache on failed catalog
>>> err: Could not retrieve catalog; skipping run
>>> *err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client*
>>>
>>> Now I know for a fact that it isn't a time issue because the puppet
>>> server is on NTP as are the clients. The new machine is also within 1-2
>>> seconds of server time. All of the clients are configured to run (via
>>> Cron)
>>> `/usr/sbin/puppetd --onetime --no-daemonize --logdest syslog --server puppet.company.com`.
>>> The server is named puppet-1.company.com but puppet. is a valid cname.
>>> I've tried rebooting the puppet server, I've tried upgrading it, just
>>> about anything I can think of.
>>>
>>> Any help would be greatly appreciated.
>>> -Jon
>>>
>>> PS Both clients and server are running Ubuntu:
>>>
>>> root@puppet-1:/etc/puppet# cat /etc/lsb-release
>>> DISTRIB_ID=Ubuntu
>>> DISTRIB_RELEASE=11.10
>>> DISTRIB_CODENAME=oneiric
>>> DISTRIB_DESCRIPTION="Ubuntu 11.10"
>>>
>>> root@puppet-1:/etc/puppet# uname -a
>>> Linux puppet-1 3.0.0-16-server #28-Ubuntu SMP Fri Jan 27 18:03:45 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
>>>
>>> --
>>> Jon
>>> [[User:ShakataGaNai]] / KJ6FNQ
>>> http://snowulf.com/
>>> http://www.linkedin.com/in/shakataganai <http://twitter.com/shakataganai>
>>
>> --
>> Jon
>> [[User:ShakataGaNai]] / KJ6FNQ
>> http://snowulf.com/
>> http://www.linkedin.com/in/shakataganai <http://twitter.com/shakataganai>
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To post to this group, send email to puppet-users@googlegroups.com.
>> To unsubscribe from this group, send email to
>> puppet-users+unsubscr...@googlegroups.com.
>> For more options, visit this group at
>> http://groups.google.com/group/puppet-users?hl=en.
>
> --
>
> Gary Larizza
> Professional Services Engineer
> Puppet Labs

--
Jon
[[User:ShakataGaNai]] / KJ6FNQ
http://snowulf.com/
http://www.linkedin.com/in/shakataganai <http://twitter.com/shakataganai>
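
An added example, not part of the thread and not Puppet's own code: a self-contained shell sketch of the trust check behind "certificate verify failed", showing why rebuilding the CA on the master forces every agent to be re-certed. All certificates are throwaway ones generated with `openssl` in a temp directory, and the function names (`make_ca`, `issue`, `fingerprint`, `diagnose`) are hypothetical; on a real agent the cached CA is assumed to live at `certs/ca.pem` under the `$ssldir` mentioned above.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. Everything under $WORK is constructed,
# throwaway test material; no real Puppet state is read or changed.
WORK=$(mktemp -d)

# make_ca DIR CN: create a throwaway self-signed CA (key and certificate).
make_ca() {
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
    -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
}

# issue CA_DIR CN OUT: sign a certificate for CN with the CA in CA_DIR.
issue() {
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$3.key" -out "$3.csr" 2>/dev/null
  openssl x509 -req -in "$3.csr" -CA "$1/ca_crt.pem" -CAkey "$1/ca_key.pem" \
    -CAcreateserial -days 1 -out "$3" 2>/dev/null
}

# fingerprint CERT: SHA-256 fingerprint, to compare the CA held on each side.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# diagnose AGENT_CA MASTER_CERT: does the CA the agent cached vouch for the
# certificate the master presents? This is the check that fails in the log.
diagnose() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo "ok"
  else
    echo "stale-agent-ca"
  fi
}

# Constructed scenario: the agent cached the old CA, then the master's ssl
# directory was rebuilt, giving a new CA and a new master certificate.
make_ca "$WORK/old_ca" "Puppet CA: old"
make_ca "$WORK/new_ca" "Puppet CA: rebuilt"
cp "$WORK/old_ca/ca_crt.pem" "$WORK/agent_ca.pem"   # stands in for certs/ca.pem
issue "$WORK/new_ca" "puppet.company.com" "$WORK/master.pem"

echo "agent CA : $(fingerprint "$WORK/agent_ca.pem")"
echo "master CA: $(fingerprint "$WORK/new_ca/ca_crt.pem")"
echo "before re-cert: $(diagnose "$WORK/agent_ca.pem" "$WORK/master.pem")"
cp "$WORK/new_ca/ca_crt.pem" "$WORK/agent_ca.pem"   # agent re-fetches the CA
echo "after re-cert : $(diagnose "$WORK/agent_ca.pem" "$WORK/master.pem")"
```

Comparing the two CA fingerprints before touching anything tells you whether an agent is merely holding a stale CA copy or whether the master's certificate itself fails to chain to its own CA.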