Unsurprisingly, all my fault, details below.
On 22/05/12 10:15, Stuart Sears wrote:
Hi all,
I am seeing some very curious behaviour with puppet enterprise (on a
trial license to evaluate, before I get redirected there :) )
I have client systems (RHEL) being kickstarted and installing pe-puppet
and a couple of other basic packages, before using
puppet agent -t --environment bootstrap --server PUPPETSERVER
To ensure the rest of the bootstrapping takes place properly.
Only puppet configuration takes place in the 'bootstrap' environment.
This part works fine - I have autosigning configured on my puppetmaster
for these hosts.
I really do not want to have to muck about NFS mounting/copying the
entire PE installation directory on all the boxes here, should we decide
to deploy it. That's really not scalable at all.
It looks like the preliminary puppet run is receiving a cert and then
using that to connect to the puppet master, which works just fine, but
then once the node has rebooted, a completely new key pair appears to
have been generated on the client system, which no longer matches that
on the master.
For more information (and info to back up my point):
http://fpaste.org/WGuW/
I can't quite figure out when this new cert is being created, unless
this is buried somewhere in the PE initial run, which appears to
configure mcollective among many other things, although thus far I
cannot find where this configuration is assigned to nodes, so I'm not
100% clear which classes are applied.
[ After a helpful comment from Vulcane in IRC. Thanks! ]
My understanding of what went wrong, in case it helps others.
Okay, there is another private key in /var/opt/lib/pe-puppet/ssl that
was used for the very first cert request.
After the preliminary configuration run, puppet switches to using
/etc/puppetlabs/puppet/ssl, where there is no private key yet. On the
next run, there being no private key, one is generated. This no longer
matches the certificate received from the master.
Now running the original bootstrap puppet with --ssldir
/etc/puppetlabs/puppet/ssl and all appears well.
--
Stuart Sears RHCA etc.
"It's today!" said Piglet.
"My favourite day," said Pooh.
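A check for the mismatch described in the message above, added here as an example and not part of the original post or of Puppet Enterprise. It assumes the usual ssldir layout (private_keys/<certname>.pem and certs/<certname>.pem); check_ssldir and report are hypothetical helper names, and the certname is passed as the first argument.

```shell
#!/bin/sh
# Added example: verify that the private key in an ssldir belongs to the
# certificate stored there. Assumed layout:
#   <ssldir>/private_keys/<certname>.pem and <ssldir>/certs/<certname>.pem

# check_ssldir SSLDIR CERTNAME
# Returns 0 key matches cert
#         1 no private key (the next agent run would generate a new one)
#         2 private key present, no signed certificate yet
#         3 key and certificate do not belong together
#         4 openssl not available
check_ssldir() {
    key="$1/private_keys/$2.pem"
    cert="$1/certs/$2.pem"

    [ -f "$key" ] || return 1
    [ -f "$cert" ] || return 2
    command -v openssl >/dev/null 2>&1 || return 4

    # Compare the public key embedded in the certificate with the one
    # derived from the private key. Only public material is handled.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 3
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 3
    [ "$cert_pub" = "$key_pub" ] || return 3
    return 0
}

# report CERTNAME SSLDIR... : one status line per directory.
report() {
    certname=$1; shift
    for dir in "$@"; do
        rc=0; check_ssldir "$dir" "$certname" || rc=$?
        case $rc in
            0) echo "$dir: key matches certificate" ;;
            1) echo "$dir: no private key, a new one will be generated" ;;
            2) echo "$dir: private key only, no certificate" ;;
            3) echo "$dir: MISMATCH between key and certificate" ;;
            *) echo "$dir: cannot check, openssl missing" ;;
        esac
    done
    return 0
}

# When called with a certname, inspect both directories named in the post.
if [ "$#" -ge 1 ]; then
    report "$1" /var/opt/lib/pe-puppet/ssl /etc/puppetlabs/puppet/ssl
fi
```

Run it as root on the client after the bootstrap run and before the reboot; a status of 1 for the directory the agent will use afterwards is the condition that leads to the regenerated key.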