Hi, thx for the reply, here is the info:
--
nslookup puppetdb.fqdn
Server: 10.10.200.29
Address: 10.10.200.29#53

puppetdb.fqdn canonical name = puppetmaster.fqdn
Name: puppetmaster.fqdn
Address: 10.10.200.17
--
keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetmaster.fqdn, Jun 12, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 02:B5:21:B9:F7:72:4A:48:67:12:47:FF:0A:DE:B5:1D
--
keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 1 entry

puppetdb ca, Jun 12, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60
--
puppet cert --fingerprint ca puppetmaster.fqdn
ca 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60

So it seems that the certificates are not right?
--
On the master:
ntpq -p
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
+ntp1            198.82.1.204     3 u  986 1024  377    0.106   -1.399   0.323
*ntp2            129.70.132.32    3 u   54 1024  377    0.376    0.338   0.903
 LOCAL(0)        .LOCL.          12 l  14h   64    0    0.000    0.000   0.000

As you see the server is up to date.

Does that help?

Regards,
JM

On Tue, Jun 12, 2012 at 10:46 PM, Nick Lewis <[email protected]> wrote:

> On Tuesday, June 12, 2012 7:39:22 AM UTC-7, A_SAAS wrote:
>>
>> Hi everyone,
>>
>> I am trying to set up the new puppetdb on my environment (currently it
>> worked great with mysql databases). All the setup was made by package for
>> debian squeeze and puppet is used with passenger.
>>
>>
>> Here are the configuration files:
>> --
>> cat /etc/puppetdb/conf.d/jetty.ini
>> [jetty]
>> # Hostname to list for clear-text HTTP. Default is localhost
>> #host = localhost
>> # Port to listen on for clear-text HTTP.
>> host = puppetdb.fqdn
>> port = 8080
>> ssl-host = puppetdb.fqdn
>> ssl-port = 8081
>> keystore = /etc/puppetdb/ssl/keystore.jks
>> truststore = /etc/puppetdb/ssl/truststore.jks
>> key-password = uTyCY6damAQn9KInqCLuvAO53
>> trust-password = uTyCY6damAQn9KInqCLuvAO53
>> --
>> cat /etc/puppet/puppetdb.conf
>> [main]
>> server = pupperdb.fqdn
>> port = 8081
>> --
>> netstat -tulanp |egrep '808|543'
>> tcp 0 0 127.0.0.1:5432 0.0.0.0:* LISTEN 16224/postgres
>> tcp 0 0 127.0.0.1:5432 127.0.0.1:9232 ESTABLISHED 27554/postgres: pup
>> tcp 0 0 127.0.0.1:5432 127.0.0.1:9230 ESTABLISHED 27552/postgres: pup
>> tcp 0 0 127.0.0.1:5432 127.0.0.1:9229 ESTABLISHED 27551/postgres: pup
>> tcp 0 0 127.0.0.1:5432 127.0.0.1:9231 ESTABLISHED 27553/postgres: pup
>> tcp6 0 0 10.10.200.17:8080 :::* LISTEN 27496/java
>> tcp6 0 0 10.10.200.17:8081 :::* LISTEN 27496/java
>> tcp6 0 0 127.0.0.1:9232 127.0.0.1:5432 ESTABLISHED 27496/java
>> tcp6 0 0 127.0.0.1:9195 127.0.0.1:5432 TIME_WAIT -
>> tcp6 0 0 127.0.0.1:9230 127.0.0.1:5432 ESTABLISHED 27496/java
>> tcp6 0 0 127.0.0.1:9193 127.0.0.1:5432 TIME_WAIT -
>> tcp6 0 0 127.0.0.1:9194 127.0.0.1:5432 TIME_WAIT -
>> tcp6 0 0 127.0.0.1:9229 127.0.0.1:5432 ESTABLISHED 27496/java
>> tcp6 0 0 127.0.0.1:9231 127.0.0.1:5432 ESTABLISHED 27496/java
>> tcp6 0 0 127.0.0.1:9192 127.0.0.1:5432 TIME_WAIT -
>> --
>> Once everything is started:
>> 2012-06-12 16:33:13,841 DEBUG [main] [bonecp.BoneCPDataSource] JDBC URL =
>> jdbc:postgresql://localhost:5432/puppetdb, Username = puppetdb, partitions
>> = 5, max (per partition) = 10, min (p
>> er partition) = 1, helper threads = 3, idle max age = 60 min, idle test
>> period = 240 min
>> 2012-06-12 16:33:13,979 INFO [main] [cli.services] Starting broker
>> 2012-06-12 16:33:14,729 DEBUG [main] [page.PageFile] Page File:
>> /usr/share/puppetdb/mq/localhost/KahaDB/db.data, Recovering page file...
>> 2012-06-12 16:33:14,790 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,795 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:14,977 INFO [main] [journal.Journal] ignoring zero
>> length, partially initialised journal data file: db-1.log number = 1 ,
>> length = 0
>> 2012-06-12 16:33:14,987 DEBUG [main] [page.PageFile] Page File:
>> /usr/share/puppetdb/mq/localhost/scheduler/scheduleDB.data, Recovering page
>> file...
>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:15,034 DEBUG [main] [index.BTreeIndex] loading
>> 2012-06-12 16:33:15,109 INFO [main] [cli.services] Starting 2 command
>> processor threads
>> 2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting query server
>> 2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting database
>> compactor (60 minute interval)
>> 2012-06-12 16:33:15,124 INFO [clojure-agent-send-off-pool-2]
>> [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log)
>> via org.mortbay.log.Slf4jLog
>> 2012-06-12 16:33:15,126 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] Container Server@4f47afda +
>> [email protected]:8080 as connector
>> 2012-06-12 16:33:15,131 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] Container Server@4f47afda +
>> [email protected]:8081 as connector
>> 2012-06-12 16:33:15,131 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] Container Server@4f47afda + AbstractHandler$0@4da4826b as
>> handler
>> 2012-06-12 16:33:15,132 INFO [clojure-agent-send-off-pool-2]
>> [mortbay.log] jetty-6.1.x
>> 2012-06-12 16:33:15,145 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] Container Server@4f47afda +
>> org.mortbay.thread.QueuedThreadPool@76bd92e4 as threadpool
>> 2012-06-12 16:33:15,148 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] started org.mortbay.thread.QueuedThreadPool@76bd92e4
>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] starting AbstractHandler$0@4da4826b
>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] started AbstractHandler$0@4da4826b
>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] starting Server@4f47afda
>> 2012-06-12 16:33:15,153 INFO [clojure-agent-send-off-pool-2]
>> [mortbay.log] Started [email protected]
>> :8080
>> 2012-06-12 16:33:15,153 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] started [email protected]
>> :8080
>> 2012-06-12 16:33:15,164 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] Checking Resource aliases
>> 2012-06-12 16:33:15,219 DEBUG [clojure-agent-send-off-pool-0]
>> [listener.DefaultMessageListenerContainer] Established shared JMS Connection
>> 2012-06-12 16:33:15,219 DEBUG [clojure-agent-send-off-pool-1]
>> [listener.DefaultMessageListenerContainer] Established shared JMS Connection
>> 2012-06-12 16:33:15,256 INFO [clojure-agent-send-off-pool-2]
>> [mortbay.log] Started [email protected]
>> :8081
>> 2012-06-12 16:33:15,262 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] started [email protected]
>> :8081
>> 2012-06-12 16:33:15,262 DEBUG [clojure-agent-send-off-pool-2]
>> [mortbay.log] started Server@4f47afda
>>
>>
>> and once I am trying to run any agent I am having the following error
>> with the SSL port:
>> date && puppet agent -t --noop ; date
>> Tue Jun 12 16:31:16 CEST 2012
>> info: Retrieving plugin
>> info: Loading facts in meminbytes
>> info: Loading facts in facter_dot_d
>> info: Loading facts in root_home
>> info: Loading facts in puppet_vardir
>> info: Loading facts in meminbytes
>> info: Loading facts in facter_dot_d
>> info: Loading facts in root_home
>> info: Loading facts in puppet_vardir
>> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
>> Failed to submit 'replace facts' command for
>> lnk4c-cks01.vitry.exploit.anticorp to PuppetDB at
>> puppetdb.vitry.exploit.anticorp:8081: SSL_connect returned=1 errno=0
>> state=SSLv3 read server certificate B: certificate verify failed. This is
>> often because the time is out of sync on the server or client
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run Tue Jun 12 16:31:23 CEST
>> 2012
>> ---
>> 2012-06-12 16:31:23,054 WARN [1130816144@qtp-844964870-6] [mortbay.log]
>> EXCEPTION
>> javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>> at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>> at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
>> at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
>> at
>> sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
>> at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
>> at
>> org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:675)
>> at
>> org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>>
>>
>> If I change the port:
>> cat puppetdb.conf
>> [main]
>> server = puppetdb.vitry.exploit.anticorp
>> port = 8080
>> --
>> date && puppet agent -t --noop ; date Tue Jun 12 16:36:58 CEST 2012
>> info: Retrieving plugin
>> info: Loading facts in meminbytes
>> info: Loading facts in facter_dot_d
>> info: Loading facts in root_home
>> info: Loading facts in puppet_vardir
>> info: Loading facts in meminbytes
>> info: Loading facts in facter_dot_d
>> info: Loading facts in root_home
>> info: Loading facts in puppet_vardir
>> err: Could not retrieve catalog from remote server: Error 400 on SERVER:
>> Failed to submit 'replace facts' command for
>> lnk4c-cks01.vitry.exploit.anticorp to PuppetDB at
>> puppetdb.vitry.exploit.anticorp:8080: SSL_connect returned=1 errno=0
>> state=SSLv2/v3 read server hello A: unknown protocol
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>> Tue Jun 12 16:37:01 CEST 2012
>> --
>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2]
>> [mortbay.log] uri=
>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2]
>> [mortbay.log] fields=
>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2]
>> [mortbay.log] EXCEPTION
>> HttpException(400,null,null)
>> at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:361)
>> at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212) at
>> org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
>> at
>> org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
>> at
>> org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>> 2012-06-12 16:36:57,844 DEBUG [1255344208@qtp-1992135396-2]
>> [mortbay.log] BAD
>>
>>
>> Any idea, what could cause this error?
>>
>>
> Did you run a puppet agent on the PuppetDB server before installing the
> PuppetDB package? In order to set up SSL correctly, this is currently
> necessary.
>
> If you didn't, you can run a puppet agent to generate certificates and
> then run `/usr/sbin/puppetdb-ssl-setup` to redo the SSL setup. This will
> put your password in /etc/puppetdb/ssl/puppetdb_keystore_pw.txt, and you
> can update your jetty.ini with that.
>
> Otherwise, please run these commands for some diagnostic output:
>
> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
>
> puppet cert --fingerprint ca <puppetdb hostname>
>
> This will give some output to ensure that the certificates being used by
> PuppetDB are what we expect them to be.
>
> As an aside, none of this output contains the timestamp of the puppet
> master (only the agent and PuppetDB). Can you also please ensure that's
> also correct?
>
>
>>
>> Regards,
>> JM
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To view this discussion on the web visit
> https://groups.google.com/d/msg/puppet-users/-/goDGIrarBNwJ.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
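
Added example, not part of the original thread and not PuppetDB project code: the fingerprint comparison that the diagnostic commands above support, run over the output pasted in the reply. The sample strings are constructed from that output; the function names, the `<name> <fingerprint>` layout assumed for `puppet cert --fingerprint`, and the assumption that both tools report the same digest are illustrative.

```python
import re

# Constructed sample input: the command output quoted in the message,
# restored to one item per line (keytool prints the fingerprint on its own line).
KEYSTORE = """Your keystore contains 1 entry

puppetmaster.fqdn, Jun 12, 2012, PrivateKeyEntry,
Certificate fingerprint (MD5): 02:B5:21:B9:F7:72:4A:48:67:12:47:FF:0A:DE:B5:1D
"""
TRUSTSTORE = """Your keystore contains 1 entry

puppetdb ca, Jun 12, 2012, trustedCertEntry,
Certificate fingerprint (MD5): 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60
"""
PUPPET_CERT = "ca 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60\n"

HEX = r"(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}"
# "<alias>, <Mon d, yyyy>, <entry type>," followed by the fingerprint line.
ENTRY = re.compile(r"^(?P<alias>.+?), \w{3} \d{1,2}, \d{4}, (?P<kind>\w+),\s*"
                   r"Certificate fingerprint \([\w-]+\): (?P<fp>" + HEX + ")", re.M)
# Assumed layout: "<name> <fingerprint>", optionally with "(DIGEST)" in between.
FP_LINE = re.compile(r"^(?P<name>\S+)\s+(?:\([\w-]+\)\s+)?(?P<fp>" + HEX + r")\s*$", re.M)

def keytool_entries(text):
    """Map alias -> (entry type, fingerprint) from `keytool -list` output."""
    return {m["alias"]: (m["kind"], m["fp"].upper()) for m in ENTRY.finditer(text)}

def puppet_fingerprints(text):
    """Map certname -> fingerprint from `puppet cert --fingerprint` output."""
    return {m["name"]: m["fp"].upper() for m in FP_LINE.finditer(text)}

def check(keystore, truststore, puppet, certname):
    """Compare PuppetDB's JKS stores with what the Puppet CA reports.

    Fingerprints are only comparable when both tools used the same digest
    (MD5 in the output on this page). None means "nothing to compare with".
    """
    ca = puppet_fingerprints(puppet)
    trusted = {fp for kind, fp in keytool_entries(truststore).values()
               if kind == "trustedCertEntry"}
    own = {fp for kind, fp in keytool_entries(keystore).values()
           if kind == "PrivateKeyEntry"}
    return {
        "truststore_has_ca": ca["ca"] in trusted if "ca" in ca else None,
        "keystore_matches_host": ca[certname] in own if certname in ca else None,
    }

if __name__ == "__main__":
    print(check(KEYSTORE, TRUSTSTORE, PUPPET_CERT, "puppetmaster.fqdn"))
```

The host-certificate check can only return True or False once the `puppet cert --fingerprint` output includes a line for the PuppetDB certname; the pasted output carries only the `ca` line.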
