Hi everyone,

Finally got it: once the certificates were recreated, I forgot to restart puppetdb... Sorry.
Thx for the tips :D

On Wed, Jun 13, 2012 at 12:31 PM, Antidot SAS <[email protected]> wrote:
> OK,
>
> I have managed to have the same signature (apparently using --config
> doesn't help for generating certificates :D)
> So now is the deal:
> # keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
>
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 1 entry
> puppetmaster.fqdn, Jun 13, 2012, PrivateKeyEntry,
> Certificate fingerprint (MD5): FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47
> --
> # puppet cert fingerprint puppetmaster.fqdn --digest=md5 --config=/etc/puppet/conf/puppet.conf
> puppetmaster.fqdn FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47
> --
>
> But still not the same for truststore.jks:
> # keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
>
> Enter keystore password:
> Keystore type: JKS
> Keystore provider: SUN
> Your keystore contains 1 entry
> puppetdb ca, Jun 13, 2012, trustedCertEntry,
> Certificate fingerprint (MD5): DA:38:CE:13:8A:20:8B:C1:4C:1C:2C:99:27:5F:53:05
> --
>
> And still having the issue with the agent:
> # date && puppet agent -t --noop ; date
> Wed Jun 13 12:18:51 CEST 2012
>
> info: Retrieving plugin
> info: Loading facts in meminbytes
> info: Loading facts in facter_dot_d
> info: Loading facts in root_home
> info: Loading facts in puppet_vardir
> info: Loading facts in meminbytes
> info: Loading facts in facter_dot_d
> info: Loading facts in root_home
> info: Loading facts in puppet_vardir
> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for test-puppet.fqdn to PuppetDB at puppetmaster.fqdn:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
>
> warning: Not using cache on failed catalog
> err: Could not retrieve catalog; skipping run
> Wed Jun 13 12:18:54 CEST 2012
>
> On the master:
> 2012-06-13 12:28:51,828 WARN [789688662@qtp-1034385146-6] [mortbay.log] EXCEPTION
>
> javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>         at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
>         at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:675)
>         at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>
> As you can see in the log, the date seems pretty much the same.
>
> On Wed, Jun 13, 2012 at 10:20 AM, Antidot SAS <[email protected]> wrote:
>> Hi, thx for the reply, here is the info:
>> --
>> nslookup puppetdb.fqdn
>> Server:         10.10.200.29
>> Address:        10.10.200.29#53
>>
>> puppetdb.fqdn   canonical name = puppetmaster.fqdn
>> Name:   puppetmaster.fqdn
>> Address: 10.10.200.17
>> --
>> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> puppetmaster.fqdn, Jun 12, 2012, PrivateKeyEntry,
>> Certificate fingerprint (MD5): 02:B5:21:B9:F7:72:4A:48:67:12:47:FF:0A:DE:B5:1D
>> --
>> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
>> Enter keystore password:
>>
>> Keystore type: JKS
>> Keystore provider: SUN
>>
>> Your keystore contains 1 entry
>>
>> puppetdb ca, Jun 12, 2012, trustedCertEntry,
>> Certificate fingerprint (MD5): 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60
>> --
>> puppet cert --fingerprint ca puppetmaster.fqdn
>> ca 1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60
>>
>> So it seems that the certificates are not right?
>> --
>> On the master:
>> ntpq -p
>>      remote           refid      st t when poll reach   delay   offset  jitter
>> ==============================================================================
>> +ntp1            198.82.1.204     3 u  986 1024  377    0.106   -1.399   0.323
>> *ntp2            129.70.132.32    3 u   54 1024  377    0.376    0.338   0.903
>>  LOCAL(0)        .LOCL.          12 l   14h   64    0    0.000    0.000   0.000
>>
>> As you see, the server is up to date.
>>
>> Does that help?
>>
>> Regards,
>> JM
>>
>> On Tue, Jun 12, 2012 at 10:46 PM, Nick Lewis <[email protected]> wrote:
>>> On Tuesday, June 12, 2012 7:39:22 AM UTC-7, A_SAAS wrote:
>>>> Hi everyone,
>>>>
>>>> I am trying to set up the new puppetdb in my environment (currently it worked great with mysql databases). All the setup was made by package for debian squeeze and puppet is used with passenger.
>>>>
>>>> Here are the configuration files:
>>>> --
>>>> cat /etc/puppetdb/conf.d/jetty.ini
>>>> [jetty]
>>>> # Hostname to list for clear-text HTTP. Default is localhost
>>>> #host = localhost
>>>> # Port to listen on for clear-text HTTP.
>>>> host = puppetdb.fqdn
>>>> port = 8080
>>>> ssl-host = puppetdb.fqdn
>>>> ssl-port = 8081
>>>> keystore = /etc/puppetdb/ssl/keystore.jks
>>>> truststore = /etc/puppetdb/ssl/truststore.jks
>>>> key-password = uTyCY6damAQn9KInqCLuvAO53
>>>> trust-password = uTyCY6damAQn9KInqCLuvAO53
>>>> --
>>>> cat /etc/puppet/puppetdb.conf
>>>> [main]
>>>> server = pupperdb.fqdn
>>>> port = 8081
>>>> --
>>>> netstat -tulanp |egrep '808|543'
>>>> tcp        0      0 127.0.0.1:5432          0.0.0.0:*               LISTEN      16224/postgres
>>>> tcp        0      0 127.0.0.1:5432          127.0.0.1:9232          ESTABLISHED 27554/postgres: pup
>>>> tcp        0      0 127.0.0.1:5432          127.0.0.1:9230          ESTABLISHED 27552/postgres: pup
>>>> tcp        0      0 127.0.0.1:5432          127.0.0.1:9229          ESTABLISHED 27551/postgres: pup
>>>> tcp        0      0 127.0.0.1:5432          127.0.0.1:9231          ESTABLISHED 27553/postgres: pup
>>>> tcp6       0      0 10.10.200.17:8080       :::*                    LISTEN      27496/java
>>>> tcp6       0      0 10.10.200.17:8081       :::*                    LISTEN      27496/java
>>>> tcp6       0      0 127.0.0.1:9232          127.0.0.1:5432          ESTABLISHED 27496/java
>>>> tcp6       0      0 127.0.0.1:9195          127.0.0.1:5432          TIME_WAIT   -
>>>> tcp6       0      0 127.0.0.1:9230          127.0.0.1:5432          ESTABLISHED 27496/java
>>>> tcp6       0      0 127.0.0.1:9193          127.0.0.1:5432          TIME_WAIT   -
>>>> tcp6       0      0 127.0.0.1:9194          127.0.0.1:5432          TIME_WAIT   -
>>>> tcp6       0      0 127.0.0.1:9229          127.0.0.1:5432          ESTABLISHED 27496/java
>>>> tcp6       0      0 127.0.0.1:9231          127.0.0.1:5432          ESTABLISHED 27496/java
>>>> tcp6       0      0 127.0.0.1:9192          127.0.0.1:5432          TIME_WAIT   -
>>>> --
>>>> Once everything is started:
>>>> 2012-06-12 16:33:13,841 DEBUG [main] [bonecp.BoneCPDataSource] JDBC URL = jdbc:postgresql://localhost:5432/puppetdb, Username = puppetdb, partitions = 5, max (per partition) = 10, min (per partition) = 1, helper threads = 3, idle max age = 60 min, idle test period = 240 min
>>>> 2012-06-12 16:33:13,979 INFO [main] [cli.services] Starting broker
>>>> 2012-06-12 16:33:14,729 DEBUG [main] [page.PageFile] Page File: /usr/share/puppetdb/mq/localhost/KahaDB/db.data, Recovering page file...
>>>> 2012-06-12 16:33:14,790 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,795 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,796 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:14,977 INFO [main] [journal.Journal] ignoring zero length, partially initialised journal data file: db-1.log number = 1 , length = 0
>>>> 2012-06-12 16:33:14,987 DEBUG [main] [page.PageFile] Page File: /usr/share/puppetdb/mq/localhost/scheduler/scheduleDB.data, Recovering page file...
>>>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:15,031 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:15,034 DEBUG [main] [index.BTreeIndex] loading
>>>> 2012-06-12 16:33:15,109 INFO [main] [cli.services] Starting 2 command processor threads
>>>> 2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting query server
>>>> 2012-06-12 16:33:15,111 INFO [main] [cli.services] Starting database compactor (60 minute interval)
>>>> 2012-06-12 16:33:15,124 INFO [clojure-agent-send-off-pool-2] [mortbay.log] Logging to org.slf4j.impl.Log4jLoggerAdapter(org.mortbay.log) via org.mortbay.log.Slf4jLog
>>>> 2012-06-12 16:33:15,126 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] Container Server@4f47afda + [email protected]:8080 as connector
>>>> 2012-06-12 16:33:15,131 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] Container Server@4f47afda + [email protected]:8081 as connector
>>>> 2012-06-12 16:33:15,131 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] Container Server@4f47afda + AbstractHandler$0@4da4826b as handler
>>>> 2012-06-12 16:33:15,132 INFO [clojure-agent-send-off-pool-2] [mortbay.log] jetty-6.1.x
>>>> 2012-06-12 16:33:15,145 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] Container Server@4f47afda + org.mortbay.thread.QueuedThreadPool@76bd92e4 as threadpool
>>>> 2012-06-12 16:33:15,148 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] started org.mortbay.thread.QueuedThreadPool@76bd92e4
>>>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] starting AbstractHandler$0@4da4826b
>>>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] started AbstractHandler$0@4da4826b
>>>> 2012-06-12 16:33:15,151 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] starting Server@4f47afda
>>>> 2012-06-12 16:33:15,153 INFO [clojure-agent-send-off-pool-2] [mortbay.log] Started [email protected]:8080
>>>> 2012-06-12 16:33:15,153 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] started [email protected]:8080
>>>> 2012-06-12 16:33:15,164 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] Checking Resource aliases
>>>> 2012-06-12 16:33:15,219 DEBUG [clojure-agent-send-off-pool-0] [listener.DefaultMessageListenerContainer] Established shared JMS Connection
>>>> 2012-06-12 16:33:15,219 DEBUG [clojure-agent-send-off-pool-1] [listener.DefaultMessageListenerContainer] Established shared JMS Connection
>>>> 2012-06-12 16:33:15,256 INFO [clojure-agent-send-off-pool-2] [mortbay.log] Started [email protected]:8081
>>>> 2012-06-12 16:33:15,262 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] started [email protected]:8081
>>>> 2012-06-12 16:33:15,262 DEBUG [clojure-agent-send-off-pool-2] [mortbay.log] started Server@4f47afda
>>>>
>>>> and once I am trying to run any agent I am having the following error with the SSL port:
>>>> date && puppet agent -t --noop ; date
>>>> Tue Jun 12 16:31:16 CEST 2012
>>>> info: Retrieving plugin
>>>> info: Loading facts in meminbytes
>>>> info: Loading facts in facter_dot_d
>>>> info: Loading facts in root_home
>>>> info: Loading facts in puppet_vardir
>>>> info: Loading facts in meminbytes
>>>> info: Loading facts in facter_dot_d
>>>> info: Loading facts in root_home
>>>> info: Loading facts in puppet_vardir
>>>> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for lnk4c-cks01.vitry.exploit.anticorp to PuppetDB at puppetdb.vitry.exploit.anticorp:8081: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed. This is often because the time is out of sync on the server or client
>>>> warning: Not using cache on failed catalog
>>>> err: Could not retrieve catalog; skipping run
>>>> Tue Jun 12 16:31:23 CEST 2012
>>>> ---
>>>> 2012-06-12 16:31:23,054 WARN [1130816144@qtp-844964870-6] [mortbay.log] EXCEPTION
>>>> javax.net.ssl.SSLHandshakeException: Received fatal alert: decrypt_error
>>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
>>>>         at sun.security.ssl.Alerts.getSSLException(Alerts.java:154)
>>>>         at sun.security.ssl.SSLSocketImpl.recvAlert(SSLSocketImpl.java:1763)
>>>>         at sun.security.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:1006)
>>>>         at sun.security.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1190)
>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1217)
>>>>         at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:1201)
>>>>         at org.mortbay.jetty.security.SslSocketConnector$SslConnection.run(SslSocketConnector.java:675)
>>>>         at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>>>>
>>>> If I change the port:
>>>> cat puppetdb.conf
>>>> [main]
>>>> server = puppetdb.vitry.exploit.anticorp
>>>> port = 8080
>>>> --
>>>> date && puppet agent -t --noop ; date
>>>> Tue Jun 12 16:36:58 CEST 2012
>>>> info: Retrieving plugin
>>>> info: Loading facts in meminbytes
>>>> info: Loading facts in facter_dot_d
>>>> info: Loading facts in root_home
>>>> info: Loading facts in puppet_vardir
>>>> info: Loading facts in meminbytes
>>>> info: Loading facts in facter_dot_d
>>>> info: Loading facts in root_home
>>>> info: Loading facts in puppet_vardir
>>>> err: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for lnk4c-cks01.vitry.exploit.anticorp to PuppetDB at puppetdb.vitry.exploit.anticorp:8080: SSL_connect returned=1 errno=0 state=SSLv2/v3 read server hello A: unknown protocol
>>>> warning: Not using cache on failed catalog
>>>> err: Could not retrieve catalog; skipping run
>>>> Tue Jun 12 16:37:01 CEST 2012
>>>> --
>>>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2] [mortbay.log] uri=
>>>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2] [mortbay.log] fields=
>>>> 2012-06-12 16:36:57,836 DEBUG [1255344208@qtp-1992135396-2] [mortbay.log] EXCEPTION
>>>> HttpException(400,null,null)
>>>>         at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:361)
>>>>         at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:212)
>>>>         at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:404)
>>>>         at org.mortbay.jetty.bio.SocketConnector$Connection.run(SocketConnector.java:228)
>>>>         at org.mortbay.thread.QueuedThreadPool$PoolThread.run(QueuedThreadPool.java:582)
>>>> 2012-06-12 16:36:57,844 DEBUG [1255344208@qtp-1992135396-2] [mortbay.log] BAD
>>>>
>>>> Any idea what could cause this error?
>>>>
>>> Did you run a puppet agent on the PuppetDB server before installing the PuppetDB package? In order to set up SSL correctly, this is currently necessary.
>>>
>>> If you didn't, you can run a puppet agent to generate certificates and then run `/usr/sbin/puppetdb-ssl-setup` to redo the SSL setup. This will put your password in /etc/puppetdb/ssl/puppetdb_keystore_pw.txt, and you can update your jetty.ini with that.
>>>
>>> Otherwise, please run these commands for some diagnostic output:
>>>
>>> keytool -list -keystore /etc/puppetdb/ssl/keystore.jks
>>> keytool -list -keystore /etc/puppetdb/ssl/truststore.jks
>>>
>>> puppet cert --fingerprint ca <puppetdb hostname>
>>>
>>> This will give some output to ensure that the certificates being used by PuppetDB are what we expect them to be.
>>>
>>> As an aside, none of this output contains the timestamp of the puppet master (only the agent and PuppetDB). Can you please ensure that's also correct?
>>>
>>>> Regards,
>>>> JM
>>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups "Puppet Users" group.
>>> To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/goDGIrarBNwJ.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to [email protected].
>>> For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
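The comparison Nick Lewis asks for in the thread (the `keytool -list` entries against `puppet cert --fingerprint`), done offline in Python as an added example. This is not code from the thread or from the PuppetDB project: it parses the output text those two commands print, in the layout posted above, and reports where the stores on disk disagree with the Puppet CA. `check_puppetdb_ssl`, `keytool_sample` and the other names are this example's own; the fingerprints are the ones posted in the thread, while which store each one is placed in for the sample runs is constructed. It goes one step past the thread by also accepting the later `puppet cert --fingerprint` layout that prints the digest name between hostname and fingerprint.

```python
"""Cross-check PuppetDB's keystore.jks/truststore.jks against the Puppet CA.

Added example (not from the thread or the PuppetDB project): parses the text
that `keytool -list` and `puppet cert --fingerprint` print and reports disagreements.
"""
import re
from typing import Dict, List, Tuple

# Colon-separated hex fingerprint: 16 bytes (MD5, as keytool printed in 2012) or longer.
FINGERPRINT_RE = re.compile(r"(?:[0-9A-Fa-f]{2}:){15,}[0-9A-Fa-f]{2}")
# keytool entry header: "<alias>, <Mon D, YYYY>, <EntryType>,"  (alias may contain spaces)
ENTRY_RE = re.compile(r"^(?P<alias>.+?), [A-Za-z]{3} \d{1,2}, \d{4}, (?P<kind>\w+),?\s*$")


def parse_keytool_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Map alias -> (entry type, upper-case fingerprint) from `keytool -list` output."""
    entries: Dict[str, Tuple[str, str]] = {}
    pending = None  # (alias, kind) of the entry whose fingerprint line comes next
    for raw in text.splitlines():
        line = raw.strip()
        header = ENTRY_RE.match(line)
        if header:
            pending = (header.group("alias"), header.group("kind"))
            continue
        if pending and line.startswith("Certificate fingerprint"):
            found = FINGERPRINT_RE.search(line)
            if found:
                entries[pending[0]] = (pending[1], found.group(0).upper())
            pending = None
    return entries


def parse_puppet_fingerprints(text: str) -> Dict[str, str]:
    """Map name -> fingerprint from `puppet cert --fingerprint <name>...` output.

    Puppet 2.7 prints `<name> <fingerprint>` per line (as in the thread); later
    versions put the digest name in between, so take the last token.
    """
    result: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and FINGERPRINT_RE.fullmatch(parts[-1]):
            result[parts[0]] = parts[-1].upper()
    return result


def check_puppetdb_ssl(keystore_text: str, truststore_text: str,
                       puppet_fp_text: str, puppetdb_host: str) -> List[str]:
    """Return findings (empty list == the stores agree with the Puppet CA).

    truststore.jks must hold the Puppet CA cert (a trustedCertEntry matching
    `puppet cert --fingerprint ca`); keystore.jks must hold a PrivateKeyEntry
    for the PuppetDB host matching `puppet cert --fingerprint <host>`.
    """
    findings: List[str] = []
    puppet = parse_puppet_fingerprints(puppet_fp_text)
    trusted = [fp for kind, fp in parse_keytool_list(truststore_text).values()
               if kind == "trustedCertEntry"]
    keys = parse_keytool_list(keystore_text)

    ca_fp = puppet.get("ca")
    if ca_fp is None:
        findings.append("puppet output has no 'ca' fingerprint")
    elif ca_fp not in trusted:
        findings.append(f"truststore lacks the Puppet CA {ca_fp}; trusted entries: {trusted}")

    entry = keys.get(puppetdb_host)
    host_fp = puppet.get(puppetdb_host)
    if entry is None:
        findings.append(f"keystore has no entry for {puppetdb_host}; aliases: {sorted(keys)}")
    elif entry[0] != "PrivateKeyEntry":
        findings.append(f"keystore entry {puppetdb_host} is a {entry[0]}, not a PrivateKeyEntry")
    elif host_fp is None:
        findings.append(f"puppet output has no fingerprint for {puppetdb_host}")
    elif entry[1] != host_fp:
        findings.append(f"keystore cert for {puppetdb_host} is {entry[1]}, but the CA has {host_fp}")
    return findings


def keytool_sample(alias: str, kind: str, fingerprint: str) -> str:
    """Constructed `keytool -list` output in the layout posted in the thread."""
    return ("Enter keystore password:\nKeystore type: JKS\nKeystore provider: SUN\n\n"
            "Your keystore contains 1 entry\n\n"
            f"{alias}, Jun 13, 2012, {kind},\n"
            f"Certificate fingerprint (MD5): {fingerprint}\n")


# Fingerprints taken from the thread; which store each sits in here is constructed.
CA_FP = "1F:1B:E7:2A:89:B5:87:65:4F:91:1A:8B:75:8F:AD:60"    # `puppet cert --fingerprint ca`
HOST_FP = "FE:EA:B4:FE:C4:2C:07:9B:15:B7:F2:DB:3A:78:B3:47"  # keystore and puppet agree
STALE_FP = "DA:38:CE:13:8A:20:8B:C1:4C:1C:2C:99:27:5F:53:05" # truststore after re-creation
KEYSTORE_OUT = keytool_sample("puppetmaster.fqdn", "PrivateKeyEntry", HOST_FP)
TRUSTSTORE_OK = keytool_sample("puppetdb ca", "trustedCertEntry", CA_FP)
TRUSTSTORE_STALE = keytool_sample("puppetdb ca", "trustedCertEntry", STALE_FP)
PUPPET_OUT = f"ca {CA_FP}\npuppetmaster.fqdn {HOST_FP}\n"

if __name__ == "__main__":
    for label, trust in (("consistent", TRUSTSTORE_OK), ("stale", TRUSTSTORE_STALE)):
        problems = check_puppetdb_ssl(KEYSTORE_OUT, trust, PUPPET_OUT, "puppetmaster.fqdn")
        print(f"{label}: {problems or 'stores match the Puppet CA'}")
```

In practice the three inputs come from running the commands Nick lists on the PuppetDB host and on the CA. An empty result means the files on disk agree with the CA; if the handshake still fails with `decrypt_error` / `certificate verify failed` at that point, check that the PuppetDB process has actually been restarted since the stores were rewritten, which is what resolved the thread.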
