Slightly OT here - shouldn't setting ca_name be enough for --compile to not fail ? Why does it need the --certname param ?
On Mon, Apr 1, 2013 at 2:03 PM, Mohit Chawla <[email protected]> wrote:

> Hi,
>
> Got it working by passing --certname param (the ca server hostname,
> instead of this master).
>
> On Mon, Apr 1, 2013 at 1:19 PM, Mohit Chawla <[email protected]> wrote:
>
>> Hi Ken,
>>
>> Got a trace from running puppetdb-foreground --debug -
>> https://gist.github.com/alcy/5283661. Weird that this doesn't happen
>> during standard puppet runs as opposed to doing a --compile. Here's the
>> puppet trace when doing --compile - https://gist.github.com/alcy/5283712.
>>
>> On Fri, Mar 29, 2013 at 3:14 AM, Ken Barber <[email protected]> wrote:
>>
>>> Yeah, it does seem very odd though ... if agent works - and the master
>>> is able to talk to PuppetDB no problem, then it's weird that running
>>> puppet master on the command line doesn't seem to work.
>>>
>>> What is strange is that the SSL error is very very unspecific:
>>>
>>> Failed to submit 'replace catalog' command for foo.com to PuppetDB at
>>> puppetdb:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
>>> finished A
>>>
>>> It doesn't speak of a particular problem, ie. remote host doesn't
>>> match certificate, CA not verified etc. etc. it just says 'read
>>> finished A'. I think this is significant, the last time I've seen it
>>> is when there was an SSL bug, and the transport is cut short - which
>>> is why I wanted to see what you had in your logs.
>>>
>>> If you try running the command with --debug --trace do you get any
>>> more information? If you tcpdump the connection to the puppetdb server
>>> do you see the TCP packets hit the server on port 8081? Try running
>>> puppetdb-foreground --debug on your puppetdb server and see what
>>> happens when you attempt to compile like this. You'd obviously want to
>>> try these things when the other activity on the server is disabled
>>> :-).
>>>
>>> ken.
>>>
>>> On Thu, Mar 28, 2013 at 8:54 PM, Mohit Chawla <[email protected]> wrote:
>>> > Hi,
>>> >
>>> > Not at the workstation right now, but regarding puppet.conf I can't
>>> > think of any peculiar settings apart from this being one of the two
>>> > puppet masters apart from a separate ca server (we took care of having
>>> > the ca server's certs being available at these masters). And afaik
>>> > right now, there wasn't any ~/.puppet dir for root, however I need to
>>> > confirm this.
>>> >
>>> > On Thu, Mar 28, 2013 at 7:07 PM, Ken Barber <[email protected]> wrote:
>>> >> I'm just trying to run up the same environment so I can try to
>>> >> replicate it, as yet I can't replicate it on the newer environment.
>>> >>
>>> >> What does your puppet.conf look like on the host you are trying to run
>>> >> puppet master --compile btw? I presume you are trying to run the
>>> >> command as root, is there a ~/.puppet directory for that user at all?
>>> >>
>>> >> ken.
>>> >>
>>> >> On Thu, Mar 28, 2013 at 1:17 PM, Mohit Chawla <[email protected]> wrote:
>>> >>> Hello Ken,
>>> >>>
>>> >>> Thanks for the response.
>>> >>>
>>> >>> On Thu, Mar 28, 2013 at 6:42 PM, Ken Barber <[email protected]> wrote:
>>> >>>> So I have some questions, as the error could mean a number of things:
>>> >>>>
>>> >>>> What version of PuppetDB are you running? And what exact version of
>>> >>>> Java is it using?
>>> >>>
>>> >>> puppetdb version is puppetdb-1.0.4-1.el6.noarch.
>>> >>>
>>> >>> $ java -version
>>> >>> java version "1.6.0_24"
>>> >>> OpenJDK Runtime Environment (IcedTea6 1.11.5) (rhel-1.50.1.11.5.el6_3-x86_64)
>>> >>> OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)
>>> >>>
>>> >>>>
>>> >>>> Can you take a look at puppetdb.log and tell me if you see any
>>> >>>> meaningful error messages?
>>> >>>
>>> >>> I took a look, no error messages, only info messages.
>>> >>>>
>>> >>>> Without trying to compile a catalog in this manner - are you getting
>>> >>>> any trouble with replace facts/replace catalogs generally? ie. Just
>>> >>>> trying to run puppet agent -t for example?
>>> >>>
>>> >>> Nope, those runs are working fine.
>>> >>>
>>> >>>>
>>> >>>> Have you tried re-initialising your SSL setup with
>>> >>>> puppetdb-ssl-setup at all yet?
>>> >>>
>>> >>> Yes, and confirmed the validity of certificates and their fingerprints
>>> >>> in the truststore and master ca.
>>> >>>
>>> >>>>
>>> >>>> Does the hostname you have specified in /etc/puppet/puppetdb.conf to
>>> >>>> talk to your puppetdb server match the SSL certificate assigned to the
>>> >>>> puppetdb host itself?
>>> >>>
>>> >>> Yes.
>>> >>>
>>> >>>>
>>> >>>> On Thu, Mar 28, 2013 at 12:55 PM, Mohit Chawla <[email protected]> wrote:
>>> >>>>> Forgot mentioning the env details:
>>> >>>>>
>>> >>>>> [user@puppetmaster ~]# rpm -qa | grep puppet
>>> >>>>> puppetlabs-release-6-6.noarch
>>> >>>>> puppetdb-terminus-1.0.4-1.el6.noarch
>>> >>>>> mcollective-puppet-agent-1.4.1-1.noarch
>>> >>>>> puppet-2.7.20-1.el6.noarch
>>> >>>>> hiera-puppet-1.0.0-1.el6.noarch
>>> >>>>> puppet-server-2.7.20-1.el6.noarch
>>> >>>>> mcollective-puppet-common-1.4.1-1.noarch
>>> >>>>>
>>> >>>>> [user@puppetmaster ~]# cat /etc/centos-release
>>> >>>>> CentOS release 6.3 (Final)
>>> >>>>>
>>> >>>>> On Thu, Mar 28, 2013 at 6:23 PM, Mohit Chawla <[email protected]> wrote:
>>> >>>>>> Hello,
>>> >>>>>>
>>> >>>>>> Stuck in a weird place here. I am trying to do 'puppet master
>>> >>>>>> --compile foo.com', however I am not getting the catalog json.
>>> >>>>>> So far, I have noticed two sorts of outputs:
>>> >>>>>>
>>> >>>>>> 1) The above command results in :
>>> >>>>>> notice: Compiled catalog for foo.com in environment production in 10.60 seconds
>>> >>>>>> Failed to submit 'replace catalog' command for foo.com to PuppetDB at
>>> >>>>>> puppetdb:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read
>>> >>>>>> finished A
>>> >>>>>>
>>> >>>>>> Notice that I don't actually get any json & of course, the ssl error.
>>> >>>>>>
>>> >>>>>> 2) Other output:
>>> >>>>>> Failed when searching for node bar.com: Could not retrieve facts for
>>> >>>>>> bar.com: Failed to find facts from PuppetDB at puppetdb:8081:
>>> >>>>>> SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
>>> >>>>>>
>>> >>>>>> Disabling storeconfig allows me to get a proper catalog json.
>>> >>>>>>
>>> >>>>>> Regarding the ssl errors, we've established the correctness of
>>> >>>>>> certificates in the relevant places - and done tests using curl and
>>> >>>>>> using ruby net/http. Here's a gist for the curl and ruby snippet.
>>> >>>>>> https://gist.github.com/alcy/5262866
>>> >>>>>>
>>> >>>>>> Any suggestions what could be happening here ? Perhaps in
>>> >>>>>> indirector/facts/puppetdb.rb, http_get doesn't get the correct ssl
>>> >>>>>> params or something ?
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to [email protected].
To post to this group, send email to [email protected].
Visit this group at http://groups.google.com/group/puppet-users?hl=en.
For more options, visit https://groups.google.com/groups/opt_out.
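
An added example, not part of the thread and not Puppet or PuppetDB code: the thread mentions checking certificates against the truststore and master CA, and the fix was a different `--certname`. This Ruby sketch runs the offline checks one would make for each candidate certname: does the certificate carry that name, does the private key match it, and does it chain to the CA the peer trusts. All names, keys and certificates are constructed in the script (`make_cert`, `check_identity` and `demo` are hypothetical helpers), and it assumes the peer trusts exactly one CA certificate.

```ruby
require 'openssl'

# Build a constructed certificate. With no issuer given it is a self-signed CA.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  if issuer_cert.nil?
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  end
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# What a TLS peer that trusts only ca_cert would conclude about this identity.
def check_identity(certname, cert, key, ca_cert)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  chains = store.verify(cert)
  { certname: certname,
    subject_matches: cert.subject.to_s == "/CN=#{certname}",
    key_matches: cert.check_private_key(key),
    chains_to_ca: chains,
    verify_error: store.error_string }
end

# Constructed scenario: three candidate identities checked against one site CA.
def demo
  ca_key, key_a, key_b = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  site_ca = make_cert('Constructed Site CA', ca_key)
  issued  = make_cert('ca.example.test', key_a, site_ca, ca_key)
  stray   = make_cert('master.example.test', key_b) # self-signed, not from site CA
  [check_identity('ca.example.test', issued, key_a, site_ca),    # usable
   check_identity('master.example.test', stray, key_b, site_ca), # untrusted issuer
   check_identity('ca.example.test', issued, key_b, site_ca)]    # wrong private key
end

demo.each { |r| puts r.inspect } if __FILE__ == $PROGRAM_NAME
```

To run the same checks on a real master, replace the constructed objects with the certificate, private key and CA PEM files loaded from the master's ssldir via `OpenSSL::X509::Certificate.new(File.read(...))` and `OpenSSL::PKey.read(File.read(...))`.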
