Re: [Puppet Users] sslv3 alert handshake failure

2012-07-09 Thread Martinus
Right, so here are lots of interesting things now! The puppetmaster is resolved via /etc/hosts and is set with server= in the [main] section. Trying to connect with the openssl command from a working server is just fine of course. From one of the broken servers the following error shows up:

[Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
I have a problem on 3 out of ~40 servers that gives the following error:
err: Could not request certificate: SSL_connect returned=1 errno=0 state=unknown state: sslv3 alert handshake failure
From previous posts, I made sure that SSLVerifyClient is set to optional. I also cleared

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martin Alfke
Hi,
- check time on client and server
- check ruby version on the 3 servers which fail
- check SSLDir configuration in /etc/puppet/puppet.conf on the 3 systems.
Martin
On 06.07.2012, at 09:57, Martinus wrote: I have a problem on 3 out of ~40 servers that gives the following error: err:

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
Martin, Right. Time is good (NTP) on all 3 clients and server. And I double checked just now with ntpq -p (largest offset was -20). There are different time zones, but then the working systems have different time zones too. Ruby version on all 3 clients and server: ruby 1.8.7 (2011-06-30

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martin Alfke
On puppet master:
puppet cert --clean fqdn
on client:
rm -fr /var/lib/puppet/ssl/*
puppet agent --test
check on master for signing request:
puppet cert --list
On 06.07.2012, at 10:25, Martinus wrote: Martin, Right. Time is good (NTP) on all 3 clients and server. And I double checked

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
There is nothing to clean, as puppet cert --list or puppet cert --list --all does not have an entry for those 3 particular servers. Deleting the client side ssl* makes no difference either. The client will recreate the ssl (good) and the same error pops up, without anything showing up on the

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martin Alfke
On 06.07.2012, at 11:09, Martinus wrote: There is nothing to clean, as puppet cert --list or puppet cert --list --all does not have an entry for those 3 particular servers. Deleting the client side ssl* makes no difference either. The client will recreate the ssl (good) and the same

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
Martin, No, the clients fail again with exactly the same error once I switch apache back on. Your configuration is slightly different than what I have:
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
Now let's see what happens if I use your example ... Nope,

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Matthew Burgess
As an additional note, when I stop apache and start puppetmaster with its inbuilt web server, then these 3 clients are happy. Ah, that triggered a memory! http://projects.puppetlabs.com/projects/1/wiki/Using_Passenger has an example Apache config stanza for the puppetmaster virtualhost. In it

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
Martin, Everything is worth a try! But it did not work :( I commented out that line (SSLCARevocationFile) and restarted apache. No change on the working servers, good. No change on the broken servers, bad. Martinus. On Friday, 6 July 2012 11:02:10 UTC+1, Matthew Burgess wrote: As an

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martinus
It would also help if I call people by their right name, sorry Matt :) On Friday, 6 July 2012 11:02:10 UTC+1, Matthew Burgess wrote: As an additional note, when I stop apache and start puppetmaster with its inbuilt web server, then these 3 clients are happy. Ah, that triggered a

Re: [Puppet Users] sslv3 alert handshake failure

2012-07-06 Thread Martin Alfke
From http://projects.puppetlabs.com/projects/1/wiki/Certificates_And_Security
Check certificate and validity:
openssl x509 -text -noout -in /var/lib/puppet/ssl/certs/hostname.tld.pem
How do you specify the puppetmaster on the clients? Do you have a server= line in puppet.conf? How do the

[Puppet Users] 'sslv3 alert handshake failure' when using puppet load-balanced through Apache

2010-09-16 Thread Tim
I've set up a puppet load-balanced solution based on these instructions: http://projects.puppetlabs.com/projects/puppet/wiki/Puppet_Scalability I have 4 puppetmaster instances running on my puppet server and an Apache instance running on that server listening on port 8140 and round-robining the

Re: [Puppet Users] 'sslv3 alert handshake failure' when using puppet load-balanced through Apache

2010-09-16 Thread Patrick
I've found that there are three major pieces that can be going wrong in this case:
1) Getting the ca.pem file to the client.
2) Getting the Certificate sign request to the server.
3) Getting the signed certificate to the client.
Test them like this: To test 1) Grab /var/lib/puppet/ssl/ca.pem