Re-sync a puppet node due to SSL errors
A node may go out of sync. When that happens, running puppet agent -t from inside the node returns errors like these:
    root@cld-blu-13 ~ # puppet agent -t
    Notice: Ignoring --listen on onetime run
    Warning: Unable to fetch my node definition, but the agent run will continue:
    Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Info: Retrieving pluginfacts
    Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://cld-foreman.cloud.pd.infn.it/pluginfacts: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Info: Retrieving plugin
    Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://cld-foreman.cloud.pd.infn.it/plugins: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Info: Loading facts
    Error: NetworkManager is not running.
    Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
    Warning: Not using cache on failed catalog
    Error: Could not retrieve catalog; skipping run
    Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked
As the last error says, the client certificate has been revoked on the server.
To solve the issue:
On the client
- delete the directory /var/lib/puppet/ssl
- issue another puppet agent -t
You will see that a new client key and certificate request are generated:

    root@cld-blu-13 ~ # puppet agent -t
    Info: Creating a new SSL key for cld-blu-13.cloud.pd.infn.it
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for cld-blu-13.cloud.pd.infn.it
    Info: Certificate Request fingerprint (SHA256): D4:A6:AB:5B:2B:64:C6:05:09:DB:FF:66:0D:B8:D5:67:08:29:BD:BE:B6:EA:1D:8E:32:DC:1F:95:8F:C4:12:B5
    Info: Caching certificate for ca
    Exiting; no certificate found and waitforcert is disabled
On the server
- issue puppet cert sign cld-blu-13.cloud.pd.infn.it
On the client
- issue once again puppet agent -t
You will see the client syncs with the server:

    root@cld-blu-13 ~ # puppet agent -t
    Info: Caching certificate for cld-blu-13.cloud.pd.infn.it
    Info: Caching certificate_revocation_list for ca
    Info: Caching certificate for cld-blu-13.cloud.pd.infn.it
    Notice: Ignoring --listen on onetime run
    Info: Retrieving pluginfacts
    Info: Retrieving plugin
    Loading facts
    Error: NetworkManager is not running.
    Info: Caching catalog for cld-blu-13.cloud.pd.infn.it
    Info: Applying configuration version '1462266065'
    Notice: Finished catalog run in 13.63 seconds
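Before the sign step on the server, the fingerprint the client printed can be compared with the one the server holds for the pending request, so that only the request this node just generated gets signed. The script below is an added example, not part of the original page: the function names are hypothetical, the sample server line is constructed, and it assumes puppet cert list prints pending requests as "certname" (SHA256) fingerprint.

```sh
#!/bin/sh
# Added example: gate "puppet cert sign" on a CSR fingerprint match.

# Read `puppet agent -t` output on stdin, print the SHA256 CSR fingerprint.
agent_csr_fingerprint() {
    sed -n 's/^Info: Certificate Request fingerprint (SHA256): *\([0-9A-Fa-f:]*\).*$/\1/p' | head -n 1
}

# Read `puppet cert list` output on stdin, print the fingerprint of the
# pending request for certname $1 (assumed format: "name" (SHA256) AA:BB:...).
pending_csr_fingerprint() {
    awk -v name="\"$1\"" '$1 == name && $2 == "(SHA256)" { print $3; exit }'
}

# Succeed only if $1 is a well-formed SHA256 fingerprint and equals $2.
fingerprints_match() {
    fp_a=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    fp_b=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    printf '%s\n' "$fp_a" | grep -Eq '^([0-9A-F]{2}:){31}[0-9A-F]{2}$' || return 1
    [ "$fp_a" = "$fp_b" ]
}

# safe_to_sign CERTNAME AGENT_OUTPUT CERT_LIST_OUTPUT
# A missing request or a differing fingerprint both count as "do not sign".
safe_to_sign() {
    client_fp=$(printf '%s\n' "$2" | agent_csr_fingerprint)
    server_fp=$(printf '%s\n' "$3" | pending_csr_fingerprint "$1")
    fingerprints_match "$client_fp" "$server_fp"
}

# Sample input: client lines taken from the run shown on this page,
# server line constructed for the example.
CERTNAME='cld-blu-13.cloud.pd.infn.it'
FP='D4:A6:AB:5B:2B:64:C6:05:09:DB:FF:66:0D:B8:D5:67:08:29:BD:BE:B6:EA:1D:8E:32:DC:1F:95:8F:C4:12:B5'
SAMPLE_AGENT_OUTPUT="Info: Creating a new SSL certificate request for $CERTNAME
Info: Certificate Request fingerprint (SHA256): $FP
Exiting; no certificate found and waitforcert is disabled"
SAMPLE_CERT_LIST="  \"$CERTNAME\" (SHA256) $FP"

if safe_to_sign "$CERTNAME" "$SAMPLE_AGENT_OUTPUT" "$SAMPLE_CERT_LIST"; then
    echo "fingerprints match: puppet cert sign $CERTNAME"
else
    echo "fingerprint mismatch or request missing: do not sign" >&2
fi
```

On a real server, replace the sample variables with the fingerprint line copied from the client and the output of puppet cert list.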
progetti/cloud-areapd/ced-c/operations/out_of_sync_puppet_node_ssl_errors.txt · Last modified: 2016/05/03 09:18 by mazzon@infn.it