Am Dienstag, 10. Juli 2018 20:04:03 UTC+2 schrieb Bret Wortman: > > I'm standing up a new replacement puppet server in place of the one we > trashed a few weeks ago, and am running into a new, interesting issue. > > I'm running puppet and puppetdb on the same server. Postgres is up and > running. When I try to run puppet agent -t on a random system, I get this: > > # puppet agent -t > Warning: Unable to fetch my node definition, but the agent run will > continue > : > Info: Retrieving pluginfacts > Info:Retrieving plugin > Info: Loading facts > Error: Could not retrieve catalog from remote server: Error 500 on SERVER: > Server Error: Failed to execute > '/pdb/cmd/v1?checksum=<blah>&version=5&certname=zw129.my.net&command=replace_fact&producer-timestamp=<blah>' > > on at least 1 of the following 'server_urls': https://puppet.my.net:8081 > Warning: Not using cache on failed catalog > Error: Could not retrieve catalog: skipping run > # > > > So I peeked in /var/log/puppetlabs/puppetserver/puppetserver.log and found: > > ERROR [qtp6662638830-70] [c.p.h.c.i.PersistentSyncHttpClient] Error > executing http request > javax.net.ssl.SSLHandshakeException: General SSLEngine problem > : > Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem > : > Caused by: sun.security.validator.ValidatorException: PKIX path validation > failed: java.security.cert.CertPathValidatorException: Path does not chain > with any of the trust anchors > : > > So I'm thinking something in the certificate chain is wrong, but I'm > hesitant to dive in and start replacing certs without being pretty sure of > what I'm doing, lest we end up starting over yet again. Has anyone else > encountered anything like this? > > > Sounds like maybe multiple issues:
* if an ENC is configured the ENC request maybe failed * puppetdb does not use certs that are signed by the puppetserver CA I would start by checking puppetdb certs. - Thomas -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/36cbdda2-55b1-4f0a-ad3c-77d2f12ca390%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
