Here's how I recovered:

# service puppetdb stop
# yum remove puppetdb
# cd /etc/puppetlabs
# mv puppetdb puppetdb.orig
# puppet apply puppetdb.pp
# service puppetserver stop && service puppetserver start

And we appear to be better off now. Note that puppetdb.pp was a one-shot manifest I wrote to just install puppetdb. I suspect that I somehow changed the puppetserver certs after installing puppetdb originally, and reapplying the manifest without removing the older /etc/puppetlabs/puppetdb directory prevented it from generating new certs.

On Wednesday, July 11, 2018 at 2:23:37 AM UTC-4, Thomas Müller wrote:
>
> On Tuesday, July 10, 2018 at 20:04:03 UTC+2, Bret Wortman wrote:
>>
>> I'm standing up a new replacement puppet server in place of the one we
>> trashed a few weeks ago, and am running into a new, interesting issue.
>>
>> I'm running puppet and puppetdb on the same server. Postgres is up and
>> running. When I try to run puppet agent -t on a random system, I get this:
>>
>> # puppet agent -t
>> Warning: Unable to fetch my node definition, but the agent run will continue
>> :
>> Info: Retrieving pluginfacts
>> Info:Retrieving plugin
>> Info: Loading facts
>> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=<blah>&version=5&certname=zw129.my.net&command=replace_fact&producer-timestamp=<blah>' on at least 1 of the following 'server_urls': https://puppet.my.net:8081
>> Warning: Not using cache on failed catalog
>> Error: Could not retrieve catalog: skipping run
>> #
>>
>> So I peeked in /var/log/puppetlabs/puppetserver/puppetserver.log and
>> found:
>>
>> ERROR [qtp6662638830-70] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> :
>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>> :
>> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>> :
>>
>> So I'm thinking something in the certificate chain is wrong, but I'm
>> hesitant to dive in and start replacing certs without being pretty sure of
>> what I'm doing, lest we end up starting over yet again. Has anyone else
>> encountered anything like this?
>>
>
> Sounds like maybe multiple issues:
>
> * if an ENC is configured the ENC request maybe failed
> * puppetdb does not use certs that are signed by the puppetserver CA
>
> I would start by checking puppetdb certs.
>
> - Thomas
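
One way to run the "checking puppetdb certs" step suggested in the thread before removing anything, as an added example that is not part of the original messages. The function names are hypothetical, and the paths in the usage comment are assumed stock puppetserver/puppetdb locations, not paths confirmed by the thread.

```shell
#!/bin/sh
# Added example: does PuppetDB's TLS cert chain to the CA puppetserver trusts?
# Function names are hypothetical; default paths in the usage note are assumptions.

# fingerprint FILE -> SHA-256 fingerprint of the first certificate in FILE
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# chains_to CA_FILE CERT_FILE -> 0 if CERT_FILE validates against CA_FILE.
# The output is matched for ": OK" because old openssl builds can exit 0
# even when verification fails.
chains_to() {
    openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# check_puppetdb_trust SERVER_CA PDB_CA PDB_CERT
# Prints one line per finding; returns 0 only if both checks pass.
check_puppetdb_trust() {
    server_ca=$1 pdb_ca=$2 pdb_cert=$3 rc=0
    # A PuppetDB ssl directory left over from an earlier install keeps the
    # old CA copy, so compare it with the CA the server uses today.
    if [ "$(fingerprint "$server_ca")" != "$(fingerprint "$pdb_ca")" ]; then
        echo "STALE-CA: $pdb_ca is not the CA puppetserver currently uses"
        rc=1
    fi
    # This is the condition behind "Path does not chain with any of the
    # trust anchors" in puppetserver.log.
    if ! chains_to "$server_ca" "$pdb_cert"; then
        echo "UNTRUSTED: $pdb_cert is not signed by $server_ca"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: PuppetDB cert chains to the current Puppet CA"
    return "$rc"
}

# Usage (assumed default paths):
#   sh check.sh /etc/puppetlabs/puppet/ssl/certs/ca.pem \
#       /etc/puppetlabs/puppetdb/ssl/ca.pem /etc/puppetlabs/puppetdb/ssl/public.pem
if [ "$#" -eq 3 ]; then check_puppetdb_trust "$@"; fi
```

A STALE-CA or UNTRUSTED line matches the situation described in the recovery message: the PuppetDB ssl directory predates the current puppetserver CA and was never regenerated.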
