If you execute on the puppetmaster itself, the following command:

puppet cert list --all | egrep -i 'zw129.my.net'

is the certificate listed?

If not, I would say that's the first problem you need to resolve. Or am I missing something?

--------------------------
Warron French

On Thu, Jul 12, 2018 at 6:38 AM, Bret Wortman <[email protected]> wrote:

> Here's how I recovered:
>
> # service puppetdb stop
> # yum remove puppetdb
> # cd /etc/puppetlabs
> # mv puppetdb puppetdb.orig
> # puppet apply puppetdb.pp
> # service puppetserver stop && service puppetserver start
>
> And we appear to be better off now. Note that puppetdb.pp was a one-shot
> manifest I wrote to just install puppetdb. I suspect that I somehow changed
> the puppetserver certs after installing puppetdb originally, and reapplying
> the manifest without removing the older /etc/puppetlabs/puppetdb directory
> prevented it from generating new certs.
>
> On Wednesday, July 11, 2018 at 2:23:37 AM UTC-4, Thomas Müller wrote:
>>
>> On Tuesday, July 10, 2018 at 20:04:03 UTC+2, Bret Wortman wrote:
>>>
>>> I'm standing up a new replacement puppet server in place of the one we
>>> trashed a few weeks ago, and am running into a new, interesting issue.
>>>
>>> I'm running puppet and puppetdb on the same server. Postgres is up and
>>> running. When I try to run puppet agent -t on a random system, I get this:
>>>
>>> # puppet agent -t
>>> Warning: Unable to fetch my node definition, but the agent run will continue
>>> :
>>> Info: Retrieving pluginfacts
>>> Info:Retrieving plugin
>>> Info: Loading facts
>>> Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=<blah>&version=5&certname=zw129.my.net&command=replace_fact&producer-timestamp=<blah>' on at least 1 of the following 'server_urls': https://puppet.my.net:8081
>>> Warning: Not using cache on failed catalog
>>> Error: Could not retrieve catalog: skipping run
>>> #
>>>
>>> So I peeked in /var/log/puppetlabs/puppetserver/puppetserver.log and
>>> found:
>>>
>>> ERROR [qtp6662638830-70] [c.p.h.c.i.PersistentSyncHttpClient] Error executing http request
>>> javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>> :
>>> Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
>>> :
>>> Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Path does not chain with any of the trust anchors
>>> :
>>>
>>> So I'm thinking something in the certificate chain is wrong, but I'm
>>> hesitant to dive in and start replacing certs without being pretty sure of
>>> what I'm doing, lest we end up starting over yet again. Has anyone else
>>> encountered anything like this?
>>>
>> Sounds like maybe multiple issues:
>>
>> * if an ENC is configured the ENC request maybe failed
>> * puppetdb does not use certs that are signed by the puppetserver CA
>>
>> I would start by checking puppetdb certs.
>>
>> - Thomas
>>
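Added example, not part of the thread and not Puppet's own tooling: one way to carry out the check suggested above, confirming that the certificate PuppetDB presents chains to the current Puppet CA and that PuppetDB's copy of ca.pem is that same CA. The paths are assumed defaults for a puppetlabs package install, and check_chain and same_cert are hypothetical helper names.

```sh
#!/bin/sh
# Assumed default locations (adjust for your install).
PDB_CERT=/etc/puppetlabs/puppetdb/ssl/public.pem
PDB_CA=/etc/puppetlabs/puppetdb/ssl/ca.pem
PUPPET_CA=/etc/puppetlabs/puppet/ssl/certs/ca.pem

# check_chain CERT CA
# 0 = CERT verifies against CA, 1 = does not chain, 2 = a file cannot be parsed.
check_chain() {
    cert=$1
    ca=$2
    for f in "$cert" "$ca"; do
        if ! openssl x509 -in "$f" -noout >/dev/null 2>&1; then
            echo "cannot parse certificate: $f" >&2
            return 2
        fi
    done
    # Show who issued the cert and who the CA claims to be.
    openssl x509 -in "$cert" -noout -subject -issuer -enddate
    openssl x509 -in "$ca" -noout -subject
    # Require both a zero exit status and the ": OK" marker in the output.
    if out=$(openssl verify -CAfile "$ca" "$cert" 2>&1) &&
       printf '%s\n' "$out" | grep -q ': OK$'; then
        echo "OK: $cert chains to $ca"
        return 0
    fi
    printf '%s\n' "$out" >&2
    echo "FAIL: $cert does not chain to $ca" >&2
    return 1
}

# same_cert A B
# 0 = identical certificates (SHA-256 fingerprint), 1 = different, 2 = unreadable.
same_cert() {
    a=$(openssl x509 -in "$1" -noout -fingerprint -sha256 2>/dev/null) || return 2
    b=$(openssl x509 -in "$2" -noout -fingerprint -sha256 2>/dev/null) || return 2
    [ "$a" = "$b" ]
}

# Run against the default locations when they exist on this host.
if [ -r "$PDB_CERT" ] && [ -r "$PUPPET_CA" ]; then
    same_cert "$PDB_CA" "$PUPPET_CA" ||
        echo "WARN: PuppetDB's ca.pem is not the current Puppet CA" >&2
    check_chain "$PDB_CERT" "$PUPPET_CA"
fi
```

A FAIL here, or a ca.pem mismatch, matches the "Path does not chain with any of the trust anchors" error in puppetserver.log and points at a stale /etc/puppetlabs/puppetdb/ssl directory.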
