Error: Failed to submit 'deactivate node' command

asked 2015-05-19 22:14:50 -0500

vincentw8460

Whenever I try to deactivate a node with puppet node deactivate, I get an error:

[root@puppet-sys puppet]# sudo puppet node deactivate sys-docs
Error: Failed to submit 'deactivate node' command for sys-docs to PuppetDB at puppet-sys.mycompany.com:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Error: Try 'puppet help node deactivate' for usage

System Info:

  • Scientific Linux 6.6
  • Puppet version 3.7.5
  • PuppetDB version 2.3.4
  • Puppetboard version 0.0.4

Puppet and PuppetDB are on the same host while Puppetboard is on a different one.

All regular functions of Puppet seem to work. Runs execute successfully, PuppetDB is reporting things to Puppetboard, I can use puppet cert clean to clean the host certs, etc.

I've been Googling around for hours, but I've found nothing about this.


1 Answer


answered 2015-05-20 23:10:57 -0500

vincentw8460

updated 2015-05-23 13:44:34 -0500

I finally figured out what this was. In my puppetmaster's /etc/puppet.conf file, I needed to declare

certname = puppet-sys.example.com

in the [main], [master], and [agent] sections.

We do not use FQDNs in our Puppet environment due to weird DNS stuff. So, we use the shortnames only. PuppetDB was not able to take commands from the puppetmaster due to the fact that the puppetmaster's certname was not the FQDN of the puppetmaster. This was a really weird error.

Basically, the puppetmaster was presenting two certs: the FQDN and the shortname. I had the shortname set as the certname in /etc/puppet/puppet.conf.

This was fine for the clients, but PuppetDB didn't like it and I could not use puppet node commands to operate on the DB.

This also had to do with the fact that my puppetmaster's agent and master certs did not match. I made sure that they had the same certs in /etc/puppet/ssl and /var/lib/puppet/ssl.

My final puppet.conf ended up like this:

[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl

# set certname in all sections 
# since our certnames aren't fqdn
# (needs to be FQDN)
certname = puppet-sys.example.com

# DNS alt names
dns_alt_names = puppet-sys,puppet-sys.example.com

# Set server address (needs to be FQDN)
server = puppet-sys.example.com

[master]
# Set reports options
reports = store,puppetdb
storeconfigs = true
storeconfigs_backend = puppetdb

# set certname in all sections 
# since our certnames aren't fqdn
# (needs to be FQDN)
certname = puppet-sys.example.com

# Set SSL options
ssl_client_header = SSL_CLIENT_S_DN
ssl_client_verify_header = SSL_CLIENT_VERIFY
ssldir=/etc/puppet/ssl

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration.  Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$confdir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration.  An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig

# Set SSL dir
ssldir=$vardir/ssl

# Set server address (needs to be FQDN)
server = puppet-sys.example.com

# set certname in all sections 
# since our certnames aren't fqdn
# (needs to be FQDN)
certname = puppet-sys.example.com

# Set report to true
report = true
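
A consistency check for the condition described in this answer, added here as an example (not code from the original post or from Puppet): it parses puppet.conf text and flags a certname that is not an FQDN or differs between [main], [master] and [agent], and an ssldir that differs between master and agent. The function names, finding codes and the BEFORE sample are constructed for illustration; it assumes a section falls back to [main] for settings it does not define.

```python
import configparser
import re

SECTIONS = ("main", "master", "agent")
# Loose FQDN test for this sketch: at least two dot-separated labels.
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)

def effective(cfg, section, key):
    """Value a run mode sees: its own section first, then [main]."""
    for sec in (section, "main"):
        if cfg.has_option(sec, key):
            return cfg.get(sec, key).strip()
    return None

def check_puppet_conf(text):
    """Return (code, detail) findings for certname/ssldir consistency."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.read_string(text)
    findings = []
    names = {s: effective(cfg, s, "certname") for s in SECTIONS}
    for sec, name in names.items():
        if name is None:
            findings.append(("CERTNAME_UNSET", sec))
        elif not FQDN_RE.match(name):
            findings.append(("CERTNAME_NOT_FQDN", f"[{sec}] {name}"))
    if len(set(names.values())) > 1:
        findings.append(("CERTNAME_MISMATCH", str(names)))
    # Separate ssldirs mean two certificate stores that must be kept in sync.
    dirs = {s: effective(cfg, s, "ssldir") for s in ("master", "agent")}
    if dirs["master"] != dirs["agent"]:
        findings.append(("SSLDIR_DIFFERS", str(dirs)))
    return findings

# Constructed "before" sample: shortname certname, agent and master disagree.
BEFORE = """[main]
certname = puppet-sys
[master]
ssldir = /etc/puppet/ssl
[agent]
certname = puppet-sys.example.com
"""
# Trimmed from the final puppet.conf shown in the answer.
AFTER = """[main]
ssldir = $vardir/ssl
certname = puppet-sys.example.com
[master]
certname = puppet-sys.example.com
ssldir = /etc/puppet/ssl
[agent]
certname = puppet-sys.example.com
"""
```

On the final configuration only SSLDIR_DIFFERS remains, which matches the answer's note that the certs under /etc/puppet/ssl and /var/lib/puppet/ssl had to be made identical by hand.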
