Eric Sorenson (ahpook), OSPO @ Github
ahpook / gist:4127992
Created November 21, 2012 21:40
How can I troubleshoot problems with Puppet's SSL layer?

I feel your pain. SSL is tough and is probably the number one stumbling block for new users getting Puppet working in their environment. Hopefully this answer helps reduce frustration and get you up and running. The good news is, once it's set up right, you won't have to fiddle with it any more.

First, make sure the problem you're having is actually an SSL problem. Almost all of the SSL-related error messages on the client start with the string SSL_connect and then the error raised up by the underlying crypto libraries. General networking errors will not have this string, so normal network troubleshooting methodology applies; specifically, Connection refused - connect(2) means a TCP connection attempt got a RST packet indicating a firewall or puppet master not running, and getaddrinfo: nodename nor servname provided, or not known means the server's hostname (the value of puppet agent --configprint server) was not resolvable in DNS/hosts.

Next, assuming you do have an SSL_connect style error, it

ahpook / gunnar.zsh
Created August 28, 2012 04:48
working on shell scripts with gunnar
#!/bin/zsh
say "hi gunnar"
say "how are you today?"
echo -n "your answer? "
read feeling_answer
say "i am glad that you are $feeling_answer"
say "do you want food?"
echo -n "your answer? "
read food_answer
file { "whatever":
  ensure  => present,
  require => $operatingsystem ? {
    linux   => Package["needthis"],
    solaris => Package["somethingelse"],
    default => undef,
  }
}
ls -l /puppet/environments
lrwxrwxrwx 1 root issre 46 Jun 14 22:25 ic -> /puppet/checkouts/ic/tags/12.58.1
lrwxrwxrwx 1 root issre 46 Jun 14 22:25 ic_qa -> /puppet/checkouts/ic/tags/12.59.0
lrwxrwxrwx 1 root issre 39 Jun 14 17:09 ic_trunk -> /puppet/checkouts/ic/trunk
## /etc/puppet/puppet.conf
[master]
modulepath = /puppet/environments/$environment/modules
manifest = /puppet/environments/$environment/manifests/site.pp
ahpook / puppet.out
Created June 12, 2012 01:44
Arbitrary Pluginsync
notice: /File[/var/lib/puppet/lib/awesome_print.rb]/ensure: defined content as '{md5}95f5a0ae3b1ccce7f52aaa78333a4710'
debug: /File[/var/lib/puppet/lib/awesome_print.rb]: The container /var/lib/puppet/lib will propagate my refresh event
notice: /File[/var/lib/puppet/lib/awesome_print]/ensure: created
debug: /File[/var/lib/puppet/lib/awesome_print]: The container /var/lib/puppet/lib will propagate my refresh event
notice: /File[/var/lib/puppet/lib/awesome_print/ext]/ensure: created
debug: /File[/var/lib/puppet/lib/awesome_print/ext]: The container /var/lib/puppet/lib will propagate my refresh event
notice: /File[/var/lib/puppet/lib/awesome_print/ext/active_record.rb]/ensure: defined content as '{md5}8a025cc4c18f1a5f295ce25c95df1b77'
debug: /File[/var/lib/puppet/lib/awesome_print/ext/active_record.rb]: The container /var/lib/puppet/lib will propagate my refresh event
notice: /File[/var/lib/puppet/lib/awesome_print/inspector.rb]/ensure: defined content as '{md5}3bc952154e018460b7fe4c61e980d25c'
debug: /File[/var
764 git branch 4426-regexp-nodes origin/master
765 git checkout 4426-regexp-nodes
766 git log regexp_nodes_environments
767 git merge c065e2e0892552fe92c2bd8a665547238fb96a40
768 git merge 338fbb248ae11c3aa95768687d829ff1d6776c0f
769 git merge d679dc58f3cf235245f478edec446c64afd48693
770 git status
771 git push me 4426-regexp-nodes
ended up with https://github.com/ahpook/puppet/commits/4426-regexp-nodes
ahpook / config.ru
Created November 16, 2011 19:49 — forked from miwillhite/config.ru
require File.join(File.dirname(__FILE__), 'config', 'environment.rb')
# disable :run
run Helios
ahpook / memorysize_raw.rb
Created September 8, 2011 00:28
Custom facter fact for raw memorysize.
# for some reason facter takes the raw memorysize and reports it as
# a formatted string, which is useless for calculation
#
Facter.add("memorysize_raw") do
  confine :kernel => :linux
  setcode do
    size = 0
    # MemTotal in /proc/meminfo is reported in kB; take the numeric value only
    File.readlines("/proc/meminfo").each do |l|
      size = $1.to_f if l =~ /^MemTotal:\s+(\d+)/
    end
    # the last expression in setcode is the fact's value
    size
  end
end
ahpook / sinatra-multiple-values-fail
Created September 6, 2011 21:32 — forked from randomcamel/sinatra-multiple-values-fail
Sinatra failing to produce multiple param values
# Sinatra 1.2.6 doesn't appear to properly handle multiple values for a form parameter. 'params[:my_param_name]'
# only returns the last one supplied. I've verified that Chrome is sending the full list, and the list appears in
# the rack.request.query_string variable (but not the rack.request.params variable).
# This comes straight outta rack so it's not actually sinatra's fault. It's also undocumented magic in the
# rack/utils.rb#normalize_params method.
require 'rubygems'
require 'sinatra'
ahpook / gist:1182243
Created August 30, 2011 22:14
Use a generic client certificate with puppet

The problem

There's enough trouble with puppet's ssl model (mandatory client certs) that people go and do odd things to get around it. The primary problem is that for lab/preproduction environments, if you reinstall machines frequently, you lose access to the private key that generated the original cert but (absent some puppet cert --clean [node] operation) the cert still exists, leading to the dreaded Retrieved certificate doesn't match private key error.

A solution

Generate a single client certificate which all your nodes use, and have the master determine node names from facter rather than the SSL DN. This way you can re-install nodes with impunity and as long as your bootstrap plops down the correct config and the cert+key, you don't have any more SSL issues.

The caveats

If you have autosign turned on, this change represents a shift in security tradeoffs: you can turn off autosign and therefore more tightly control which clients can talk to your server because they need to have your clie