#I completely removed puppetdb:
[root@puppetdb ~]# hostname -f; facter fqdn
puppetdb.local
puppetdb.local
[root@puppetdb ~]# updatedb; locate puppetdb
/etc/puppet/ssl/certificate_requests/puppetdb.local.pem
/etc/puppet/ssl/certs/puppetdb.local.pem
/etc/puppet/ssl/private_keys/puppetdb.local.pem
/etc/puppet/ssl/public_keys/puppetdb.local.pem
/var/lib/puppet/client_data/catalog/puppetdb.local.json
[root@puppetdb ~]# yum list installed | grep puppetdb
[root@puppetdb ~]# yum install puppetdb
...
---> Package puppetdb.noarch 0:1.3.0-1.el6 will be installed
...
Installing : puppetdb-1.3.0-1.el6.noarch 1/1
Certificate was added to keystore
Backing up /etc/puppetdb/conf.d/jetty.ini to /etc/puppetdb/conf.d/jetty.ini.bak.1368783179 before making changes
Updated default settings from package installation for ssl-host in /etc/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for ssl-port in /etc/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for key-password in /etc/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for trust-password in /etc/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for keystore in /etc/puppetdb/conf.d/jetty.ini.
Updated default settings from package installation for truststore in /etc/puppetdb/conf.d/jetty.ini.
...
Complete!
[root@puppetdb ~]# puppet-onetime
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Caching catalog for puppetdb.local
Info: Applying configuration version '1368782769'
Notice: /Stage[main]//Node[puppetdb.local]/Service[puppetdb]/ensure: ensure changed 'stopped' to 'running'
Notice: Finished catalog run in 14.62 seconds
[root@puppetdb ~]# cd /etc/puppetdb/ssl
[root@puppetdb ssl]# cat pup*
sw*********************VS
[root@puppetdb ssl]# keytool -list -keystore keystore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
puppetdb.local, May 17, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 99:E4:A8:6C:92:A4:5A:75:C5:D4:D2:6B:28:C4:22:99
[root@puppetdb ssl]# keytool -list -keystore truststore.jks
Enter keystore password:
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 1 entry
puppetdb ca, May 17, 2013, trustedCertEntry,
Certificate fingerprint (MD5): E4:89:E7:73:91:BB:7B:A8:3C:9B:6C:3C:22:EE:F2:FF
[root@puppetdb ssl]# openssl x509 -noout -in `puppet master --configprint hostcert` -fingerprint -md5
MD5 Fingerprint=99:E4:A8:6C:92:A4:5A:75:C5:D4:D2:6B:28:C4:22:99
[root@puppetdb ssl]# echo "GET /" | openssl s_client -connect 127.0.0.1:8081 -cert `puppet master --configprint hostcert` -key `puppet master --configprint hostprivkey` -CAfile `puppet master --configprint cacert`
CONNECTED(00000003)
depth=1 CN = Puppet CA: puppet.local
verify return:1
depth=0 CN = puppetdb.local
verify return:1
---
Certificate chain
0 s:/CN=puppetdb.local
  i:/CN=Puppet CA: puppet.local
---
Server certificate
-----BEGIN CERTIFICATE-----
MII 3zCCA0i AwIBAgI HjANBgkqh iG9w0BAQsF DApMScwJQ DVQQDDB5QdXBw
ZXQ Q0E6IHB cHBldC5 YWh1bmEub 9jYWwwHhcN TMwNTE0MD 1MTExWhcNMTgw
NTE MDc1MTE WjAgMR4 HAYDVQQDD VwdXBwZXRk i5rYWh1bm ubG9jYWwwggIi
MA0 CSqGSIb DQEBAQU
A4ICDwAwg IKAoICAQDK OJL7Jdky8 1BxE4a1zHaZFf
/0O 3ilhWcD A65Q+31 YjjebllEY pTYIkVp6Wd xuaRXEQJy Jy3EyagpHeJqM
RmB M6UgXs3 YCyhMI+ 8+LvN3M2o CQ0OXxETEY GvKMPBTcB WplBKg8RtOUwz
1D3 bPAYF9E R10RsCI 9hZxgwh58 Th8KGfxfdY hu1uUBwDi NFkdnC0fjy2l0
8EX fwKCg8q 50Y7KGG u1PrYbJej esqGroxZnL y2sd62AJi rT7u4kdUxhBmr
qL8 M2qBghn LWRc1V9 vowjHv4xU R1E1T9H8o2 10DJq3IAn i11sj/LyIhpbk
0BD mwSlRUB +JGaGqL 5W1OUIc5N EWyHcWszuT 3I5bRT7V7 MdPzWo9k6q23i
oSX WpM64mZ rUgsD5O mnVyUv4YP fB1O4NPB+3 ncpncbwt4 mXYQQOeOdd/UD
/EU DWQnFJV Ie1KAvf coeduPWRI JkTp4yRFUa liAtbu9/8 GIKtLmBe8T4N5
cBJ 78pfyO9 4Lb2A0v co45dC/bO zOBZ3NvV09 iJ2IzGuB7 KCg7866k8UM96
666 Y6qyxsj ySJpvQI AQABo4GbM GYMCAGA1Ud QEB/wQWMB GCCsGAQUFBwMB
Bgg BgEFBQc AjAdBgN HQ4EFgQUW 4VTsSWkOQe kIX96CQez 9Pd8wDAYDVR0T
AQH BAIwADA Bglghkg hvhCAQ0EK YoUHVwcGV0 FJ1YnkvT3 lblNTTCBJbnRl
cm5 bCBDZXJ aWZpY2F ZTAOBgNVH 8BAf8EBAMC aAwDQYJKo IhvcNAQELBQAD
gYE ryhsV6e DfwpkNw 8lXgwnEOf cNWzQwPwZV 3bzPQDL+o 14/fhtHp1DQLP
bQb Q7WSFZI 9UZM6ak Q72RmbYlr miWHHpg5JO M6l9woo8E LsnyEmtFsXSWN
haW 5sIYbst 1BQULKU QFFONfycs rWCmzU+7tV 0vCavQ
-----END CERTIFICATE-----
subject=/CN=puppetdb.local
issuer=/CN=Puppet CA: puppet.local
---
Acceptable client certificate CA names
/CN=Puppet CA: puppet.local
---
SSL handshake has read 2020 bytes and written 2397 bytes
---
New, TLSv1/SSLv3, Cipher is DHE-RSA-AES256-SHA
Server public key is 4096 bit
Secure Renegotiation IS supported
Compression: NONE
Expansion: NONE
SSL-Session:
Protocol : TLSv1
Cipher : DHE-RSA-AES256-SHA
Session-ID: 5195FC31D5404FD99AF3967EFF0CD687612DCD35E4E6A3D1327FF56A5B62BE11
Session-ID-ctx:
Master-Key: 067F4B13FF0E6CAB11319678E769AA8CD56911C8A15E*********82B5341C4B3DFE6007C8912B4E071D7CD74C4CD8908
Key-Arg : None
Krb5 Principal: None
PSK identity: None
PSK identity hint: None
Start Time: 1368783921
Timeout : 300 (sec)
Verify return code: 0 (ok)
---
DONE
# (the s_client check above ran on puppetdb.local itself, against 127.0.0.1, with puppetdb.local's own cert and key, so it does not exercise the master's connection to puppetdb.local:8081)
# NOW ON THE MASTER
[root@gaia puppet]# cd /etc/puppet
[root@gaia puppet]# mv routes.yaml.new routes.yaml
[root@gaia puppet]# cat
routes.yaml
---
master:
  facts:
    terminus: puppetdb
    cache: yaml
[root@gaia puppet]# cat /etc/puppet/puppet.conf
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /etc/puppet/ssl
[agent]
server = puppet.local
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
waitforcert = 120
environment = production
[master]
localcacert = /etc/puppet/ssl/certs/ca.pem
hostcrl = /etc/puppet/ssl/crl.pem
default_file_terminus = rest
logdir = /var/lib/puppet/log
certdir = /etc/puppet/ssl/certs
requestdir = /etc/puppet/ssl/certificate_requests
passfile = /etc/puppet/ssl/private/password
node_terminus = plain
pluginsource = puppet://puppet/plugins
hostprivkey = /etc/puppet/ssl/private_keys/puppet.local.pem
hiera_config = /etc/puppet/hiera.yaml
factpath = /var/lib/puppet/lib/facter:/var/lib/puppet/facts
filetimeout = 15
facts_terminus = yaml
name = master
httplog = /var/lib/puppet/log/http.log
confdir = /etc/puppet
ssldir = /etc/puppet/ssl
privatekeydir = /etc/puppet/ssl/private_keys
libdir = /var/lib/puppet/lib
node_cache_terminus = write_only_yaml
hostcsr = /etc/puppet/ssl/csr_puppet.local.pem
hostpubkey = /etc/puppet/ssl/public_keys/puppet.local.pem
catalog_terminus = compiler
certificate_expire_warning = 5184000
inventory_terminus = yaml
statedir = /var/lib/puppet/state
vardir = /var/lib/puppet
publickeydir = /etc/puppet/ssl/public_keys
rundir = /var/lib/puppet/run
privatedir = /etc/puppet/ssl/private
route_file = /etc/puppet/routes.yaml
plugindest = /var/lib/puppet/lib
hostcert = /etc/puppet/ssl/certs/puppet.local.pem
data_binding_terminus = hiera
classfile = /var/lib/puppet/state/classes.txt
clientbucketdir = /var/lib/puppet/clientbucket
report_port = 8140
lastrunfile = /var/lib/puppet/state/last_run_summary.yaml
ca_port = 8140
graphdir = /var/lib/puppet/state/graphs
agent_catalog_run_lockfile = /var/lib/puppet/state/agent_catalog_run.lock
clientyamldir = /var/lib/puppet/client_yaml
splaylimit = 1800
resourcefile = /var/lib/puppet/state/resources.txt
configtimeout = 120
inventory_server = puppet
runinterval = 1800
lastrunreport = /var/lib/puppet/state/last_run_report.yaml
agent_disabled_lockfile = /var/lib/puppet/state/agent_disabled.lock
localconfig = /var/lib/puppet/state/localconfig
client_datadir = /var/lib/puppet/client_data
report_server = puppet
inventory_port = 8140
ca_server = puppet
node_name_value = puppet.local
waitforcert = 120
puppetdlog = /var/lib/puppet/log/puppetd.log
statefile = /var/lib/puppet/state/state.yaml
serial = /etc/puppet/ssl/ca/serial
ca_name = Puppet CA: puppet.local
cakey = /etc/puppet/ssl/ca/ca_key.pem
caprivatedir = /etc/puppet/ssl/ca/private
capass = /etc/puppet/ssl/ca/private/ca.pass
ca_ttl = 157680000
cert_inventory = /etc/puppet/ssl/ca/inventory.txt
cadir = /etc/puppet/ssl/ca
capub = /etc/puppet/ssl/ca/ca_pub.pem
csrdir = /etc/puppet/ssl/ca/requests
autosign = /etc/puppet/autosign.conf
cacert = /etc/puppet/ssl/ca/ca_crt.pem
cacrl = /etc/puppet/ssl/ca/ca_crl.pem
signeddir = /etc/puppet/ssl/ca/signed
fileserverconfig = /etc/puppet/fileserver.conf
manifest = /etc/puppet/manifests/site.pp
# Production
modulepath = /etc/puppet/modules
rest_authconfig = /etc/puppet/auth.conf
yamldir = /var/lib/puppet/yaml
reportdir = /var/lib/puppet/reports
masterlog = /var/lib/puppet/log/puppetmaster.log
server_datadir = /var/lib/puppet/server_data
manifestdir = /etc/puppet/manifests
masterhttplog = /var/lib/puppet/log/masterhttp.log
bucketdir = /var/lib/puppet/bucket
templatedir = /var/lib/puppet/templates
tagmap = /etc/puppet/tagmail.conf
pidfile = /var/run/puppet/master.pid
config = /etc/puppet/puppet.conf
rrddir = /var/lib/puppet/rrd
rrdinterval = 1800
railslog = /var/lib/puppet/log/rails.log
devicedir = /var/lib/puppet/devices
deviceconfig = /etc/puppet/device.conf
archive_file_server = puppet
module_working_dir = /var/lib/puppet/puppet-module
#storeconfigs_backend = active_record
#dblocation = /var/lib/puppet/state/clientconfigs.sqlite3
storeconfigs = true
storeconfigs_backend = puppetdb
[dev]
modulepath = /etc/puppet/modules-dev
[root@gaia puppet]# /etc/init.d/puppetmaster restart
Stopping puppetmaster: [ OK ]
Starting puppetmaster: [ OK ]
[root@gaia puppet]# puppet-onetime
Info: Retrieving plugin
Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/puppet_vardir.rb
Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/root_home.rb
Info: Loading facts in /etc/puppet/modules/stdlib/lib/facter/pe_version.rb
Info: Loading facts in /var/lib/puppet/lib/facter/puppet_vardir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Loading facts in /var/lib/puppet/lib/facter/pe_version.rb
Error: Could not retrieve catalog from remote server: Error 400 on SERVER: Failed to submit 'replace facts' command for gaia.local to PuppetDB at puppetdb.local:8081: SSL_connect SYSCALL returned=5 errno=0 state=SSLv3 read finished A
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run