puppetserver certificates being signed in the future

We had a problem where new clients couldn't get their keys signed properly by the puppetmaster. Both the client and the server were in perfect sync with our ntp server. date on both machines returned the expected results. We are running mongrel, so I went down the wrong path of thinking apache was to blame for the time problem. It wasn't until I started going through the certificate_factory stuff that I found the problem. We had errors on the certs like this:
    [root@puppet ~]# cd /var/lib/puppet/ssl
    [root@puppet ssl]# openssl verify -CAfile ./certs/ca.pem ./certs/client.example.com.pem
    ./certs/client.example.com.pem: /CN= client.example.com
    error 9 at 1 depth lookup:certificate is not yet valid
Outputting the certificate showed that the cert was being signed for a future date, even though the time on the machines is correct.
    [root@puppet ssl]# date
    Fri Jan 29 11:31:32 EST 2010
    [root@puppet ssl]# openssl x509 -text -in ca/signed/client.example.com.pem |grep -A2 Valid
            Validity
                Not Before: Feb 17 13:28:04 2010 GMT
                Not After : Feb 16 13:28:04 2015 GMT
Going through the code I found that the date was being set in certificate_factory.rb
    def set_ttl
      # Make the certificate valid as of yesterday, because
      # so many people's clocks are out of sync.
      from = Time.now - (60*60*24)
      @cert.not_before = from
      @cert.not_after = from + ttl
    end
Just for fun I ran the command through interactive ruby (irb) and discovered the source of the problem.
    [root@puppet ~]# ntpdate time.example.com
    29 Jan 09:02:45 ntpdate[9117]: step time server 192.168.0.1 offset -6377207.794727 sec
    [root@puppet ~]# irb
    irb(main):001:0> Time.now
    => Tue Apr 13 05:25:50 -0400 2010
    irb(main):002:0> quit
    [root@puppet ~]# date
    Fri Jan 29 08:59:07 EST 2010
I still don't know why this happened; it's not a puppet bug, it's a ruby bug. date was returning the expected results. I checked time zones, everything; all were good. It was time for a kernel upgrade, so I did the upgrade and rebooted. I haven't seen the problem since :-/ The machine in question is a kvm running on version 88. I know there are some clock skew problems with earlier kvms, but this is not really a skew, it's far in the future... and the date was still being shown as correct. So ruby must've been calculating the date wrong somehow; it doesn't really make sense... comments welcome. Anyway, if this happens to you, maybe try irb and see if ruby thinks the date is wrong.
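The failure above, reproduced as an added example that is not part of the original post or of Puppet's code: a certificate is issued with the same "valid as of yesterday" rule as set_ttl, but from a clock that runs ahead, and is then checked against a trusted reference time. The helper names issue_cert, validity_status and ruby_clock_offset are hypothetical, and the timestamps are constructed to match the output shown earlier.

```ruby
require 'openssl'

DAY = 60 * 60 * 24

# Constructed stand-in for the CA signing step: a self-signed certificate whose
# validity window is derived from `now` the same way set_ttl derives it.
def issue_cert(now, ttl = 5 * 365 * DAY)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=client.example.com')
  cert.public_key = key.public_key
  from = now - DAY                 # "valid as of yesterday"
  cert.not_before = from
  cert.not_after = from + ttl
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Classify a certificate's validity window against a trusted reference time.
def validity_status(cert, reference)
  return :not_yet_valid if cert.not_before > reference
  return :expired if cert.not_after < reference
  :valid
end

# Seconds by which the Ruby runtime's clock differs from the `date` command.
# Returns nil when `date` produced no usable epoch value.
def ruby_clock_offset
  out = `date +%s 2>/dev/null`
  out =~ /\A\d+\s*\z/ ? Time.now.to_i - out.to_i : nil
end

if __FILE__ == $0
  real   = Time.utc(2010, 1, 29, 16, 31, 32)  # constructed: what `date` reported
  skewed = Time.utc(2010, 2, 18, 13, 28, 4)   # constructed: what Ruby believed
  cert = issue_cert(skewed)
  puts "Not Before: #{cert.not_before}  status: #{validity_status(cert, real)}"
  puts "Ruby vs date offset on this host: #{ruby_clock_offset.inspect} sec"
end
```

A nonzero ruby_clock_offset on the signing host is the condition to alert on before any certificates are issued, since the one-day backdating only absorbs skew smaller than a day.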