On Jun 27, 2010, at 2:40 PM, Douglas Garstang wrote:

> On Sun, Jun 27, 2010 at 1:33 PM, Patrick Mohr <kc7...@gmail.com> wrote:
>>
>> On Jun 27, 2010, at 12:50 PM, Douglas Garstang wrote:
>>
>>> On Sun, Jun 27, 2010 at 12:47 PM, Douglas Garstang
>>> <doug.garst...@gmail.com> wrote:
>>>> On Sun, Jun 27, 2010 at 12:34 PM, Douglas Garstang
>>>> <doug.garst...@gmail.com> wrote:
>>>>> Here we go with puppet 0.25 certificate problems again.
>>>>>
>>>>> I had a system where puppet was running fine. I reinstalled it.
>>>>> Running puppet on the client causes this:
>>>>>
>>>>> "Could not request certificate: Retrieved certificate does not match
>>>>> private key; please remove certificate from server and regenerate it
>>>>> with the current key".
>>>>>
>>>>> Fine... so I run 'puppetca --clean kick01.fr.xxx.com' on the server,
>>>>> who responds with:
>>>>>
>>>>> [r...@inst01 puppet]# puppetca --clean kick01.fr.xxx.com
>>>>> kick01.fr.xxx.com
>>>>> notice: Removing file Puppet::SSL::Certificate kick01.fr.xxx.com at
>>>>> '/var/lib/puppet/ssl/ca/signed/kick01.fr.xxx.com.pem'
>>>>>
>>>>> I then rerun puppet on the client and I am getting the same error. I
>>>>> must have done this hundreds of times with 0.24.8. What am I doing
>>>>> wrong now?
>>>>>
>>>>> Doug.
>>>>>
>>>>
>>>> *sigh*
>>>>
>>>> On the client, I removed the puppet rpm, blew away /var/lib/puppet,
>>>> and reinstalled the puppet rpm again. Started puppet, it requested a
>>>> certificate (but it logged nothing on the client about it, even in
>>>> debug mode), signed it on the server, and I am still getting this on
>>>> the client.
>>>>
>>>> warning: peer certificate won't be verified in this SSL session
>>>> info: Caching certificate for kick01.fr.xxx.com
>>>> err: Could not request certificate: Retrieved certificate does not
>>>> match private key; please remove certificate from server and
>>>> regenerate it with the current key
>>>>
>>>> *sigh*
>>>>
>>>
>>> Puppet is on crack. Even when the server isn't running, I STILL get this
>>> error!
>>
>> I think I know what the problem is. I ran into this exact error message
>> before. Try this:
>>
>> Step 1, run this on client:
>> service puppet stop
>> rm -R /var/lib/puppet
>>
>> Step 2, run this on server:
>> puppetca --clean kick01.fr.xxx.com #Make sure to change this back
>>
>> Step 3, run this on client:
>> #Restart the client however you like. I recommend this for testing:
>> puppetd --test --verbose --debug
>>
>>
>> I'm pretty sure this will work. If it does, I'll be happy to explain why
>> you got all those different error messages.
>
> Thanks Patrick. I got it to work somehow, with some magic combination
> of commands, which may be what you suggested. Next time it happens
> (and that won't be too far off), I'll try running through your steps.
>
> Doug.
This is an approximation of what probably happened. This is just to give a general idea, and may have some minor errors.

When a client wants to get a signed certificate, it normally goes through these steps:

1) Client generates a private key.
2) Client generates a Certificate Sign Request (CSR) from its private key and other information.
3) Client contacts server.
4) If client doesn't have ca.pem, it downloads it from the server at this point.
5) Client sends its CSR to the server and asks for its signed certificate.
6) If server has a signed certificate for that client name, it sends the certificate to the client.

What probably happened with your client:

1) Client generates a private key.
2) Client generates a Certificate Sign Request (CSR) from its private key and other information.
3) Client contacts server.
4) If client doesn't have ca.pem, it downloads it from the server at this point.
5) Client sends its CSR to the server and asks for its signed certificate.
6) If server has a signed certificate for that client name, it sends the certificate to the client.
7) Client is wiped.
8) Client generates a private key.
9) Client generates a Certificate Sign Request (CSR) from its private key and other information.
10) Client contacts server.
11) If client doesn't have ca.pem, it downloads it from the server at this point.
12) Client sends its CSR to the server and asks for its signed certificate.
13) Server sees that it already has the old signed certificate for that name and sends that certificate and ignores the CSR.
14) Client tries to use its certificate, but the cert matches the old private key instead of the new key so the certificate is unusable.

At this point, even if the client can't see the server, it still has a key/cert pair that doesn't match each other so it will still give the same error message.
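The key/CSR/certificate exchange described above, walked through in Ruby with OpenSSL as an added example that is not part of the original post or of Puppet's own code. The CA, the in-memory store standing in for the CA's signed/ directory, the serial numbers and the node name are constructed stand-ins; `check_private_key` is the OpenSSL test that the client's "Retrieved certificate does not match private key" error reports on.

```ruby
require 'openssl'

# Issue an X.509 certificate; used for both the self-signed CA and node certs.
def build_cert(subject, issuer, public_key, serial, signer_key)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(signer_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Client side (steps 1-2 above): a fresh private key plus a CSR for the node name.
def client_csr(node_name)
  key = OpenSSL::PKey::RSA.new(2048)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{node_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest::SHA256.new)
  [key, csr]
end

# Server side (steps 6 and 13 above): a certificate already signed for that
# name is returned as-is and the new CSR ignored; otherwise the CSR is signed.
def server_sign(ca_key, ca_cert, store, csr, serial)
  store[csr.subject.to_s] ||= build_cert(csr.subject, ca_cert.subject, csr.public_key, serial, ca_key)
end

# Enrol, wipe the client, re-enrol, then clean on the server and re-enrol.
# Returns whether the cert the client holds matches its current key at each stage.
def reproduce_mismatch(node = 'kick01.fr.xxx.com')
  ca_key = OpenSSL::PKey::RSA.new(2048)   # constructed stand-in for the puppetmaster CA
  ca_name = OpenSSL::X509::Name.parse('/CN=Puppet CA')
  ca_cert = build_cert(ca_name, ca_name, ca_key.public_key, 1, ca_key)
  store = {}                              # stands in for the CA's signed/ directory
  old_key, old_csr = client_csr(node)
  first = server_sign(ca_key, ca_cert, store, old_csr, 2)
  new_key, new_csr = client_csr(node)     # client wiped (step 7): new key, same name
  stale = server_sign(ca_key, ca_cert, store, new_csr, 3)   # step 13: old cert comes back
  store.delete(new_csr.subject.to_s)      # puppetca --clean on the server
  fresh = server_sign(ca_key, ca_cert, store, new_csr, 4)   # CSR is now actually signed
  { first_ok: first.check_private_key(old_key),
    after_wipe_ok: stale.check_private_key(new_key),
    after_clean_ok: fresh.check_private_key(new_key) }
end
```

The middle result is the mismatch the client keeps reporting even when the server is unreachable: it is a property of the key/cert pair already cached on the client, not of the connection.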