Hello,
We recently re-deployed puppet certificates in our environment. I
removed and regenerated the certificates for all of the clients save for
one: the puppetmaster server itself.
As one might expect, when I run puppetd --test on the puppetmaster
server, I get:
err: Could not request certificate: Retrieved certificate does not match
private key; please remove certificate from server and regenerate it
with the current key
I removed /var/lib/puppet/ssl/certs/<puppetmaster_fqdn>.pem, then ran
puppetd with --waitforcert <puppetmaster_fqdn>. Unfortunately, when I
run a puppetca --list --all, <puppetmaster_fqdn> is not listed, even
though there is very clearly a request pem in
/var/lib/puppet/ssl/certificate_requests.
Executing puppetca --clean <puppetmaster_fqdn> removes the private key
(as expected), but does not change the error condition. I also tried
puppetca --revoke <puppetmaster_fqdn>; no change.
I also tried removing every instance of <puppetmaster>.pem from
/var/lib/puppet/ssl/*; this also did nothing. Finally, I saw that
<puppetmaster_fqdn> was listed in only one spot:
/var/lib/puppet/ssl/ca/inventory.txt. Removing the line from this file
also does nothing (as expected).
In the archives, one solution proposed for this problem is to rm -rf
/var/lib/puppet/ssl and let puppet regenerate it all; this is fine on
the clients, I suppose, but I hesitate to do it on the puppetmaster, as
I'd rather not have to start from scratch with the certificates of all
the clients again.
I'm running puppet 0.25.5 on CentOS 5.5 x86_64.
Any ideas?
Thank you all.
--
Daniel Maher <dma AT witbe DOT net>
"The Internet is completely over." -- Prince
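The error in the post means the certificate the agent fetched back from
the master carries a different public key than the private key now in
/var/lib/puppet/ssl/private_keys. The script below is an added example,
not part of the original post and not Puppet's own tooling: it compares
the public key inside a cert with the one derived from a private key (the
check puppetd performs, done by hand with openssl), and lists every file
under an ssl directory still named after a certname, walking subdirectories
so the CA's own copy is not missed. It assumes the 0.25-era layout with
certs/, private_keys/ and ca/signed/ under the ssl directory; the
fixture directory, the certname puppet.example.com and the second
"other_key.pem" are constructed for the demonstration and correspond to
nothing on the poster's system.

```shell
#!/bin/sh
# Added example (not from the original post or from Puppet). Requires openssl.

# Emit the PEM public key held in a certificate or derived from a private key.
pubkey_pem() {
    # $1: "cert" or "key"; $2: path to the PEM file
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac
}

# SHA-256 of that public key, so two sources can be compared as plain strings.
pubkey_fingerprint() {
    pubkey_pem "$1" "$2" 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Exit 0 when the cert and the private key share a public key, 1 otherwise.
# This is the condition behind "Retrieved certificate does not match private key".
cert_matches_key() {
    # $1: certificate PEM, $2: private key PEM
    c=$(pubkey_fingerprint cert "$1")
    k=$(pubkey_fingerprint key "$2")
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Every file under the ssl dir named <certname>.pem, including the copy the CA
# keeps under ca/signed/, which a non-recursive glob on ssl/* never touches.
list_certname_files() {
    # $1: ssldir, $2: certname
    find "$1" -type f -name "$2.pem" | sort
}

# Constructed fixture (for the demo only): a fresh key/cert pair laid out the way
# a 0.25-era master keeps its own agent cert, plus a second key that cannot match.
make_fixture() {
    # $1: scratch dir, $2: certname
    ssl="$1/ssl"
    mkdir -p "$ssl/certs" "$ssl/private_keys" "$ssl/ca/signed"
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$2" -days 1 \
        -keyout "$ssl/private_keys/$2.pem" -out "$ssl/certs/$2.pem" 2>/dev/null
    cp "$ssl/certs/$2.pem" "$ssl/ca/signed/$2.pem"
    openssl genrsa -out "$1/other_key.pem" 2048 2>/dev/null
}

# Usage: sh check_puppet_cert.sh /var/lib/puppet/ssl puppet.example.com
if [ "$#" -eq 2 ]; then
    ssldir=$1
    certname=$2
    if cert_matches_key "$ssldir/certs/$certname.pem" "$ssldir/private_keys/$certname.pem"; then
        echo "cert and private key match for $certname"
    else
        echo "cert and private key DO NOT match for $certname; files still carrying that name:"
        list_certname_files "$ssldir" "$certname"
    fi
fi
```

Run it against the real ssl directory with the master's fqdn: if the pair
under certs/ and private_keys/ already disagrees, or if a stale
ca/signed/<fqdn>.pem outlives a regenerated key, the listing shows exactly
which files still carry the old identity before anything is deleted.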
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To post to this group, send email to puppet-us...@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.