On Feb 13, 10:58 am, Mukul Malhotra <smilemukul2...@gmail.com> wrote:
> Hi,
>
> I am getting the following error message after removing the SSL
> certificates from the node & server,
>
> *err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it with
> the current key*

It looks like the master is returning a signed certificate to the client that doesn't match its signing request. Specifically, it doesn't match the client's private key. I can think of a couple of ways that might happen:

A) (i) Node A issues a certificate request to the master using certname "a.mydomain.com", then
   (ii) the CA signs the request but node A's Puppet SSL private key is changed, before
   (iii) node A's Puppet agent requests a catalog

B) (i) Node B1 issues a certificate request to the master using certname "b.mydomain.com", then
   (ii) node B2 also issues a certificate request to the master using certname "b.mydomain.com", then
   (iii) the CA signs either B1's or B2's certificate (but not both, because of the certname clash), then
   (iv) nodes B1 and B2 request catalogs (one of them should give an error similar to the one you present)

Basically, the error message is pretty clear as these things go: the signed certificate returned by the master to the agent does not correspond to a certificate request signed by the agent's (current) private key. The agent doesn't need to track specific certificate requests to know this; the private key is sufficient.

My best guess about your overall problem would be that either you are triggering (A) by rebuilding client nodes without preserving their SSL private keys, or else that you are triggering (B) by having multiple nodes using the same certname (which by default is based on their hostname).

John
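
The certificate-to-key comparison described in the reply above can be reproduced with OpenSSL; this is an added example, not part of the original thread and not Puppet's own code. It rebuilds scenario (A) with a constructed throwaway CA; the function names and the file names (`old.key`, `new.key`, `node.pem`) are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example. All keys and certificates are constructed throwaway data.

# Succeeds (0) when the public key in certificate $1 belongs to private key $2,
# fails with 1 on a mismatch and 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Reproduce scenario (A) in directory $1: a CSR for a.mydomain.com is signed
# by a constructed CA, then the node's private key is regenerated.
build_scenario_a() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/ca.key" \
        -subj "/CN=Constructed test CA" -days 1 -out "$d/ca.pem" 2>/dev/null || return 2
    openssl genrsa -out "$d/old.key" 2048 2>/dev/null || return 2
    openssl req -new -key "$d/old.key" -subj "/CN=a.mydomain.com" \
        -out "$d/node.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/node.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/node.pem" 2>/dev/null || return 2
    # The rebuild: a new key replaces the one the certificate was issued for.
    openssl genrsa -out "$d/new.key" 2048 2>/dev/null || return 2
}

# Print "match" or "mismatch" for certificate $1 against private key $2.
report() {
    if cert_matches_key "$1" "$2"; then
        echo "match"
    else
        echo "mismatch"   # also printed when a file cannot be parsed
    fi
}

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT
if build_scenario_a "$workdir"; then
    echo "original key:    $(report "$workdir/node.pem" "$workdir/old.key")"
    echo "regenerated key: $(report "$workdir/node.pem" "$workdir/new.key")"
fi
```

On a real agent the two files to compare are `certs/<certname>.pem` and `private_keys/<certname>.pem` under the directory printed by `puppet agent --configprint ssldir`.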