Thanks for the valuable info, but my scenario is option (A). My question is: once SSL certificates are signed for a node, how and for what reason does the SSL private key change, and what does "preserving SSL private keys" mean?
Thanks,
mukulm

On Feb 14, 7:14 pm, jcbollinger <john.bollin...@stjude.org> wrote:
> On Feb 13, 10:58 am, Mukul Malhotra <smilemukul2...@gmail.com> wrote:
> >
> > Hi,
> >
> > I am getting the following error message as after removing the SSL
> > certificates from the node & server,
> >
> > *err: Could not request certificate: Retrieved certificate does not match
> > private key; please remove certificate from server and regenerate it with
> > the current key*
>
> It looks like the master is returning a signed certificate to the
> client that doesn't match its signing request. Specifically, it
> doesn't match the client's private key. I can think of a couple of
> ways that might happen:
>
> A)
> (i) Node A issues a certificate request to the master using certname
> "a.mydomain.com", then
> (ii) the CA signs the request but node A's Puppet SSL private key is
> changed, before
> (iii) node A's Puppet agent requests a catalog
>
> B)
> (i) Node B1 issues a certificate request to the master using
> certname "b.mydomain.com", then
> (ii) node B2 also issues a certificate request to the master using
> certname "b.mydomain.com", then
> (iii) the CA signs either B1's or B2's certificate (but not both,
> because of the certname clash), then
> (iv) nodes B1 and B2 request catalogs (one of them should give an
> error similar to the one you present)
>
> Basically, the error message is pretty clear as these things go: the
> signed certificate returned by the master to the agent does not
> correspond to a certificate request signed by the agent's (current)
> private key. The agent doesn't need to track specific certificate
> requests to know this; the private key is sufficient.
>
> My best guess about your overall problem would be that either you are
> triggering (A) by rebuilding client nodes without preserving their SSL
> private keys, or else that you are triggering (B) by having multiple
> nodes using the same certname (which by default is based on their
> hostname).
>
> John

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
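The check behind that error message, as an added example that is not part of the thread and not Puppet's own code: a Ruby script using the standard-library OpenSSL bindings (the library Puppet itself is built on) that creates a throwaway CA, signs a CSR the way a puppet master's CA does, and then reproduces both of John's scenarios. The CA, the 2048-bit key sizes, the certnames and the `cert_matches_key?` helper are all constructed for this example; nothing here contacts a real master or reads an agent's ssldir.

```ruby
# Added example (not from the thread or from Puppet): reproduce the
# "certificate does not match private key" condition with Ruby's stdlib
# OpenSSL. The CA below is a local, in-memory stand-in for the puppet CA.
require 'openssl'

ONE_YEAR = 365 * 24 * 3600

# Tiny self-signed CA, constructed for this example.
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=example-ca')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + ONE_YEAR
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# What an agent does on first run: a CSR for its certname, signed with its key.
def make_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# What the CA does: copy the public key from the CSR into a signed cert.
# The cert is therefore bound to whatever private key produced the CSR.
def sign_csr(csr, ca_key, ca_cert, serial)
  raise 'CSR signature invalid' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + ONE_YEAR
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# The agent-side check: the public key inside the retrieved cert must be the
# one derived from the private key currently on disk. Two equivalent tests,
# the OpenSSL library check and a direct comparison of the public key DER.
def cert_matches_key?(cert, key)
  cert.check_private_key(key) &&
    cert.public_key.to_der == key.public_key.to_der
end

# Scenario A: the key changes between signing and the next catalog run
# (e.g. the node is rebuilt without preserving its private key).
def scenario_a
  ca_key, ca_cert = make_ca
  original_key = OpenSSL::PKey::RSA.new(2048)
  cert = sign_csr(make_csr('a.mydomain.com', original_key), ca_key, ca_cert, 2)
  rebuilt_key = OpenSSL::PKey::RSA.new(2048) # fresh key, old cert still on the master
  { before_rebuild: cert_matches_key?(cert, original_key),
    after_rebuild:  cert_matches_key?(cert, rebuilt_key) }
end

# Scenario B: two nodes share a certname; the CA signs only B1's CSR.
def scenario_b
  ca_key, ca_cert = make_ca
  b1_key = OpenSSL::PKey::RSA.new(2048)
  b2_key = OpenSSL::PKey::RSA.new(2048)
  cert = sign_csr(make_csr('b.mydomain.com', b1_key), ca_key, ca_cert, 3)
  { b1: cert_matches_key?(cert, b1_key), b2: cert_matches_key?(cert, b2_key) }
end

if __FILE__ == $0
  p scenario_a # {:before_rebuild=>true, :after_rebuild=>false}
  p scenario_b # {:b1=>true, :b2=>false}
end
```

Run it with `ruby`; the key that produced the signed CSR passes and any other key fails, which is all the agent needs to know to print the error above. On a real agent the same comparison can be made by hand: compare the output of `openssl x509 -noout -modulus -in <cert>` against `openssl rsa -noout -modulus -in <key>` for the cert and key under the agent's ssldir. If the moduli differ, the cert the master holds was signed for a key this node no longer has, which is the (A) case; the remedy John's error text gives, removing the cert on the master and regenerating it for the current key, is the only fix, because nothing can make an already-signed cert match a different key.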