On May 20, 11:53 pm, shanghainese <niji...@gmail.com> wrote:
> I have a problem that has been bothering me for a few days.
> I installed puppet on three nodes which consist of the same kind of
> parts. One is used as puppet server and the rest two are used as puppet
> clients. Also, I synchronized the date before I installed puppet.
>
> For puppet server, I use autosign and set puppet certname as "puppet".
> For clients, I use the default configurations.
>
> One client can run puppet without any problem.
> Another client runs puppet without error the first time. But the error
> occurs from the second time.
> ---------------------------------------------------------------------------------------------
> err: Could not request certificate: Retrieved certificate does not
> match private key; please remove certificate from server and
> regenerate it with the current key
> Exiting; failed to retrieve certificate and waitforcert is disabled
> ---------------------------------------------------------------------------------------------
>
> I use command "puppetca --clean hostname" to clean the ca at puppet
> server, and use command "find /var/lib/puppet -type f -print0 |xargs
> -0r rm" to clean ssl ca at client.
>
> If I do not reboot client, I will always get 403 forbidden error.
> If I reboot client, I can run "puppetd --test" for the first time, but
> get the same error from the second time.
>
> The problems are: I use the same configuration at clients, why can one
> client run without error but another cannot? And how can I solve this
> problem?
The error you describe strongly suggests that your two client nodes are trying to use the same certname on their own SSL certificates. With a default Puppet agent configuration, the certname is the client's hostname at the time the certificate was generated. I speculate that one or both of these are true:

1) The client nodes' hostnames were left at some installation default value up through the time of their first Puppet runs. For example, they might both be named "localhost.localdomain".

or

2) One client node was created from a disk image of the other, or both were created from the same pre-built image, without assigning distinct names to each client.

If you find that the clients indeed have the same name, then I suggest starting completely fresh on the SSL front: shut down the master and agent services, wipe out Puppet's SSL directories on all of the machines, set distinct names on all the machines, then proceed as before.

John
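Before wiping SSL directories, it is worth confirming the diagnosis on the failing agent. The following POSIX shell script is an added example, not code from this thread or from Puppet: it performs the same comparison the agent does (public key inside the certificate versus public key derived from the private key) with the openssl CLI, and builds constructed demo keys so it can be run offline. The default ssldir `/var/lib/puppet/ssl` and its `certs/` and `private_keys/` layout are assumptions about a 2.x-era agent; pass your own ssldir if it differs.

```shell
#!/bin/sh
# Added example, not code from the thread: confirm the "Retrieved certificate
# does not match private key" diagnosis with openssl before wiping anything.
set -eu

# Return 0 when the public key inside CERT equals the public key derived
# from KEY, 1 otherwise. Puppet refuses to use a cert/key pair that fails
# this comparison, which is exactly the error quoted in the question.
cert_matches_key() {
    cert=$1
    key=$2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$key" -pubout | openssl sha256)
    [ "$cert_pub" = "$key_pub" ]
}

# Check a Puppet agent's own pair. The ssldir /var/lib/puppet/ssl and the
# certs/ and private_keys/ layout are assumptions about a 2.x-era agent;
# the certname defaults to the FQDN, as the answer above describes.
check_agent_pair() {
    certname=${1:-$(hostname -f)}
    ssldir=${2:-/var/lib/puppet/ssl}
    cert_matches_key "$ssldir/certs/$certname.pem" \
                     "$ssldir/private_keys/$certname.pem"
}

# Constructed demo data: two agent keys, and a certificate issued for key A
# only. Prints the temporary directory holding them.
make_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/a.key" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/b.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/a.key" -subj "/CN=agent-a.example.test" \
        -days 1 -out "$dir/a.crt" 2>/dev/null
    printf '%s\n' "$dir"
}

# Usage: sh check_pair.sh --demo   (or source the file and call check_agent_pair)
if [ "${1:-}" = "--demo" ]; then
    d=$(make_demo)
    cert_matches_key "$d/a.crt" "$d/a.key" && echo "a.crt / a.key: match"
    cert_matches_key "$d/a.crt" "$d/b.key" || echo "a.crt / b.key: MISMATCH (the agent's error case)"
    rm -rf "$d"
fi
```

A mismatch on the failing agent means its private key was regenerated after the master signed the earlier one (for example after the `find ... | xargs rm` cleanup, with the master still holding the old certificate under the same certname), which is why `puppetca --clean` on the master has to accompany any wipe on the client. Run the check on both clients: if both report their cert under the same certname, that is the duplicate-hostname situation John describes.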