On Tuesday, June 12, 2012 1:53:55 PM UTC-5, Scott Merrill wrote:
>
> I built a test client, and from the top-level Puppet Master I ran
> `puppet cert generate test.domain`. I installed the generated files
> onto the test machine. However, this test client is unable to connect
> to any of the subordinate Masters. I get the following error:
>
> Could not prepare for execution: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint: CD:2C:44:54:40:B3:8A:A1:30:73:49:95:95:12:CD:54
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certficate.
>
The agent should expect to retrieve a certificate that matches its own private key only as part of a certificate signing transaction. The error therefore suggests that the agent does not recognize that it already has a certificate, so that it issues a new CSR to the master. If the master already had a signed certificate for the client, however, then it would return that certificate instead of signing the new one (this prevents rogue nodes from hijacking existing nodes' configuration). The existing certificate would not match the private key of the client's newly-generated CSR.

> [...] The error isn't a Puppet client
> problem, because I get the same error when I run `openssl s_client
> -connect hostX.domain:8140 -status`.
>

Surely openssl does not generate an *identical* message, because the one you reported earlier contains puppet-specific bits. Do you mean that openssl's message matches some part in the middle?

You could try adding a "-cert" argument pointing specifically to the client certificate you installed. If that made the handshake succeed then it would strongly suggest that your problem is related to how or where the client cert is installed.

You could try adding a "-debug" argument. You'll get a lot of low-level stuff you probably don't need, but you should also get enough information to trace the SSL protocol steps being performed. That should show, I think, whether the client is indeed issuing a new CSR to the server.

You could check the logs on the subordinate and top-level masters. One or both should have something to say about the transaction.

John
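One way to check the condition the error reports, added here as an example and not part of the thread: compare the public key embedded in the agent's certificate with the public key derived from its private key, which is what the "does not match the agent's private key" check amounts to. It assumes openssl is on PATH; the file paths are placeholders and the demo key/certificate pair is constructed locally.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an agent certificate and
# private key belong together, and print the fingerprint Puppet reports.
# Assumes openssl on PATH. Paths passed in are placeholders chosen by the caller.

# Return 0 if the SubjectPublicKeyInfo inside CERT equals the one derived from KEY,
# 1 if they differ, 2 if either file could not be parsed.
cert_matches_key() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Print the SHA1 fingerprint in the colon-separated form Puppet shows, so it can
# be compared with what the master lists for that node.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# Build a constructed key/cert pair plus an unrelated key in a temp directory,
# so both the matching and the mismatching case can be exercised offline.
make_demo() {
    dir=$(mktemp -d)
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/agent.key" 2>/dev/null
    openssl req -new -x509 -key "$dir/agent.key" -subj "/CN=test.domain" \
        -days 1 -out "$dir/agent.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/other.key" 2>/dev/null
    echo "$dir"
}
```

Run `cert_matches_key /var/lib/puppet/ssl/certs/<node>.pem /var/lib/puppet/ssl/private_keys/<node>.pem` on the agent (paths are placeholders for your ssldir layout); a non-zero result means the installed certificate was issued for a different key than the one the agent is using.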