Hi Lee, I am also new to Puppet, and I am facing the same problem. Did you figure out how to solve it? I am starting to feel that I am hitting a wall...
Thanks,

On Tuesday, July 3, 2012 3:12:38 PM UTC+2, Leej wrote:
> So I've cracked the initial problem and I can deploy an instance and auto-configure Puppet, but I am still missing something, possibly a conceptual misunderstanding on my part.
>
> I spin up an AWS instance with:
>
>     puppet node_aws bootstrap --image ami-e1e8d395 --keyname puppet --login ubuntu \
>         --keyfile ~puppet.pem --puppetagent-certname new_certname_1 --region=eu-west-1 \
>         --type t1.micro -g webserver --server mypuppetserver.somewhere.com
>
> This fails with:
>
>     notice: Waiting for SSH response ... Done
>     notice: Installing Puppet ...
>     notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com
>     notice: No classification method selected
>     notice: Signing certificate ...
>     err: Signing certificate ... Failed
>     err: Signing certificate error: Could not render to pson: The certificate retrieved from the master does not match the agent's private key.
>     Certificate fingerprint: 35:39:B7:DD:19:0E:7A:D6:07:AE:6D:64:FF:2E:92:37
>     To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
>     On the master:
>       puppet cert clean mypuppetserver.somewhere.com
>     On the agent:
>       rm -f /home/lj/.puppet/ssl/certs/mypuppetserver.somewhere.com.pem
>       puppet agent -t
>
> However, if I sign the certificate by hand on the puppet server:
>
>     sudo puppetca -s new_certname_1
>
> my client then (eventually) will update via Puppet, so things are *almost* working, although the error is misleading.
>
> So here are my questions.
>
> 1) I obviously want to maintain a secure install, so I want to sign the certificates. Should node_aws bootstrap be signing the certificates automatically (as it seems to be attempting to do)? Is it possible to create a certificate before bootstrapping the instance so that there is a certificate ready and waiting for the client?
> 2) I don't know the IP address or have an FQDN for the instances I am spinning up. I want to put some files on my clients. In fileserver.conf I am using the cert_name to control access, e.g.
>
>     [files]
>       path /etc/puppet/files
>       allow new_certname_1
>
> I was surprised that this worked.
>
> Now here's where my conceptual understanding is failing me: since it seems every certname has to be unique (e.g. I can't just create a group controlled by the certificate name), how can I restrict access to the fileserver when provisioning new instances without manually modifying the fileserver.conf?
>
> 3) I should also ask: does a client need to be authenticated via its certificate before it will be given access to the fileserver? If so, I assume I could then just use * since the certification requirement would reject uncertified clients. Sorry, this is possibly a stupid question, but it is not clear from the documentation; if so, my second question is moot.

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/eUWoAFFgKG4J.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
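Added example (editor's illustration, not code from either poster and not an answer given in the thread): a fileserver.conf that puts the two access patterns questions 2 and 3 turn on side by side. The `allow` directive in fileserver.conf is matched against the connecting agent's certname, and it accepts exact names or a hostname pattern with a leading wildcard (`*.suffix`; a wildcard elsewhere in the name, such as `web-*`, is not a supported form). Because `--puppetagent-certname` is chosen at bootstrap time, a naming convention that ends in a per-role suffix lets new instances match an existing `allow` line without editing the file per node. The mount names, paths and certnames below are assumptions made for illustration, and the comment about `*` assumes the default auth.conf, which requires an authenticated (signed) client on the file-serving paths before fileserver.conf is consulted.

```ini
# fileserver.conf -- added example, not from the thread.
# Mount names, paths and certnames are hypothetical.

# Weak form: the "just use *" option from question 3. With the default
# auth.conf an unsigned agent is rejected before this rule is reached, so
# '*' does not open the mount to unauthenticated clients, but every node
# the master has signed (web, db, bastion, ...) can read all of these files.
[files]
  path /etc/puppet/files
  allow *

# Tighter form: bootstrap each web node with a certname that follows a
# convention, e.g.
#   --puppetagent-certname web-0001.webserver.example.internal
# and match the role with a leading-wildcard pattern. Instances bootstrapped
# with a matching certname get access without any edit to this file; nodes
# whose certname does not end in that suffix are denied.
[webfiles]
  path /etc/puppet/webfiles
  allow *.webserver.example.internal

# Exact certnames still work where one node needs files nobody else should
# see; this is the form the original post used.
[dbfiles]
  path /etc/puppet/dbfiles
  allow new_certname_1
```

The pattern only helps if the certname suffix is something an attacker cannot choose for themselves: since the certname is whatever the agent asks for in its CSR, the role suffix is only as trustworthy as the signing step. Autosigning by suffix would let any host that can reach the master claim the `webserver` role, so the certificates should still be signed (manually or by a controlled process) before the wildcard rule means anything.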