On Tue, Oct 23, 2012 at 2:24 AM, Jonathan Gazeley < jonathan.gaze...@bristol.ac.uk> wrote:
> I'm trying to generate a CA certificate that will be used on multiple
> puppet masters, accessed by round robin DNS.
>
> The individual nodes have their own hostnames and the round robin name is
> puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin domain
> name for Bristol university is historical, and a total pain).
>
> However I'm having trouble with puppet ca as follows:
>
> [jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk
> Error: puppet ca generate takes 1 argument, but you gave 0
> Error: Try 'puppet help ca generate' for usage
>

This command adds "puppet.resnet.bris.ac.uk" to the x.509 alternate names field, but Puppet is still expecting the value of the common name. If the common name is "foo.resnet.bris.ac.uk" then try the command:

sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk foo.resnet.bris.ac.uk

> [jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk
>

Did you mean to have a space between the comma and the next word here?

> Error: The certificate retrieved from the master does not match the
> agent's private key.
>

This error happens when the CSR you're trying to sign already has a signed certificate. In this scenario, Puppet does not sign the CSR and instead simply returns the already present certificate.

To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.

On the master:
puppet cert clean puppet1.resnet.bris.ac.uk

On the agent:
rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
puppet agent -t

> [jg4461@puppet1 ~]$ puppet --version
> 3.0.1
>
> Am I doing something wrong, or is something broken?
>

It doesn't seem like anything is broken beyond the normal difficulties with x.509 certificates. It just seems like there's an already existing certificate named "puppet1.resnet.bris.ac.uk".

Hope this helps,
-Jeff
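The two symptoms Jeff diagnoses above (alt names not landing on the cert, and a cert that does not belong to the agent's key) can be checked directly with openssl. This is an added shell example, not code from the thread or from Puppet; it assumes openssl is installed, and every path and host name in it is constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread. Lists the DNS alt names a PEM cert
# actually carries, and tests whether a cert belongs to a private key.
# Names under .example.test are constructed stand-ins for the thread's hosts.
set -eu

# Print the DNS entries of a certificate's subjectAltName, one per line.
cert_sans() {
  openssl x509 -in "$1" -noout -text \
    | awk '/Subject Alternative Name/ { getline; print }' \
    | tr ',' '\n' \
    | sed -n 's/.*DNS:\([^ ,]*\).*/\1/p'
}

# Exit 0 if the public key inside the cert equals the public key derived
# from the private key; a mismatch is what Puppet reports as
# "certificate ... does not match the agent's private key".
cert_matches_key() {
  cert_fp=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  key_fp=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$cert_fp" = "$key_fp" ]
}

# Build a throwaway self-signed cert: CN is the node name, SAN carries two
# round-robin names, mirroring the setup in the thread (constructed data).
make_demo_cert() {
  dir=$1
  cat > "$dir/san.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = puppet1.example.test
[v3]
subjectAltName = DNS:puppet.example.test,DNS:puppet.alt.example.test
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$dir/san.cnf" \
    -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
  # an unrelated key stands in for an agent key regenerated after the cert
  openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null
}

if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_demo_cert "$d"
  cert_sans "$d/cert.pem"
  cert_matches_key "$d/cert.pem" "$d/key.pem" && echo "key.pem matches cert"
  cert_matches_key "$d/cert.pem" "$d/other.pem" || echo "other.pem does not match"
fi
```

Run it as `sh check.sh demo`; on a real agent, point `cert_matches_key` at the files under `/var/lib/puppet/ssl/certs/` and `/var/lib/puppet/ssl/private_keys/` before deciding whether a `puppet cert clean` is warranted.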