Hello Shawn,

Am 29.11.2012 22:52, schrieb shoerner:
> Just getting my first puppet master set up and I am having a problem
> that I just do not know how to get past. For some reason, my certificate
> store keeps getting corrupted. Basically what happens is that the server
> will issue itself a valid certificate (after removing the 'bad' cert)
> and will run just fine. When I start puppetDB (I am pretty sure it
> happens around here) on the system though, running the command 'puppet
> ca list --all' on the PuppetMaster, I get the following:
> 
> Error: The certificate retrieved from the master does not match the
> agent's private key.
> Certificate fingerprint: *<fingerprint removed>*
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certificate.
> On the master:
>   puppet cert clean puppetmaster.site
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/puppetmaster.site.pem
>   puppet agent -t
> 
> Error: Try 'puppet help ca list' for usage
> 
> I have tried following said instructions which did not work at all.
> Eventually I was able to build it down to the following steps to
> regenerate the certificate store:
> # service puppetmaster stop
> # service puppetdb stop
> # service puppet stop
> # find $(puppet master --configprint ssldir) -name "$(puppet master
> --configprint certname).pem" -delete
> # rm -rf /var/lib/puppet/ssl
> # puppet master --no-daemonize --debug --verbose --trace (kill it when
> it says "starting puppet")
> # /usr/sbin/puppetdb-ssl-setup
> # service puppetmaster start
> # puppet ca list --all (lists the certs installed)
> # service puppetdb start
> # puppet ca list --all (prints error message above with new fingerprint)
> 
> The master is running Fedora 16 with Puppet 3.0.1 (along with PuppetDB
> 1.0.2 and Puppet Dashboard). I realize that the solution is only made
> more difficult by the inclusion of db and dashboard, but the project
> scope grew too quickly and resulted in attempts to combine services. I
> am out of ideas save for re-installing the service; after messing with
> this install for so long, I doubt many people here will want to support
> this decision.
Which command did you use to sign your client certificates?

In Puppet 2.7 I was using "puppetca list" and "puppetca sign
host.example.net".

So I thought that I could use "puppet ca list" and "puppet ca sign
host.example.net" in Puppet 3.0.1.

But, when the first Puppet client did a "puppet agent --test", the
puppet master created a private key for host.example.net at
"/var/lib/puppet/ssl/private_keys".

So I assume that there is a difference between "puppet ca" and "puppet
cert".

When I use "puppet cert list" and "puppet cert sign host.example.net",
no private key is created, and the commands "puppet ca list --all" and
"puppet cert list --all" work as expected.

Best regards, Dennis

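The error quoted in the original question ("The certificate retrieved from the master does not match the agent's private key") means exactly what it says: the public key inside certs/<certname>.pem no longer corresponds to private_keys/<certname>.pem in the ssldir. Before cleaning and regenerating anything, it is worth checking that directly. The script below is an added example, not code from the thread or from Puppet; it assumes only the openssl command-line tool, uses the Puppet 3 ssldir layout from the post (/var/lib/puppet/ssl/certs and /var/lib/puppet/ssl/private_keys) as a default, and generates its own throwaway keys and certificates in a temporary directory for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): test whether a certificate and a
# private key belong together by comparing their RSA moduli, which is the
# condition behind the "does not match the agent's private key" error.
# Assumes the openssl CLI is installed.

# Return 0 when the modulus in the certificate equals the one in the key,
# 1 when they differ, 2 when either file cannot be parsed.
cert_matches_key() {
    cert=$1; key=$2
    cert_mod=$(openssl x509 -noout -modulus -in "$cert" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 2
    [ -n "$cert_mod" ] && [ "$cert_mod" = "$key_mod" ]
}

# Check one Puppet certname against its ssldir. The default ssldir is the
# Puppet 3 path from the original post; pass another as the second argument.
check_puppet_cert() {
    certname=$1
    ssldir=${2:-/var/lib/puppet/ssl}
    cert_matches_key "$ssldir/certs/$certname.pem" \
                     "$ssldir/private_keys/$certname.pem"
}

# Constructed demo data: a self-signed certificate plus its private key.
gen_selfsigned() {
    cn=$1; key=$2; cert=$3
    openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$cn" -days 1 \
        -keyout "$key" -out "$cert" >/dev/null 2>&1
}

# Demo: one matching pair, then the same certificate against a fresh key,
# which is the situation a regenerated key with a stale cert produces.
demo_dir=$(mktemp -d)
gen_selfsigned puppetmaster.site "$demo_dir/good.key" "$demo_dir/good.pem"
gen_selfsigned puppetmaster.site "$demo_dir/other.key" "$demo_dir/other.pem"
for k in good other; do
    if cert_matches_key "$demo_dir/good.pem" "$demo_dir/$k.key"; then
        echo "good.pem matches $k.key"
    else
        echo "good.pem does NOT match $k.key"
    fi
done
rm -rf "$demo_dir"
```

On a real master you would run check_puppet_cert with the output of `puppet master --configprint certname`; a non-zero result before starting puppetdb versus after it narrows down which step replaced the key or the certificate, instead of wiping the whole ssldir on every attempt.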