On Wednesday, July 17, 2013 6:00:49 PM UTC+3, jcbollinger wrote:

>
>
> On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
>>
>> We are not configured to auto-sign certificates.
>>
>> Clearly, the client is making a connection to the master:
>>
>>
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>>
>> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this 
>> particular agent.   I've tried starting clean/fresh on the agent (removing 
>> /var/lib/puppet) and that has no effect.   The older clients are working 
>> just fine.
>>
>> "puppet cert list" continues to not see the inbound request from this 
>> particular agent.
>>
>
>
> Well, that at least narrows it down.  The master is not recognizing the 
> client's certificate-signing request, or is refusing to service it.  Does 
> the master already have a signed certificate for this client (or at least 
> one bearing the requested certname)?  "puppet cert list --all" should tell 
> you.
>
> If so, then there are two possibilities:
> (1) the master signed the current client's current certificate, but is 
> refusing to serve up the signed certificate.  This seems unlikely to me, 
> but it cannot be altogether discounted.
> (2) the signed certificate does not correspond to the certificate-signing 
> request currently being presented by the agent (maybe it is an old cert 
> signed for a different machine with the same name), so the master refuses 
> to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via 
> "puppet cert", then try again to connect the agent.
>
> Alternatively, is there any chance you have multiple copies of the master 
> installed?  (Maybe one via RPM and a separate one via gem?)  If that's the 
> case, then perhaps the master the agent is talking to is different from the 
> one that comes first in your shell's executable path.  That could wreak all 
> sorts of havoc, including misleading you about the relevant certs and CSRs.
>
>
> John
>
>
How do I verify if multiple copies are installed? I'm using Foreman to 
manage the puppet master on the same host, but I don't think it has caused 
any issues. I don't think #1 above is what happened to me - I've tried with 
a completely new client.
I must emphasize that apart from the CA's certificate, I'm not seeing 
anything under 'puppet cert --list --all'.
Is there any debug flag I can enable to provide debug output on the master 
for the signing process?

Y. 
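
Added example (not part of the thread, and not Puppet's or Foreman's own code): one way to triage the master's access log and separate agents that only poll for a certificate from agents whose CSR upload was logged. It assumes Puppet 3 agents submit the CSR with `PUT /<environment>/certificate_request/<certname>` and fetch the CA certificate under the certname `ca`; the certnames and the PUT lines in the sample are constructed.

```python
import re
from collections import defaultdict

# Constructed sample in the access-log format quoted in the thread.
# Certnames, addresses and the PUT lines are made up for illustration.
SAMPLE_LOG = """\
10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/agent-a.example.test? HTTP/1.1" 404 62 "-" "-"
10.101.0.10 - - [16/Jul/2013:17:25:46 -0400] "GET /production/certificate/agent-a.example.test? HTTP/1.1" 404 62 "-" "-"
10.101.0.11 - - [16/Jul/2013:17:26:01 -0400] "GET /production/certificate/agent-b.example.test? HTTP/1.1" 404 62 "-" "-"
10.101.0.11 - - [16/Jul/2013:17:26:02 -0400] "PUT /production/certificate_request/agent-b.example.test HTTP/1.1" 200 2 "-" "-"
10.101.0.11 - - [16/Jul/2013:17:28:02 -0400] "GET /production/certificate/agent-b.example.test? HTTP/1.1" 404 62 "-" "-"
10.101.0.12 - - [16/Jul/2013:17:30:00 -0400] "PUT /production/certificate_request/agent-c.example.test HTTP/1.1" 400 120 "-" "-"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) /(?P<env>[^/\s]+)/'
    r'(?P<endpoint>certificate|certificate_request)/(?P<certname>[^?\s"]+)'
    r'\??\S* HTTP/[\d.]+" (?P<status>\d{3}) '
)

def triage(log_text):
    """Return {certname: verdict} for agents that never received a certificate."""
    seen = defaultdict(lambda: {"csr": [], "cert_404": 0, "cert_ok": False})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["certname"] == "ca":  # skip other requests and CA cert fetches
            continue
        rec = seen[m["certname"]]
        if m["endpoint"] == "certificate_request" and m["method"] == "PUT":
            rec["csr"].append(int(m["status"]))      # CSR upload attempt
        elif m["endpoint"] == "certificate" and m["method"] == "GET":
            if m["status"] == "404":
                rec["cert_404"] += 1                 # no signed cert to serve
            elif m["status"] == "200":
                rec["cert_ok"] = True                # signed cert was delivered
    verdicts = {}
    for name, rec in seen.items():
        if rec["cert_ok"]:
            continue
        if not rec["csr"]:
            verdicts[name] = "no CSR upload logged"
        elif any(status >= 400 for status in rec["csr"]):
            verdicts[name] = "CSR upload rejected"
        else:
            verdicts[name] = "CSR accepted, awaiting signature"
    return verdicts

if __name__ == "__main__":
    for name, verdict in sorted(triage(SAMPLE_LOG).items()):
        print(f"{name}: {verdict}")
```

A certname reported as "no CSR upload logged" matches the symptom in this thread: repeated 404s on `/certificate/` with nothing appearing in the pending list.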
