On Monday, March 17, 2014 12:59:07 PM UTC+1, nhadie ramos wrote:
>
> Hi All,
>
> I'm trying Vagrant and Puppet. I would like to be able to launch a VM on
> VirtualBox, then call Puppet for installing packages and configuration.
> I would be using this for all developers, loaded on their local
> machine's VirtualBox.
>
> So on Vagrant I launch a machine and set the hostname to dev.mybox.com,
> then configure it to connect to my puppetmaster, e.g.
>
>     puppet agent --server puppetmaster.mybox.com --test --verbose
>
> On my puppet master, I added *.mybox.com to autosign.conf.
>
> The initial vagrant up works since there is no cert yet on the master
> for dev.mybox.com, but after I destroy the VM and launch it again
> I see the error:
>
> err: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint: 2B:E9:77:64:B7:B4:98:DD:75:8D:0F:B5:53:ED:3B:46
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
> puppet cert clean dev.mybox.com
> On the agent:
> rm -f /var/lib/puppet/ssl/certs/dev.mybox.com.pem
> puppet agent -t
>
> Is there a way to bypass this or set a fixed cert so that I can destroy and
> launch an instance using Vagrant without this issue?
> Any help would be appreciated. Thank you.
>
> Regards,
> Nhadie
>

The issue is that a cert is already present for that host. Johan's solution looks great to get around this by always reusing the same cert, instead of the VM generating a new one each time.

Another approach would be to have the agent delete a cert on the CA, so that the auto-signing works. To do this you have to authorize agents to remove certs by adding the following to the puppet master's auth.conf:

    # Allows nodes to clean up certificates of any node. This is being triggered
    # at provisioning time in kickstart to remove the old certificate, since a new
    # one is generated when the system is provisioned.
    path /certificate_status/
    auth any
    method find, save, destroy
    allow *.example.com,pe-internal-dashboard

The agent would run the following, prior to puppet running:

    PUPPETCA=puppetca.example.com
    # Ask the CA to delete this host's old certificate (-k skips TLS verification)
    curl -k -X DELETE -H "Accept: pson" https://${PUPPETCA}:8140/production/certificate_status/`hostname -f`

http://garretthoneycutt.com/index.php/Puppet#Removing_certs_during_provisioning_process

Best regards,
-g

--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
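
A check for the auth.conf rule shown in the reply above, as an added example (not part of the original message and not Puppet's own tooling): it parses legacy auth.conf stanzas and reports any certificate_status rule that lets unauthenticated or wildcard-matched clients use save or destroy. The sample config is constructed, and the host name provisioner.example.com in the tighter variant is hypothetical.

```python
import re

# Constructed sample: the stanza from the reply, then a hypothetical tighter
# variant (client cert required, destroy only, one named provisioning host).
SAMPLE_AUTH_CONF = """\
path /certificate_status/
auth any
method find, save, destroy
allow *.example.com,pe-internal-dashboard

path /certificate_status/
auth yes
method destroy
allow provisioner.example.com
"""

def parse_rules(text):
    """Split legacy auth.conf text into one dict per 'path' stanza."""
    rules = []
    for raw in text.splitlines():
        key, value = (raw.split("#", 1)[0].split(None, 1) + ["", ""])[:2]
        if key == "path":
            rules.append({"path": value.strip(), "auth": "yes", "method": [], "allow": []})
        elif rules and key in ("method", "allow"):
            rules[-1][key] += [v for v in re.split(r"[,\s]+", value) if v]
        elif rules and key == "auth":
            rules[-1]["auth"] = value.strip().lower()
    return rules

def audit(rules):
    """Return (path, finding) pairs for rules exposing certificate_status writes."""
    findings = []
    for r in rules:
        # Regex paths ('path ~ ...') are only substring-matched here.
        if "certificate_status" not in r["path"]:
            continue
        # An omitted 'method' line means every method is allowed.
        methods = set(r["method"]) or {"find", "search", "save", "destroy"}
        writes = "/".join(sorted(methods & {"save", "destroy"}))
        if writes and r["auth"] in ("any", "no", "off"):
            findings.append((r["path"], "unauthenticated requests may " + writes))
        if writes and any("*" in a for a in r["allow"]):
            findings.append((r["path"], "wildcard allow grants " + writes))
        if "save" in methods:
            findings.append((r["path"], "save can sign or revoke; DELETE needs only destroy"))
    return findings

if __name__ == "__main__":
    print(*audit(parse_rules(SAMPLE_AUTH_CONF)), sep="\n")
```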