I had this issue as well. To get around it you can pass an extra option: --certname <NAME>
This way it won't try to use your current host's FQDN as the certname (which will fail if it's already registered with the CA).

So, e.g.

puppet certificate generate treydock --certname treydock <rest of options>

On Tuesday, March 25, 2014 at 6:58:46 PM UTC-4, treydock wrote:
>
> Following the mcollective documentation [1] for adding clients to execute
> mco commands when using SSL I am getting an error executing the 'puppet
> certificate generate' command as my user account. I feel like I'm missing
> something very obvious here.
>
> $ puppet certificate generate treydock --ssldir ~/.mcollective.d/credentials --ca-location remote --ca_server puppet.<DOMAIN>
> Error: The certificate retrieved from the master does not match the agent's private key.
> Certificate fingerprint: E3:EA:FA:AD:68:53:D8:AF:DB:63:C9:2A:89:CC:68:AA:4F:B2:35:F6:9F:8C:E0:3C:3F:56:D5:1F:41:45:0D:53
> To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean login3.<DOMAIN>
> On the agent:
>   rm -f /home/treydock/.mcollective.d/credentials/certs/login3.<DOMAIN>.pem
>   puppet agent -t
>
> Error: Try 'puppet help certificate generate' for usage
>
> This happens from all my systems.
>
> The host 'login3' puppet.conf (comments removed):
>
> $ cat /etc/puppet/puppet.conf
> [main]
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>     privatekeydir = $ssldir/private_keys { group = service }
>     hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
>     autosign = $confdir/autosign.conf { mode = 664 }
>
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     default_schedules = false
>
>     report = true
>     pluginsync = true
>     masterport = 8140
>     environment = production
>     certname = login3.brazos.tamu.edu
>     server = puppet.brazos.tamu.edu
>     listen = false
>     splay = false
>     runinterval = 3600
>     noop = true
>     show_diff = true
>     configtimeout = 120
>
> Thanks
> - Trey
>
> [1] - http://docs.puppetlabs.com/mcollective/deploy/standard.html#managing-client-credentials
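
The error quoted in this thread says a certificate does not match the private key on disk. The script below is an added example, not part of the original thread or of Puppet: it checks that condition directly with openssl, assuming the ssldir layout visible above (certs/<certname>.pem and private_keys/<certname>.pem). The key material and the name login3.example.test are constructed for the demonstration.

```shell
# Added example. Layout assumed from the thread:
#   <ssldir>/certs/<certname>.pem and <ssldir>/private_keys/<certname>.pem

# Print the public key (PEM) carried by a certificate / derived from a key.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }

# check_pair SSLDIR CERTNAME
# Prints match, mismatch or missing; returns 0 only on match.
check_pair() {
    cert="$1/certs/$2.pem"
    key="$1/private_keys/$2.pem"
    if [ ! -r "$cert" ] || [ ! -r "$key" ]; then
        echo missing; return 2
    fi
    c=$(pubkey_of_cert "$cert") || c=""
    k=$(pubkey_of_key "$key") || k=""
    if [ -n "$c" ] && [ "$c" = "$k" ]; then
        echo match; return 0
    fi
    echo mismatch; return 1
}

# make_demo_ssldir DIR: constructed sample data. Throwaway keys; self-signed
# certificates stand in for CA-issued ones; login3.example.test is made up.
make_demo_ssldir() {
    mkdir -p "$1/certs" "$1/private_keys"
    # treydock: key and certificate generated together, so they match.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=treydock" \
        -keyout "$1/private_keys/treydock.pem" \
        -out "$1/certs/treydock.pem" 2>/dev/null
    # login3.example.test: certificate issued for one key, a different key
    # on disk. This is the state the error in the thread reports.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=login3.example.test" -keyout "$1/unused.key" \
        -out "$1/certs/login3.example.test.pem" 2>/dev/null
    openssl genrsa -out "$1/private_keys/login3.example.test.pem" 2048 2>/dev/null
}

demo() {
    d=$(mktemp -d)
    make_demo_ssldir "$d"
    for n in treydock login3.example.test nosuchname; do
        printf '%s: %s\n' "$n" "$(check_pair "$d" "$n")"
    done
    rm -rf "$d"
}
demo
```

Against a real credentials directory the call would be check_pair ~/.mcollective.d/credentials treydock, run after generating with --certname treydock.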