Re: [Puppet Users] second run of puppetd creates a new SSL key

Tue, 12 May 2015 11:48:35 -0700 

On 5/12/15 10:48 AM, Ed Deloye wrote:

We recently upgraded puppet to 2.7.26 with the puppetmaster running
CentOS 6.6.

Building a new RHEL5 system using kickstart, after the first reboot
puppetd runs and creates a new SSL key which is autosigned by the
puppetmaster. At the completion of the puppetd run the system reboots.
When puppetd starts again it creates another new SSL key and then it
cannot communicate with the puppetmaster:

messages from /var/log/messages:

May 12 13:24:29 lwsgb008 puppetd[3488]: Creating a new SSL key for
lwsgb008.internal.rfmd.com
May 12 13:24:29 lwsgb008 puppetd[3488]: Caching certificate for ca
May 12 13:24:29 lwsgb008 puppetd[3488]: Caching certificate for
lwsgb008.internal.rfmd.com
May 12 13:24:29 lwsgb008 puppetd[3488]: Expiring the certificate cache
of lwsgb008.internal.rfmd.com
May 12 13:24:29 lwsgb008 puppetd[3488]: Removing file
Puppet::SSL::Certificate lwsgb008.internal.rfmd.com at
'/var/puppet/ssl/certs/lwsgb008.internal.rfmd.com.pem'
May 12 13:24:29 lwsgb008 puppetd[3488]: Retrieved certificate does not
match private key
May 12 13:24:30 lwsgb008 puppetd[3488]: Creating a new SSL certificate
request for lwsgb008.internal.rfmd.com
May 12 13:24:30 lwsgb008 puppetd[3488]: Could not request certificate:
Error 400 on SERVER: lwsgb008.internal.rfmd.com already has a signed
certificate; ignoring certificate request

Has anyone seen this behavior?
I've run into roughly the same scenario. I would run a find for the cert suspecting that you'll find it two places. My guess is that the defaults in your Puppet package are changing due to an upgrade of the agent. Or a change in the puppet.conf between runs. In my case the initial run was using /home/someuser/.puppet/ and then moving to /var/lib/puppet/ssl/ on the second run. Or it might have been the reverse. 

Ramin

--
You received this message because you are subscribed to the Google Groups "Puppet 
Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/55524AE8.9000109%40badapple.net.
For more options, visit https://groups.google.com/d/optout.

Reply via email to