Hi all, I have seen this behaviour and I am not sure of why it is happening.
There's a node that is using Puppet normally:

May 20 20:58:18 node1dot90 puppet-agent[50057]: Finished catalog run in 41.90 seconds

Then Puppet was restarted, and after the restart the agent noticed that the FQDN had changed (from node1dot90 to node1dot90.myvpn.com). Therefore, it tried to recreate its cert:

May 20 20:58:26 node1dot90 puppet-agent[24886]: Caught TERM; calling stop
May 20 20:58:27 node1dot90 puppet-agent[62421]: Reopening log files
May 20 20:58:27 node1dot90 puppet-agent[62415]: Creating a new SSL key for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Creating a new SSL certificate request for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Certificate Request fingerprint (SHA256): BF:72:B6:08:C8:48:D3:3F:C8:E4:7C:E8:D0:CD:60:97:A1:2F:DE:3A:4C:C3:5C:61:25:FE:A4:53:79:D2:C1:54
May 20 20:58:28 node1dot90 puppet-agent[62415]: Caching certificate for node1dot90.myvpn.com

The Puppetmaster signed the cert:

May 20 20:58:28 ms1dot90 puppet-master[45608]: node1dot90.myvpn.com has a waiting certificate request
May 20 20:58:28 ms1dot90 puppet-master[45608]: Signed certificate request for node1dot90.myvpn.com
May 20 20:58:28 ms1dot90 puppet-master[45608]: Removing file Puppet::SSL::CertificateRequest node1dot90.myvpn.com at '/var/lib/puppet/ssl/ca/requests/node1dot90.myvpn.com.pem'

But then the agent failed because the certificate did not match:

May 20 20:58:28 node1dot90 puppet-agent[62415]: Sleeping for 14 seconds (splay is enabled)
May 20 20:58:28 node1dot90 puppet-agent[62421]: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
May 20 20:58:28 node1dot90 puppet-agent[62421]: Certificate fingerprint: 82:B5:A1:4E:51:69:8B:3B:7D:09:4D:02:79:93:37:CE:53:B0:EA:95:83:AD:0D:13:17:EE:95:81:31:20:9F:76
May 20 20:58:28 node1dot90 puppet-agent[62421]: To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
May 20 20:58:28 node1dot90 puppet-agent[62421]: On the master:
May 20 20:58:28 node1dot90 puppet-agent[62421]: puppet cert clean node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62421]: On the agent:
May 20 20:58:28 node1dot90 puppet-agent[62421]: rm -f /var/lib/puppet/ssl/certs/node1dot90.myvpn.com.pem
May 20 20:58:28 node1dot90 puppet-agent[62421]: puppet agent -t

How is that possible? If the Puppetmaster signed the certificate one second before there should be no mismatch, right?

Thanks!
Cesar.
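
An added example, not part of the original post: a small Python check over the agent lines quoted above that reports when the process logging the key mismatch has a different PID from the one that logged creating the SSL key. It only surfaces what the log lines themselves show and does not confirm a cause; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Agent-side log lines copied from the post above (abridged).
SAMPLE_LOG = """\
May 20 20:58:27 node1dot90 puppet-agent[62415]: Creating a new SSL key for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Creating a new SSL certificate request for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Caching certificate for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62421]: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) "
    r"(?P<prog>[\w-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
KEYGEN_RE = re.compile(r"^Creating a new SSL key for (\S+)$")
MISMATCH = "does not match the agent's private key"


def parse(log_text):
    """Yield (host, prog, pid, msg) for each well-formed syslog line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:  # skip wrapped or truncated lines instead of failing
            yield m["host"], m["prog"], int(m["pid"]), m["msg"]


def cross_pid_mismatches(log_text):
    """Return (host, keygen_pids, mismatch_pid) where the process reporting
    a key/cert mismatch is not one that logged creating a key."""
    keygen = defaultdict(set)  # host -> PIDs that logged key creation
    findings = []
    for host, prog, pid, msg in parse(log_text):
        if prog != "puppet-agent":
            continue
        if KEYGEN_RE.match(msg):
            keygen[host].add(pid)
        elif MISMATCH in msg and keygen[host] and pid not in keygen[host]:
            findings.append((host, sorted(keygen[host]), pid))
    return findings


if __name__ == "__main__":
    for host, creators, reporter in cross_pid_mismatches(SAMPLE_LOG):
        print(f"{host}: key created by PID {creators}, "
              f"mismatch reported by PID {reporter}")
```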