Hi Guys,
Hopefully one of you have a splendid idea on how to solve this...
The problem is that I'm getting this error message a lot (to much is more
like it):
*Error: Could not request certificate: The certificate retrieved from the
master does not match the agent's private key.Certificate fingerprint:
FINGERPRINT*
*To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a
certficate.On the master: puppet cert clean SERVERNAMEOn the agent: 1a.
On most platforms: find C:/ProgramData/PuppetLabs/puppet/etc/ssl -name
SERVERNAME.pem -delete 1b. On Windows: del
"C:/ProgramData/PuppetLabs/puppet/etc/ssl/SERVERNAME" /f 2. puppet agent
-t*
Some characteristics:
This is on newly provisioned hosts (provisioned from Foreman)
The machinses is running Windows Server of different flavours
Puppet Agent version is 3.8.7 (upgrade to a 4 release is in the pipe)
We have two VmWare clusters and this occurs on both (the checkbox for time
sync with hardware host is NOT checked)
I actually had this problem from start, but back then it was so seldomly
occuring so I decided to live with it, say it occured like 1/20 or so
machines. But now it has escalated and it is rather 1/20 that got a working
certificate from start, actually when starting to banging my head against
the wall again yesterday I had two machines working, after adding an extra
timesync in the provisioning workflow, but that was shortlived happiness as
I've made 3 more machines after that with no success.
So my first suspects on this was time and change of "security context", but
I think they're of the hook for the moment as I'm pretty confident in that
my time is right and that I to my knowledge have stayed in the same
security context.
To make sure that I got the time right I have this runing under the
oobeSystem step in my provisioning workflow :
*powershell.exe -noprofile -executionpolicy bypass -command "&
{Start-Service W32Time -ErrorAction SilentlyContinue; .\w32tm.exe /resync}"*
After installing chocolatey and the puppet agent the agent phones home like
this (command composed from how this is done in the Linux half of our
department):
*powershell.exe -noprofile -executionpolicy bypass -command " & {&
'C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat' agent -o --tags
no_such_tag --no-daemonize}"*
The user loging on and running the commands are the local administrator
account, to be extra thorough I logged on as that account trying to run a
*puppet
agent -t *after the host is built, just to be sure there was no logon
account related stuff going on, but no difference.
Following the steps in the error message, generating a new certificate,
ofcourse works, but we can all see the inconvinience of dowing that
constantly on newly provisioned hosts, right?
I think that sums things up quite good, as said I've been baning my head
against this, while not ignoring it, could still be something fishy going
on on the puppetmaster that is not managed by me, but me colleauges in the
linux neighborhood don't ecperience this so it is seemingly something to do
with the Windows hosts.
Cheers,
Fredrik
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/56a91341-3509-403a-8eb7-e88d903eb02f%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
