Just deployed a new puppet 6.0 client / server setup and getting the 
classic CSR signing issue (see details below). Please help clarify my 
understanding so I can troubleshoot this (I'm sure there's a quick fix for 
this) :

N.B. The usual "remove the SSL dir on the client and clean the cert on the 
server" is NOT working.

So I think this is what happens :

1. The agent creates an SSL cert and sends it to the master to be signed - 
a Certificate Signing Request (CSR).

2. The master signs the cert with its own CA and the key of the agent.

3. The signed cert is returned to the agent which compares the keys to 
ensure they match.

It would seem that somehow the key being returned is mangled and doesn't 
match so is rejected by the agent.

This happens from the very first attempt to join an agent to the master and 
I am at a loss of how to fix this.

Here is the request from the agent to the master :

==> /var/log/puppetlabs/puppetserver/puppetserver-access.log <==
10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET 
/puppet-ca/v1/certificate/andy-puppet6-test.london.company.com HTTP/1.1" 
404 65 "-" "Puppet/6.0.0 Ruby/2.5.1-p57 (x86_64-linux)" 3
10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET 
/puppet-ca/v1/certificate_request/andy-puppet6-test.london.company.com 
HTTP/1.1" 200 1622 "-" "Puppet/6.0.0 Ruby/2.5.1-p57 (x86_64-linux)" 3

And here is the output from the agent :

# puppet agent --test --noop
Info: Creating a new SSL key for andy-puppet6-test.london.company.com
Info: Downloaded certificate for ca from puppet
Error: Could not request certificate: The CSR retrieved from the master 
does not match the agent's public key.
CSR fingerprint: 
9A:16:DA:95:9C:FB:90:89:78:EB:01:86:21:B0:24:E1:B0:66:80:43:ED:58:0B:A5:08:9C:24:60:C8:DE:F5:13
CSR public key: Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)

Agent public key: Public-Key: (4096 bit)
Modulus:
Exponent: 65537 (0x10001)

To fix this, remove the CSR from both the master and the agent and then 
start a puppet run, which will automatically regenerate a CSR.
On the master:
  puppet cert clean andy-puppet6-test.london.company.com
On the agent:
  1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name 
andy-puppet6-test.london.company.com.pem -delete
  1b. On Windows: del 
"\etc\puppetlabs\puppet\ssl\certs\andy-puppet6-test.london.company.com.pem" 
/f
  2. puppet agent -t

So the big question is this : what exactly is the CSR public key and what 
exactly is the agent public key and why should they match ?

Any help would be most greatly appreciated !

Thanks very much.
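
The following is an added example, not part of the original post and not Puppet's own code: it shows what "CSR public key" and "agent public key" mean by building a CSR from one key and comparing it with a different local key, using Ruby's standard OpenSSL bindings. The certname, the 2048-bit key size and the stale-CSR scenario are assumptions made for illustration, and the fingerprint here is computed over the public key only.

```ruby
require 'openssl'

CERTNAME = 'agent01.example.test' # constructed name, not taken from the post

# Build a CSR: subject + public key, signed with the matching private key.
def build_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Colon-separated SHA256 over the DER-encoded public key.
def spki_fingerprint(pkey)
  der = pkey.public_key.to_der
  OpenSSL::Digest::SHA256.hexdigest(der).upcase.scan(/../).join(':')
end

# Compare the key embedded in a CSR with the key pair held locally.
def check_csr(csr, agent_key)
  {
    self_signed_ok: csr.verify(csr.public_key), # CSR is internally consistent
    csr_key: spki_fingerprint(csr.public_key),
    agent_key: spki_fingerprint(agent_key),
    match: csr.public_key.to_der == agent_key.public_key.to_der
  }
end

# Assumed scenario: the CA still holds a CSR made from an older key,
# while the agent has since generated a new key pair.
def demo
  old_key   = OpenSSL::PKey::RSA.new(2048)
  stale_csr = build_csr(CERTNAME, old_key)
  new_key   = OpenSSL::PKey::RSA.new(2048)
  fetched   = OpenSSL::X509::Request.new(stale_csr.to_pem) # as if downloaded
  {
    stale: check_csr(fetched, new_key),
    fresh: check_csr(build_csr(CERTNAME, new_key), new_key)
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each do |label, r|
    puts "#{label}: match=#{r[:match]} self_signed_ok=#{r[:self_signed_ok]}"
  end
end
```

A stale CSR is still validly self-signed, so only the comparison against the local key reveals that it belongs to a different key pair.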