Puppet users - Dec 2012 - puppet ca list --all ERROR

I have just installed a puppet master 3.0.1 under Debian 6.0 Squeeze.

As soon as I have installed puppet ca list --all works ok:

# puppet ca list --all
+ master1.domain  (SHA256)
AB:E1:EE:F5:9C:C7:F5:4F:37:76:A0:AB:93:60:9A:E9:69:58:12:A6:37:4E:29:CD:7C:B7:A1:07:80:3B:13:47

and I "puppet agent -t" from self mater1.domain and all worked ok.

The signature of the first node showed the certificate ( I had not seen this at
previous puppet versions).

# puppet ca list
  agent1.domain  (MD5) F9:88:19:CF:82:84:AD:AE:F8:EC:0B:A3:04:E8:65:CC

# puppet ca sign agent1.domain
Signed certificate request for agent1.domain
Removing file Puppet::SSL::CertificateRequest agent1.domain at
''/var/lib/puppet/ssl/ca/requests/agent1.domain.pem''
"-----BEGIN
CERTIFICATE-----\nMIID2TCCAcGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw\nZXQgQ0E6IGN1dHRlci5yb290d2F5LmNvbTAeFw0xMjEyMDUyMTA2MTdaFw0xNzEy\nMDUyMTA2MTdaMB4xHDAaBgNVBAMME3Rlc3Rhd3Mucm9vdHdheS5jb20wgZ8wDQYJ\nKoZIhvcNAQEBBQADgY0AMIGJAoGBALggbp23HqJJvloI7WHH/EMMBj1W5JS3ctNn\n82Z66HTnwe6pbNw4l654nNJWsdxgIc6Bia23DoQejUmNrQ9nKN+63JK7lXQ//88k\nt19ixI6dMst/p1B7LGUBH1CE542/5MifU70+mOIdTfUzRTra9C0CuoyAh6LeLPNj\nu7Ov6d5jAgMBAAGjgZswgZgwDAYDVR0TAQH/BAIwADA3BglghkgBhvhCAQ0EKhYo\nUHVwcGV0IFJ1YnkvT3BlblNTTCBJbnRlcm5hbCBDZXJ0aWZpY2F0ZTAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0OBBYEFEqIAYrvXq1/SB4SCcvqQ/xkbtFQMCAGA1UdJQEB\n/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAdmDO\n5N4pq73lu6FLagVBwDFgw0813EHj1uBodkYtm7Lg3PaxLhTepn+gZF4vXQbLJTO3\njCpAxj3jsuiuGiYUscV2VGnRBVX5LrFdugg1R14XfSHmBSin8YhhkdKD8F8xP/Pl\ncNCRVOOl8+as+SjvtXpF/5EoAxsEi/aBRET/HM3EEPPEweeRuT5S6R1XSRSGUX7g\nQpSQw1D3M12FYYHTbWSA8kQX6B/KCgeHTzHsPPEbqtS2fsfFHzKYvLNzbf2IAvJL\ncAobf+IQkqgdNTehTftx/DWRkahIGN7Joaza19e45z8f
IsqOROx74HaZTxZN7WDu\ns+7XrNt0kvsaVcW/ro/8chheIpeHXkrerPPcZA+ToPR3uN+O/OFkzxVbFMcCYwKr\nag1GgnWRH8TSMatMbqeqJjsUGaEDxaYG+7UigUEzvSvohalNC18yKHnX+hhB9QF0\nDr2fSvYbF8TCTEqckZC4O3JNYLqqV7n2dZ5eo/e/9d/MYzzfRUSyWtL05yCY6II5\nAuD3X1ZvzWUJUY1tVmqO7PyzV/LwBxB/25sfXVKyn0pffkP0WtkycgQtarRxLmLw\nibIbZg7QunADecve+nTk/3KMAwbBRRaoO2wVEdcm0BqLDvRGRNcR+P4kjz0eZ/FQ\nHLyd1G25T/bdL9RFkqXVXHMAQOf8PKT1jNdZBm0=\n-----END
CERTIFICATE-----\n"


After that I was unable to list --all again:

# puppet ca list --all
Error: The certificate retrieved from the master does not match the
agent''s private key.
Certificate fingerprint:
47:86:DF:83:53:A3:14:AB:C6:9B:B6:2A:30:A3:61:DB:DC:17:7A:40:CA:AC:33:12:BB:67:07:9F:2A:77:DA:CF
To fix this, remove the certificate from both the master and the agent and then
start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean master1.domain
On the agent:
  rm -f /var/lib/puppet/ssl/certs/master1.domain.pem
  puppet agent -t

I have complete remove /var/lib/puppet/ssl and recreate all certificates with
THE SAME steps and error.

Suggestions?

---
Rodolfo Pilas
http://www.pilas.net
@ysidorito

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

Following my previous message, do you think that the problem may be:

puppet master:
# puppet -V
3.0.1


puppet agent:
# puppet -V
0.25.4



I am testing a 3 version of master with my old deploy of agents.


---
Rodolfo Pilas
http://www.pilas.net
@ysidorito


El jueves, 6 diciembre 2012 a las 20:17 , Rodolfo Pilas escribió:
>  
> I have just installed a puppet master 3.0.1 under Debian 6.0 Squeeze.
>  
> As soon as I have installed puppet ca list --all works ok:
>  
> # puppet ca list --all
> + master1.domain  (SHA256)
AB:E1:EE:F5:9C:C7:F5:4F:37:76:A0:AB:93:60:9A:E9:69:58:12:A6:37:4E:29:CD:7C:B7:A1:07:80:3B:13:47
>  
> and I "puppet agent -t" from self mater1.domain and all worked
ok.
>  
> The signature of the first node showed the certificate ( I had not seen
this at previous puppet versions).
>  
> # puppet ca list
>   agent1.domain  (MD5) F9:88:19:CF:82:84:AD:AE:F8:EC:0B:A3:04:E8:65:CC
>  
> # puppet ca sign agent1.domain
> Signed certificate request for agent1.domain
> Removing file Puppet::SSL::CertificateRequest agent1.domain at
''/var/lib/puppet/ssl/ca/requests/agent1.domain.pem''
> "-----BEGIN
CERTIFICATE-----\nMIID2TCCAcGgAwIBAgIBAzANBgkqhkiG9w0BAQsFADAoMSYwJAYDVQQDDB1QdXBw\nZXQgQ0E6IGN1dHRlci5yb290d2F5LmNvbTAeFw0xMjEyMDUyMTA2MTdaFw0xNzEy\nMDUyMTA2MTdaMB4xHDAaBgNVBAMME3Rlc3Rhd3Mucm9vdHdheS5jb20wgZ8wDQYJ\nKoZIhvcNAQEBBQADgY0AMIGJAoGBALggbp23HqJJvloI7WHH/EMMBj1W5JS3ctNn\n82Z66HTnwe6pbNw4l654nNJWsdxgIc6Bia23DoQejUmNrQ9nKN+63JK7lXQ//88k\nt19ixI6dMst/p1B7LGUBH1CE542/5MifU70+mOIdTfUzRTra9C0CuoyAh6LeLPNj\nu7Ov6d5jAgMBAAGjgZswgZgwDAYDVR0TAQH/BAIwADA3BglghkgBhvhCAQ0EKhYo\nUHVwcGV0IFJ1YnkvT3BlblNTTCBJbnRlcm5hbCBDZXJ0aWZpY2F0ZTAOBgNVHQ8B\nAf8EBAMCBaAwHQYDVR0OBBYEFEqIAYrvXq1/SB4SCcvqQ/xkbtFQMCAGA1UdJQEB\n/wQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjANBgkqhkiG9w0BAQsFAAOCAgEAdmDO\n5N4pq73lu6FLagVBwDFgw0813EHj1uBodkYtm7Lg3PaxLhTepn+gZF4vXQbLJTO3\njCpAxj3jsuiuGiYUscV2VGnRBVX5LrFdugg1R14XfSHmBSin8YhhkdKD8F8xP/Pl\ncNCRVOOl8+as+SjvtXpF/5EoAxsEi/aBRET/HM3EEPPEweeRuT5S6R1XSRSGUX7g\nQpSQw1D3M12FYYHTbWSA8kQX6B/KCgeHTzHsPPEbqtS2fsfFHzKYvLNzbf2IAvJL\ncAobf+IQkqgdNTehTftx/DWRkahIGN7Joaza19e45z8fIsqOROx74HaZTxZN7WDu\ns+7XrNt0kvsaVcW/ro/8chheIpeHXkrerPPcZA+ToPR3uN+O/OFkzxVbFMcCYwKr\nag1GgnWRH8TSMatMbqeqJjsUGaEDxaYG+7UigUEzvSvohalNC18yKHnX+hhB9QF0\nDr2fSvYbF8TCTEqckZC4O3JNYLqqV7n2dZ5eo/e/9d/MYzzfRUSyWtL05yCY6II5\nAuD3X1ZvzWUJUY1tVmqO7PyzV/LwBxB/25sfXVKyn0pffkP0WtkycgQtarRxLmLw\nibIbZg7QunADecve+nTk/3KMAwbBRRaoO2wVEdcm0BqLDvRGRNcR+P4kjz0eZ/FQ\nHLyd1G25T/bdL9RFkqXVXHMAQOf8PKT1jNdZBm0=\n-----END
CERTIFICATE-----\n"
>  
>  
> After that I was unable to list --all again:
>  
> # puppet ca list --all
> Error: The certificate retrieved from the master does not match the
agent''s private key.
> Certificate fingerprint:
47:86:DF:83:53:A3:14:AB:C6:9B:B6:2A:30:A3:61:DB:DC:17:7A:40:CA:AC:33:12:BB:67:07:9F:2A:77:DA:CF
> To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean master1.domain
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/master1.domain.pem
>   puppet agent -t
>  
> I have complete remove /var/lib/puppet/ssl and recreate all certificates
with THE SAME steps and error.
>  
> Suggestions?
>  
> ---
> Rodolfo Pilas
> http://www.pilas.net
> @ysidorito
>  
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.