On Apr 5, 2007, at 7:32 AM, frank.proessdorf@ibb.de wrote:
>
> I noticed a behaviour which is kind of confusing. I have the  
> puppetmasterd running. Now I want a new client to connect. I edit  
> the site.pp and add the client. When the client is started I can  
> see it with puppetca --list. So I sign the client. When it next  
> tries to connect it shows:
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> notice: Host unknown.example.com has a waiting certificate request
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> info: Not replacing existing request from unknown.example.com
> notice: Allowing ::ffff:192.168.x.y(::ffff:192.168.x.y) untrusted  
> access to CA methods
> info: Retrieving existing certificate for unknown.example.com
> err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y)  
> cannot call puppetmaster.getconfig
> err: Unauthenticated client ::ffff:192.168.x.y(::ffff:192.168.x.y)  
> cannot call puppetmaster.getconfig
>
> Then I make a puppetca --clean <client_cert>. After that I restart  
> the client and suddenly it works:
> debug: Overriding ::ffff:192.168.x.y with cert name  
> unknown.example.com
> debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted  
> access to puppetmaster.getconfig
> debug: Our client is remote
> notice: Reloading files
> debug: importing ''client.pp''
> info: Parsed manifest in 0.20 seconds
> info: Found unknown in /etc/puppet/manifests/site.pp
> notice: Compiled configuration for unknown.example.com in 0.24 seconds
> debug: Overriding ::ffff:192.168.x.y with cert name  
> unknown.example.com
> debug: Allowing unknown.example.com(::ffff:192.168.x.y) trusted  
> access to fileserver.describe
I expect if you just restarted the client, without doing --clean on  
the server, it would work.  Can you confirm that?
Both 0.22.2 and 0.22.3 have small but important bugs in the code for  
retrieving certificates and using them in a single run,  
unfortunately.  I should probably release 0.22.4 just to fix this  
problem, I guess.
  --
  The easiest way to figure the cost of living is to take your income  
and
  add ten percent.
  ---------------------------------------------------------------------
  Luke Kanies | http://reductivelabs.com | http://madstop.com