I'm trying to run both the puppetmaster and client on the same server. Starting the puppetmaster for the first time is fine, I get this:

Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Signed certificate request for prov01.den.xxx.com
Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/ca/requests/prov01.den.xxx.com.pem'
Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/certificate_requests/prov01.den.xxx.com.pem'

However, when I start the client for the first time, I get this:

Jan 28 17:39:12 s_sys@prov01.den.xxx.com puppet-agent[26404]: Reopening log files
Jan 28 17:39:13 s_sys@prov01.den.xxx.com puppet-agent[26404]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

If I remove the keys for prov01.den.xxx.com, then the server complains, because its keys are missing. What do I do?

Doug.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On Fri, Jan 28, 2011 at 9:44 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:

> I'm trying to run both the puppetmaster and client on the same server.
> Starting the puppetmaster for the first time is fine, I get this:
>
> Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Signed certificate request for prov01.den.xxx.com
> Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/ca/requests/prov01.den.xxx.com.pem'
> Jan 28 17:40:58 s_sys@prov01.den.xxx.com puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/certificate_requests/prov01.den.xxx.com.pem'
>
> However, when I start the client for the first time, I get this:
>
> Jan 28 17:39:12 s_sys@prov01.den.xxx.com puppet-agent[26404]: Reopening log files
> Jan 28 17:39:13 s_sys@prov01.den.xxx.com puppet-agent[26404]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
>
> If I remove the keys for prov01.den.xxx.com, then the server complains,
> because its keys are missing. What do I do?
>
> Doug.

It sounds like your master and your agent are using different SSL directories. If this is the case, then the master will return the certificate already signed for itself rather than issuing a new certificate from the CSR the agent is producing.

When running the agent on the same machine as the master, you have two choices:

Use the same certificate name for both the master and the agent. In this situation the master and agent should share the ssldir setting. The agent should not issue a certificate signing request and should re-use the certificates generated automatically by the master.

Use a different certificate name for the agent. In this case the agent can have its own ssldir _or_ share the ssldir with the master. In either case, the agent will generate a new CSR and the master will issue a new certificate since the names do not overlap.

Hope this helps,
--
Jeff McCune
http://www.puppetlabs.com/
Douglas Garstang
2011-Jan-28 18:11 UTC
Re: [Puppet Users] Client and Server on Same System
On Fri, Jan 28, 2011 at 9:59 AM, Jeff McCune <jeff@puppetlabs.com> wrote:

> It sounds like your master and your agent are using different SSL
> directories. If this is the case, then the master will return the
> certificate already signed for itself rather than issuing a new
> certificate from the CSR the agent is producing.
>
> When running the agent on the same machine as the master, you have two
> choices:
>
> Use the same certificate name for both the master and the agent. In
> this situation the master and agent should share the ssldir setting.
> The agent should not issue a certificate signing request and should
> re-use the certificates generated automatically by the master.
>
> Use a different certificate name for the agent. In this case the
> agent can have its own ssldir _or_ share the ssldir with the master.
> In either case, the agent will generate a new CSR and the master will
> issue a new certificate since the names do not overlap.
>
> Hope this helps,

Jeff,

I checked my puppet.conf, and yes, both the client and the server are sharing the ssl directory. I didn't realise that both took a ssldir setting, and it's only defined in the [main] section, not the [agent] section.

Still doesn't work however. I removed the /var/lib/puppet directory completely, and restarted the puppetmaster. After manually creating some directories and setting some permissions by hand because the puppetmaster barfs, it ran fine.

However, when starting the client, I get:

Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Starting Puppet client version 2.6.3
Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not retrieve catalog from remote server: certificate verify failed
Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Not using cache on failed catalog
Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not retrieve catalog; skipping run
Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not send report: certificate verify failed
Douglas Garstang
2011-Jan-28 18:23 UTC
Re: [Puppet Users] Client and Server on Same System
On Fri, Jan 28, 2011 at 10:11 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:

> Jeff,
>
> I checked my puppet.conf, and yes, both the client and the server are
> sharing the ssl directory. I didn't realise that both took a ssldir setting,
> and it's only defined in the [main] section, not the [agent] section.
>
> Still doesn't work however. I removed the /var/lib/puppet directory
> completely, and restarted the puppetmaster. After manually creating some
> directories and setting some permissions by hand because the puppetmaster
> barfs, it ran fine.
>
> However, when starting the client, I get:
>
> Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Starting Puppet client version 2.6.3
> Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not retrieve catalog from remote server: certificate verify failed
> Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Not using cache on failed catalog
> Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not retrieve catalog; skipping run
> Jan 28 18:08:07 s_sys@prov01.den.xxx.com puppet-agent[1574]: Could not send report: certificate verify failed

I also tried setting the ssldir to something else for the client. Removed /var/lib/puppet and restarted the puppetmaster. It still starts fine, but again, when starting the client I get:

Jan 28 18:21:47 s_sys@prov01.den.xxx.com puppet-master[5021]: Starting Puppet master version 2.6.3
Jan 28 18:21:55 s_sys@prov01.den.xxx.com puppet-agent[5079]: Reopening log files
Jan 28 18:21:56 s_sys@prov01.den.xxx.com puppet-agent[5079]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

I can see that the client put files in the new ssl dir when it was started. Dunno what else to do.

Doug.
Douglas Garstang
2011-Jan-28 18:33 UTC
Re: [Puppet Users] Client and Server on Same System
On Fri, Jan 28, 2011 at 10:23 AM, Douglas Garstang <doug.garstang@gmail.com> wrote:

> I also tried setting the ssldir to something else for the client. Removed
> /var/lib/puppet and restarted the puppetmaster. It still starts fine, but
> again, when starting the client I get:
>
> Jan 28 18:21:47 s_sys@prov01.den.xxx.com puppet-master[5021]: Starting Puppet master version 2.6.3
> Jan 28 18:21:55 s_sys@prov01.den.xxx.com puppet-agent[5079]: Reopening log files
> Jan 28 18:21:56 s_sys@prov01.den.xxx.com puppet-agent[5079]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
>
> I can see that the client put files in the new ssl dir when it was started.
> Dunno what else to do.
>
> Doug.

Ugh. Not it works. *!*