I have a problem that has bothered me for a few days. I installed puppet on three nodes which consist of the same kind of parts. One is used as puppet server and the other two are used as puppet clients. Also, I synchronized the date before I installed puppet. For puppet server, I use autosign and set puppet certname as "puppet". For clients, I use the default configurations.

One client can run puppet without any problem. Another client runs puppet without error the first time, but the error occurs from the second time on:

---------------------------------------------------------------------------------------------
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled
---------------------------------------------------------------------------------------------

I use the command "puppetca --clean hostname" to clean the CA at the puppet server, and the command "find /var/lib/puppet -type f -print0 |xargs -0r rm" to clean the SSL CA at the client.

If I do not reboot the client, I always get a 403 forbidden error. If I reboot the client, I can run "puppetd --test" the first time, but get the same error from the second time on.

The problems are: I use the same configuration at the clients, so why can one client run without error but another cannot? And how can I solve this problem?

Thank you.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On May 20, 11:53 pm, shanghainese <niji...@gmail.com> wrote:

The error you describe strongly suggests that your two client nodes are trying to use the same certname on their own SSL certificates. With a default Puppet agent configuration, the certname is the client's hostname at the time the certificate was generated. I speculate that one or both of these are true:

1) The client nodes' hostnames were left at some installation default value up through the time of their first Puppet runs. For example, they might both be named "localhost.localdomain".

or

2) One client node was created from a disk image of the other, or both were created from the same pre-built image, without assigning distinct names to each client.

If you find that the clients indeed have the same name, then I suggest starting completely fresh on the SSL front: shut down the master and agent services, wipe out Puppet's SSL directories on all of the machines, set distinct names on all the machines, then proceed as before.

John
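The failure John describes, modelled as an added Go example (not code from the thread or from Puppet): two agents whose hostnames collapse to the same certname ask an autosigning master for a certificate, the master already holds a certificate for that name bound to the first agent's key, and the second agent's check that the retrieved certificate carries its own public key fails, which is the "does not match private key" condition in the original post. The toy CA, the one-certificate-per-certname store and the hostnames are constructed assumptions, not Puppet's actual implementation.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Toy autosigning CA, constructed for this example: a signing key and an issuer name.
var caKey, _ = rsa.GenerateKey(rand.Reader, 2048)
var caName = &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Puppet CA"}}

// autosign issues a certificate whose CN is certname and whose public key is the one in the request.
func autosign(certname string, pub *rsa.PublicKey, serial int64) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: certname},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caName, pub, caKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}

// certMatchesKey is the agent-side check behind "Retrieved certificate does not match private key".
func certMatchesKey(cert *x509.Certificate, key *rsa.PrivateKey) bool {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	return ok && pub.Equal(&key.PublicKey) // the cert must carry the public half of the agent's own key
}

// simulate runs two agents against a master that keeps one signed certificate per certname and
// returns it to anyone asking under that name. It reports whether each agent's cert matches its key.
func simulate(name1, name2 string) (bool, bool) {
	key1, _ := rsa.GenerateKey(rand.Reader, 2048) // each agent generates its own private key locally
	key2, _ := rsa.GenerateKey(rand.Reader, 2048)
	issued := map[string]*x509.Certificate{} // the master's store of signed certificates, keyed by certname
	for i, req := range []struct{ name string; key *rsa.PrivateKey }{{name1, key1}, {name2, key2}} {
		if _, taken := issued[req.name]; !taken { // a later request under an already-signed name is not re-signed
			issued[req.name] = autosign(req.name, &req.key.PublicKey, int64(i+2))
		}
	}
	return certMatchesKey(issued[name1], key1), certMatchesKey(issued[name2], key2)
}
```

With both agents named "localhost.localdomain" the first agent's certificate matches and the second agent's does not; with distinct FQDNs both match.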
Thank you for your reply. I figured it out. Because I had not set the FQDN, when the clients accessed the server, more than one certificate was generated for each client. One of the clients could not generate the second certificate successfully, which caused the error. Now I have set the FQDN, only one certificate is generated for each client, and the error is fixed.

On Mon, May 21, 2012 at 10:24 PM, jcbollinger <John.Bollinger@stjude.org> wrote: