felix
2012-May-22 15:44 UTC
[Puppet Users] Puppet master does not list certificate request
This seems to be fairly common, and I've tried master clean and client remove, and even tried removing all master / client ssl files and restarted the puppetmaster.

Both client/server are running 2.7.14.

I did have master running 2.6.4 the first time I tried and I DID get the certificates recognized. I ran into a problem and decided it was best that they were all running the same version.

But now, despite removing ssl/, it is still ignoring me.

The client sees:

    sudo puppet agent --test server='blah.blah.com'
    [sudo] password for crucial:
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

The master sees:

    puppet master version 2.7.14
    err: Removing mount files: /etc/puppet/files does not exist
    info: access[^/catalog/([^/]+)$]: allowing 'method' find
    info: access[^/catalog/([^/]+)$]: allowing $1 access
    info: access[/certificate_revocation_list/ca]: allowing 'method' find
    info: access[/certificate_revocation_list/ca]: allowing * access
    info: access[/report]: allowing 'method' save
    info: access[/report]: allowing * access
    info: access[/file]: allowing * access
    info: access[/certificate/ca]: adding authentication no
    info: access[/certificate/ca]: allowing 'method' find
    info: access[/certificate/ca]: allowing * access
    info: access[/certificate/]: adding authentication no
    info: access[/certificate/]: allowing 'method' find
    info: access[/certificate/]: allowing * access
    info: access[/certificate_request]: adding authentication no
    info: access[/certificate_request]: allowing 'method' find
    info: access[/certificate_request]: allowing 'method' save
    info: access[/certificate_request]: allowing * access
    info: access[/]: adding authentication any
    info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
    info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
    info: Could not find certificate for 'crucial-systems.com'
    info: Could not find certificate for 'crucial-systems.com'
    info: Could not find certificate for 'crucial-systems.com'

But there are no certs waiting to be signed:

    sudo puppet cert --list

I've tried generating manually on master:

    sudo puppet cert generate crucial-systems.com

which interestingly enough says:

    notice: crucial-systems.com has a waiting certificate request
    notice: Signed certificate request for crucial-systems.com
    notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/ca/requests/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/certificate_requests/crucial-systems.com.pem'

as though there was something waiting there.

The client now fails because the certificate does not match:

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for crucial-systems.com
    err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 7F:7C:65:E6:4B:46:92:BC:47:09:6D:60:F5:EE:96:57
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean crucial-systems.com
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem
      puppet agent -t

    Exiting; failed to retrieve certificate and waitforcert is disabled

Try doing what I'm told and remove the master (the one just generated) and the local files:

    # master
    sudo puppet cert clean crucial-systems.com
    notice: Revoked certificate with serial 8
    notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/ca/signed/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/certs/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::Key crucial-systems.com at '/var/lib/puppet/ssl/private_keys/crucial-systems.com.pem'

    # client
    sudo rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem

and I'm right back where I started: the master sees the request and just ignores it, never stores any certificate request.

Thanks!

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/ODbi_vxj_wIJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
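The "does not match the agent's private key" error quoted in the post above can be checked by hand by comparing the public key inside a certificate with the public half of a private key. The following is an added example, not part of the original thread; the key and certificate it tests are constructed on the fly, and the file names and the CN `agent.example.test` are assumptions.

```shell
#!/bin/sh
# Added example: decide whether an X.509 certificate belongs to a private key
# by comparing the public key embedded in each file.

# Exit status: 0 = match, 1 = mismatch, 2 = a file could not be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample material in directory $1: agent.key with a matching
# self-signed agent.crt, plus other.key, an unrelated key standing in for a
# key pair that was generated on a different host.
make_demo_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=agent.example.test" \
        -keyout "$1/agent.key" -out "$1/agent.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# Print a one-line verdict for a certificate/key pair.
report() {
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "MATCH    $1 <-> $2" ;;
        1) echo "MISMATCH $1 <-> $2" ;;
        *) echo "ERROR    cannot parse $1 or $2" ;;
    esac
    return 0
}

demo_dir=$(mktemp -d)
make_demo_material "$demo_dir" || { echo "openssl failed" >&2; exit 1; }
report "$demo_dir/agent.crt" "$demo_dir/agent.key"   # same key pair
report "$demo_dir/agent.crt" "$demo_dir/other.key"   # unrelated key
rm -rf "$demo_dir"
```

On an agent with the layout shown in the thread, the two arguments would be the node's files under /var/lib/puppet/ssl/certs/ and /var/lib/puppet/ssl/private_keys/.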
felix
2012-May-22 16:09 UTC
[Puppet Users] Re: Puppet master does not list certificate request
I've gotten it to work by removing the entire /var/lib/puppet/ssl on master and all clients. It seems quite finicky.

More SSL errors now when I try to do any connection.

On Tuesday, May 22, 2012 5:44:35 PM UTC+2, felix wrote:
> and even tried removing all master / client ssl files