Hi mate,
I use Puppet 2.6 but in this situation would run:
From puppetmaster:
  puppetca --revoke agent.foo.com
  puppetca --clean agent.foo.com
From agent:
  rm -rf /var/lib/puppet/ssl
  puppetd --waitforcert 30 --server puppetmaster -v
From puppetmaster:
  puppetca --sign agent.foo.com

On Thursday, October 4, 2012 4:14:14 AM UTC+1, mike sonero wrote:
>
> Hi All,
>
> I apologize for what I'm sure is a very boneheaded question, but I'm
> stuck. I have a number of puppet agents all talking to the same master.
> Things worked great until at some point one of the agents stopped talking
> to the master - I'm not sure why that happened. I decided to wipe its key
> from the master and "start fresh". Unfortunately I haven't had any luck
> getting them to play nicely.
>
> The agent is running 2.7.11. The master is running 2.7.1. They can ping,
> do hostname lookups, etc to each other.
>
> When I attempt a manual update from the agent I see:
> ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> Exiting; no certificate found and waitforcert is disabled
>
> Doing a "sudo puppet cert list" on the master shows nothing pending.
> Running the server with debugging turned on shows the following:
> ubuntu@puppet:/var/lib$ sudo puppetmasterd --no-daemonize --debug
> --verbose
> ...startup...
> info: access[^/catalog/([^/]+)$]: allowing 'method' find
> info: access[^/catalog/([^/]+)$]: allowing $1 access
> info: access[^/node/([^/]+)$]: allowing 'method' find
> info: access[^/node/([^/]+)$]: allowing $1 access
> info: access[/certificate_revocation_list/ca]: allowing 'method' find
> info: access[/certificate_revocation_list/ca]: allowing * access
> info: access[/report]: allowing 'method' save
> info: access[/report]: allowing * access
> info: access[/file]: allowing * access
> info: access[/certificate/ca]: adding authentication no
> info: access[/certificate/ca]: allowing 'method' find
> info: access[/certificate/ca]: allowing * access
> info: access[/certificate/]: adding authentication no
> info: access[/certificate/]: allowing 'method' find
> info: access[/certificate/]: allowing * access
> info: access[/certificate_request]: adding authentication no
> info: access[/certificate_request]: allowing 'method' find
> info: access[/certificate_request]: allowing 'method' save
> info: access[/certificate_request]: allowing * access
> info: access[/]: adding authentication any
> info: Inserting default '/status'(auth) ACL because none were found in '/etc/puppet/auth.conf'
> info: Could not find certificate for 'agent.foo.com'
> info: Could not find certificate for 'agent.foo.com'
> info: Could not find certificate for 'agent.foo.com'
>
> I tried generating a key on the server (even though it said there was no
> pending request) with:
> cert generate agent.foo.com
>
> However, the client then reported:
> ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose
> --waitforcert 120
> err: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint: 51:E2:EC:3B:28:39:FB:24:95:38:AD:FE:D0:89:8C:93
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certficate.
> On the master:
> puppet cert clean agent.foo.com
> On the agent:
> rm -f /var/lib/puppet/ssl/certs/agent.foo.com.pem
> puppet agent -t
>
> I followed those instructions, but now am back at the beginning...
>
> If anybody has ideas on things I might try I'd really appreciate it!
> Sorry if I didn't include the right info. /var/log/syslog seemed pretty
> empty.
>
> Thanks,
> - mike
>
>
>
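
The mismatch error quoted above means the certificate the master returned carries a different public key than the one derived from the agent's private key. As an added example (not part of the original thread, and not Puppet's own code), the script below performs that comparison with openssl; the function names are hypothetical, the MD5 digest is an assumption based on the 16-byte fingerprint in the error, and the sample key and certificate are constructed.

```shell
#!/bin/sh
# Added example: does a PEM certificate belong to a given private key?

# Public key embedded in the certificate.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from the private key (RSA or any type openssl reads).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# 0 = certificate matches key, 1 = mismatch, 2 = a file could not be read.
cert_matches_key() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Colon-separated MD5 fingerprint, for comparing against the value printed
# in the agent's error (assumption: that value is an MD5 digest).
cert_md5_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 2>/dev/null | sed 's/^.*=//'
}

# Constructed sample data: a throwaway key with a self-signed certificate,
# plus a second, unrelated key, written into directory $1.
make_demo_files() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=agent.foo.com" \
        -keyout "$1/agent.key" -out "$1/agent.crt" 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null
}

# Usage: sh check_cert.sh CERT.pem KEY.pem
if [ "$#" -eq 2 ]; then
    rc=0; cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "OK: certificate matches private key ($(cert_md5_fingerprint "$1"))" ;;
        1) echo "MISMATCH: certificate was issued for a different key" ;;
        *) echo "ERROR: could not read certificate or key" ;;
    esac
    exit "$rc"
fi
```

On an agent, the certificate path is the one shown in the error text; the private key is assumed to sit under /var/lib/puppet/ssl/private_keys/ in Puppet's default layout, which the thread itself does not show.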