This is me trying to get my puppetmaster to work also as a client.
It used to work, then I cleaned out all the certs by accident. -_-

I can't find anything in the list about exactly this issue. Help,
please?

$ puppetd -tv
warning: peer certificate won't be verified in this SSL session
err: Could not request certificate: Certificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.
$ puppetca --clean chain.digitalkingdom.org
Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
$ puppetca --list
No certificates to sign
$ puppetd -tv
warning: peer certificate won't be verified in this SSL session
notice: Did not receive certificate
notice: Set to run 'one time'; exiting with no certificate
$ puppetca --list
chain.digitalkingdom.org
$ puppetca --sign chain.digitalkingdom.org
Signed chain.digitalkingdom.org
$ puppetca --list
No certificates to sign
$ puppetd -tv
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
err: Could not request certificate: Certificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.

-Robin

--
They say: "The first AIs will be built by the military as weapons."
And I'm thinking: "Does it even occur to you to try for something
other than the default outcome?" See http://shrunklink.com/cdiz
http://www.digitalkingdom.org/~rlpowell/ *** http://www.lojban.org/

--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en
-~----------~----~----~----~------~----~------~--~---
matt.adams@cypressinteractive.com
2009-Aug-12 08:04 UTC
[Puppet Users] Re: Key signing problem.
Thank you for your message. I am out of the office until August 17th and will respond after I return. Thank you!
This happens a lot for me. For the Ubuntu distro this happens when I don't run via root/puppet. Usually it's because the current user doesn't have access to the certificates. Try a sudo puppetd --test or sudo puppetd -tv if you wish. I'm guessing that it's your case too. I get the same error when running without sudo (or init scripts), and though I recreate the certificate nothing happens.

Silviu

On Wed, 12 Aug 2009 01:03:02 -0700, Robin Lee Powell <rlpowell@digitalkingdom.org> wrote:
> This is me trying to get my puppetmaster to work also as a client.
> It used to work, then I cleaned out all the certs by accident. -_-
>
> I can't find anything in the list about exactly this issue. Help,
> please?
>
> $ puppetd -tv
> warning: peer certificate won't be verified in this SSL session
> err: Could not request certificate: Certificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.
> $ puppetca --clean chain.digitalkingdom.org
> Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
> $ puppetca --list
> No certificates to sign
> $ puppetd -tv
> warning: peer certificate won't be verified in this SSL session
> notice: Did not receive certificate
> notice: Set to run 'one time'; exiting with no certificate
> $ puppetca --list
> chain.digitalkingdom.org
> $ puppetca --sign chain.digitalkingdom.org
> Signed chain.digitalkingdom.org
> $ puppetca --list
> No certificates to sign
> $ puppetd -tv
> warning: peer certificate won't be verified in this SSL session
> info: Creating a new SSL key at /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
> err: Could not request certificate: Certificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.
>
> -Robin
Everything I pasted was being run as root; I was logged in as root at the time.

Oh, and: it gets better. I stopped the puppetmaster, and now can't start it:

$ puppetca --clean chain.digitalkingdom.org
Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
$ puppetca --clean chain.digitalkingdom.org
Could not find client certificate or request for chain.digitalkingdom.org
$ /etc/init.d/puppetmaster start
Starting puppet configuration management tool master serverCertificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.
failed!
$ puppetca --clean chain.digitalkingdom.org
Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem

-Robin

On Wed, Aug 12, 2009 at 05:06:36PM +0300, Silviu Paragina wrote:
> This happens a lot for me. For the Ubuntu distro this happens when
> I don't run via root/puppet. Usually it's because the current user
> doesn't have access to the certificates. Try a sudo puppetd --test
> or sudo puppetd -tv if you wish. I'm guessing that it's your case
> too. I get the same error when running without sudo (or init
> scripts), and though I recreate the certificate nothing happens.
>
> Silviu
FWIW, the following seems to have fixed it:

mv /var/lib/puppet/ssl /var/tmp
mkdir /var/lib/puppet/ssl
chmod 700 /var/lib/puppet/ssl
/etc/init.d/puppetmaster start

I also had to move the ssl dir for all the clients, and re-sign things.

-Robin

On Wed, Aug 12, 2009 at 10:07:30AM -0700, Robin Lee Powell wrote:
> Everything I pasted was being run as root; I was logged in as root
> at the time.
>
> Oh, and: it gets better. I stopped the puppetmaster, and now can't
> start it:
>
> $ puppetca --clean chain.digitalkingdom.org
> Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
> $ puppetca --clean chain.digitalkingdom.org
> Could not find client certificate or request for chain.digitalkingdom.org
> $ /etc/init.d/puppetmaster start
> Starting puppet configuration management tool master serverCertificate does not match private key. Try 'puppetca --clean chain.digitalkingdom.org' on the server.
> failed!
> $ puppetca --clean chain.digitalkingdom.org
> Removing /var/lib/puppet/ssl/ca/signed/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/public_keys/chain.digitalkingdom.org.pem
> Removing /var/lib/puppet/ssl/private_keys/chain.digitalkingdom.org.pem
>
> -Robin
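
The "Certificate does not match private key" condition from this thread can be checked directly before an ssl directory is moved aside. This is an added example, not code from the thread or from Puppet: the function names are hypothetical, it assumes the openssl command-line tool, and it compares the public key in each certificate named after the host with the public key derived from that host's private key.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Requires the openssl command-line tool.

# Print the SHA-256 of the public key inside a private key or a certificate.
# Usage: pubkey_fp key|cert FILE   (returns 2 if FILE is not of that kind)
pubkey_fp() {
    case "$1" in
        key)  pem=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2 ;;
        cert) pem=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2 ;;
        *)    return 2 ;;
    esac
    [ -n "$pem" ] || return 2
    # Re-encode as DER so PEM line wrapping cannot affect the comparison.
    printf '%s\n' "$pem" | openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# 0 = certificate matches key, 1 = mismatch, 2 = a file could not be parsed.
cert_matches_key() {
    c=$(pubkey_fp cert "$1") || return 2
    k=$(pubkey_fp key "$2") || return 2
    [ "$c" = "$k" ]
}

# Compare every certificate named CERTNAME.pem under SSLDIR with the key in
# SSLDIR/private_keys/CERTNAME.pem. Prints MATCH/MISMATCH per certificate.
# Usage: audit_ssldir /var/lib/puppet/ssl chain.digitalkingdom.org
audit_ssldir() {
    ssldir=$1; name=$2; bad=0
    key="$ssldir/private_keys/$name.pem"
    [ -r "$key" ] || { echo "NOKEY $key"; return 2; }
    # Certnames are hostnames, so word splitting on find output is safe here.
    for f in $(find "$ssldir" -type f -name "$name.pem"); do
        rc=0
        cert_matches_key "$f" "$key" || rc=$?
        case $rc in
            0) echo "MATCH $f" ;;
            1) echo "MISMATCH $f"; bad=1 ;;
            *) : ;;   # keys, public keys and requests are not certificates
        esac
    done
    return $bad
}
```
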