Hi,

When I start puppetd on my client machine I get this message in /var/log/messages:

    Parsing /etc/puppet/puppet.conf
    reopening log files
    could not request certificate; retrieved certificate does not match private key; Please remove certificate from server and regenerate it with current key
    Could not retrieve catalog from remote server
    Using cached catalog
    Could not retrieve catalog skipping run.

Has anyone seen this and know how to solve this problem? I saw in the Puppet Dashboard that nodes were not reporting which led me to finding the above messages in the logs.

Thanks in advance for anyone's help in solving this problem.

Mike
I get that message when I rebuild a server in place. Puppetmaster is complaining that the public key it expects for your node has changed. On your puppetmaster as root, do:

    find /var/lib/puppet/ssl/ -name "$1.pem" -delete
    sed "/$1/d" /var/lib/puppet/ssl/ca/inventory.txt > /tmp/inventory.txt
    mv -f /tmp/inventory.txt /var/lib/puppet/ssl/ca/inventory.txt

where $1 is the fqdn of the node.
<Michael.Itchue@ocfl.net>
2011-Jan-06 16:34 UTC
RE: [Puppet Users] Certificate / Private Key Mismatch
Hi Adam,

Thanks for the information. I will give this a try.

Mike
Daniel Pittman
2011-Jan-06 17:48 UTC
Re: [Puppet Users] Certificate / Private Key Mismatch
On Thu, Jan 6, 2011 at 08:29, Adam Heinz <amh@metricwise.net> wrote:
> I get that message when I rebuild a server in place. Puppetmaster is
> complaining that the public key it expects for your node has changed.
> On your puppetmaster as root, do:
>
> find /var/lib/puppet/ssl/ -name "$1.pem" -delete
> sed "/$1/d" /var/lib/puppet/ssl/ca/inventory.txt > /tmp/inventory.txt
> mv -f /tmp/inventory.txt /var/lib/puppet/ssl/ca/inventory.txt
>
> where $1 is the fqdn of the node.

A better way to do this is to use the Puppet CA application:

    ] puppet cert --clean $1 # $1 is the node name, as before

(on older releases, puppetca --clean)

That does pretty much the same thing, but does the right locking and everything else. Plus, if you suddenly need to start doing something more on the node Puppet Labs will update that application to do it, while the DIY version means you need to know what goes on inside our CA. :)

Regards,
Daniel
<Michael.Itchue@ocfl.net>
2011-Jan-06 18:33 UTC
RE: [Puppet Users] Certificate / Private Key Mismatch
Hi Adam,

This process seemed to work as far as keys go. However, when I restarted the puppetd client now I get a message in the log that states:

    Starting puppet client version 2.6.4
    Could not retrieve catalog from remote server; hostname was not a match with the server certificate.

Any ideas?

Thanks,
Mike
On Thu, Jan 6, 2011 at 12:48 PM, Daniel Pittman <daniel@rimspace.net> wrote:
> A better way to do this is to use the Puppet CA application:
>
> ] puppet cert --clean $1 # $1 is the node name, as before
>
> (on older releases, puppetca --clean)
>
> That does pretty much the same thing, but does the right locking and
> everything else. Plus, if you suddenly need to start doing something
> more on the node puppet labs will update that application to do it,
> while the DIY version means you need to know what goes on inside our
> CA. :)

Thanks for the tip. I don't know why I didn't think to check if puppetca had that facility -- I call puppetca --sign just a couple lines below that in my bootstrap script. X-D
On Thu, Jan 6, 2011 at 1:33 PM, <Michael.Itchue@ocfl.net> wrote:
> This process seemed to work as far as keys go. However, when I
> restarted the puppetd client now I get a message
> In the log that states:
> Starting puppet client version 2.6.4
> Could not retrieve catalog from remote server; hostname was not a match
> with the server certificate. Any ideas?

When I paste your error message into Google, I get...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573416
<Michael.Itchue@ocfl.net>
2011-Jan-07 15:23 UTC
RE: [Puppet Users] Certificate / Private Key Mismatch
Hi Adam,

Thanks for the link. I actually figured out the problem yesterday as being a name resolution issue. Sort of exactly what the Google bug article indicated.

Mike
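
Added example, not part of the thread or of Puppet: the two checks behind the errors discussed above, written as shell functions around openssl and run on constructed throwaway files. The first compares the public key in a certificate with the one derived from a private key (the "does not match private key" case after a rebuild); the second tests whether a name is covered by a certificate (the "hostname was not a match" case). The file names, host names and helper function names are assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread). All names and files are constructed.

# True when CERT's public key is the one belonging to private KEY.
cert_matches_key() {            # usage: cert_matches_key CERT.pem KEY.pem
    cert_pub=$(openssl x509 -in "$1" -pubkey -noout) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# True when NAME is covered by CERT (subjectAltName, else subject CN).
cert_covers_host() {            # usage: cert_covers_host CERT.pem NAME
    openssl x509 -in "$1" -noout -checkhost "$2" |
        grep -q 'does match certificate'
}

# Build throwaway material: a self-signed cert with its key, plus a second
# key standing in for the one a rebuilt node generates.
make_demo_pki() {
    demo_dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=puppet.example.test" \
        -keyout "$demo_dir/old_key.pem" -out "$demo_dir/cert.pem" \
        2>/dev/null || return 1
    openssl genrsa -out "$demo_dir/new_key.pem" 2048 2>/dev/null
}

report() {                      # usage: report LABEL COMMAND [ARGS...]
    label=$1; shift
    if "$@"; then echo "$label: ok"; else echo "$label: MISMATCH"; fi
}

make_demo_pki || exit 1
report "cert vs original key" cert_matches_key "$demo_dir/cert.pem" "$demo_dir/old_key.pem"
report "cert vs rebuilt-node key" cert_matches_key "$demo_dir/cert.pem" "$demo_dir/new_key.pem"
report "name puppet.example.test" cert_covers_host "$demo_dir/cert.pem" puppet.example.test
report "name puppet" cert_covers_host "$demo_dir/cert.pem" puppet
rm -rf "$demo_dir"
```

On a real agent the inputs would be the node's certificate and private key from its Puppet ssldir, and the name would be whatever the agent uses to reach the master.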