Hello list,

I am having a problem with one of my puppet clients contacting the puppet server. All of my puppet nodes are working with the current manifest (such as it is, until I get a chance to develop it a little more).

The server I am having issues with had to be re-provisioned. Once I did I started getting this message:

[root@LCENT01:~] #puppetd --test --waitforcert 15
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

So I rm'd the contents of the ssl directory on this client:

[root@LCENT01:~] #rm -rf /var/lib/ssl/*

Then I went to the puppet server and issued a puppetca --clean:

[root@virtcent13:~] #puppetca --clean LCENT01.summitnjhome.com
LCENT01.summitnjhome.com

The puppet server responds with the name of the host indicating that it has already been cleaned. The server name I used for the clean directive matches the fqdn of the host I am attempting to re-add to the puppet server's cert list.

[root@LCENT01:~] #facter | grep fqdn
fqdn => LCENT01.summitnjhome.com

AFAIK the puppetca --clean command should have taken care of this error. Can someone out there recommend the next steps to resolving this error?

Thanks!!!

--
GPG me!!

gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Hi,

from afar, it's hard to tell what your specific problem is.

Has your puppetmaster generated a new CSR for the machine? Maybe you have to sign the new certificate; the master still stores a valid, signed certificate for the machine, but the client has no use for it. You need to convince your master to sign a new certificate (for which the client actually has the private key).

From the helptext:

clean: Remove all files related to a host from puppet cert's storage. This is useful when rebuilding hosts, since new certificate signing requests will only be honored if puppet cert does not have a copy of a signed certificate for that host. The certificate of the host remains valid. If '--all' is specified then all host certificates, both signed and unsigned, will be removed.

Be mindful of the fact that the signed certificate remains valid (until replaced?)

HTH,
Felix

On 02/14/2011 04:34 AM, Tim Dunphy wrote:
> Hello list,
>
> I am having a problem with one of my puppet clients contacting the
> puppet server. All of my puppet nodes are working with the current
> manifest (such as it is, until I get a chance to develop it a little
> more).
>
> The server I am having issues with had to be re-provisioned. Once I
> did I started getting this message:
>
> [root@LCENT01:~] #puppetd --test --waitforcert 15
> err: Could not request certificate: Retrieved certificate does not
> match private key; please remove certificate from server and
> regenerate it with the current key
>
> So I rm'd the contents of the ssl directory on this client:
>
> [root@LCENT01:~] #rm -rf /var/lib/ssl/*
>
> Then I went to the puppet server and issued a puppetca --clean:
>
> [root@virtcent13:~] #puppetca --clean LCENT01.summitnjhome.com
> LCENT01.summitnjhome.com
>
> The puppet server responds with the name of the host indicating that
> it has already been cleaned.
>
> The server name I used for the clean directive matches the fqdn of the
> host I am attempting to re-add to the puppet server's cert list.
>
> [root@LCENT01:~] #facter | grep fqdn
> fqdn => LCENT01.summitnjhome.com
>
> AFAIK the puppetca --clean command should have taken care of this
> error. Can someone out there recommend the next steps to resolving
> this error?
>
> Thanks!!!
On Feb 14, 2011, at 8:43 AM, Felix Frank wrote:
> Hi,
>
> from afar, it's hard to tell what your specific problem is.
>
> Has your puppetmaster generated a new CSR for the machine? Maybe you
> have to sign the new certificate; the master still stores a valid,
> signed certificate for the machine, but the client has no use for it.
> You need to convince your master to sign a new certificate (for which
> the client actually has the private key).
>
> From the helptext:
> clean: Remove all files related to a host from puppet cert's
> storage. This is useful when rebuilding hosts, since new
> certificate signing requests will only be honored if puppet
> cert does not have a copy of a signed certificate for that
> host. The certificate of the host remains valid. If '--all'
> is specified then all host certificates, both signed and
> unsigned, will be removed.
>
> Be mindful of the fact that the signed certificate remains valid (until
> replaced?)

Actually, they remain valid almost forever (I think it's usually 10 years) unless revoked. Just replacing the certificate doesn't make the signature less valid. The only way for a certificate to stop working, if you don't change the root certificate, is to revoke it and have certificate revocation lists working.

In 2.6.x I think certificates are revoked when cleaned, but I'm not sure. I know 0.25.x doesn't.
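The two points the thread turns on can be reproduced with plain openssl: the "Retrieved certificate does not match private key" condition from the original post is simply a certificate whose embedded public key no longer corresponds to the key on the rebuilt host, and, as the last reply notes, a superseded certificate keeps verifying against the CA until it is revoked and the verifier actually checks a CRL. The script below is an added example, not code from the thread or from Puppet; it builds a throwaway CA in a temp directory, issues a client certificate, swaps in a fresh key, and shows each check. The CA layout, config sections, the hostname `lcent01.example.test` and all file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): reproduce the
# "certificate does not match private key" condition with a throwaway CA and
# show that a superseded client certificate stays valid until revoked.
# All paths, names and the CA layout below are constructed for this demo.
set -eu

# Return 0 when the public key inside CERT equals the public key derived from
# KEY. This is the comparison behind puppetd's mismatch error.
cert_matches_key() {
    cert="$1"; key="$2"
    c=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    k=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$c" = "$k" ]
}

# Create a minimal CA (self-signed root, empty index, serial 01) and print its dir.
make_demo_ca() {
    dir=$(mktemp -d)
    cat > "$dir/ca.cnf" <<EOF
[ req ]
distinguished_name = empty_dn
x509_extensions    = v3_ca
[ empty_dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir           = $dir
database      = $dir/index.txt
new_certs_dir = $dir
serial        = $dir/serial
certificate   = $dir/ca.crt
private_key   = $dir/ca.key
default_md    = sha256
default_days  = 365
policy        = any_cn
[ any_cn ]
commonName = supplied
EOF
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    openssl req -x509 -config "$dir/ca.cnf" -newkey rsa:2048 -nodes -sha256 \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" -days 365 \
        -subj "/CN=Demo Puppet CA" >/dev/null 2>&1
    echo "$dir"
}

# issue_cert DIR CN KEY OUT: build a CSR from KEY and have the demo CA sign it.
issue_cert() {
    dir="$1"; cn="$2"; key="$3"; out="$4"
    openssl req -new -config "$dir/ca.cnf" -key "$key" -subj "/CN=$cn" \
        -out "$out.csr" 2>/dev/null
    openssl ca -batch -config "$dir/ca.cnf" -in "$out.csr" -out "$out" \
        -notext >/dev/null 2>&1
}

# revoke_cert DIR CERT: mark CERT revoked in the CA database and emit a fresh CRL.
revoke_cert() {
    dir="$1"; cert="$2"
    openssl ca -config "$dir/ca.cnf" -revoke "$cert" >/dev/null 2>&1
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays 30 -out "$dir/crl.pem" >/dev/null 2>&1
}

# Return 0 when CERT chains to the demo CA and, if a CRL exists, is not on it.
cert_is_trusted() {
    dir="$1"; cert="$2"
    if [ -f "$dir/crl.pem" ]; then
        cat "$dir/ca.crt" "$dir/crl.pem" > "$dir/bundle.pem"
        openssl verify -crl_check -CAfile "$dir/bundle.pem" "$cert" >/dev/null 2>&1
    else
        openssl verify -CAfile "$dir/ca.crt" "$cert" >/dev/null 2>&1
    fi
}

# Walk the re-provisioning scenario; returns 0 only if every step behaves as the
# thread describes. The hostname is constructed, not the poster's FQDN.
run_scenario() {
    dir=$(make_demo_ca)
    host="lcent01.example.test"
    openssl genrsa -out "$dir/old.key" 2048 2>/dev/null
    issue_cert "$dir" "$host" "$dir/old.key" "$dir/old.crt"
    # Host is rebuilt: new private key, but the CA still holds/serves old.crt.
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null

    cert_matches_key "$dir/old.crt" "$dir/old.key" || return 1
    cert_matches_key "$dir/old.crt" "$dir/new.key" && return 1
    echo "old.crt vs new.key: mismatch (the error the client reports)"

    cert_is_trusted "$dir" "$dir/old.crt" || return 1
    echo "old.crt still verifies: generating a new key did not invalidate it"

    revoke_cert "$dir" "$dir/old.crt"
    cert_is_trusted "$dir" "$dir/old.crt" && return 1
    echo "old.crt rejected only after revocation and a CRL-checking verify"

    rm -rf "$dir"
    return 0
}

run_scenario
```

The useful habit here is the last step: when a host is rebuilt, check not only that the server will sign the new CSR but that the old certificate has actually been revoked and that whatever terminates the connection (the master, or a front-end proxy doing the TLS) is configured to check the CRL; otherwise the old key, if it was copied off the decommissioned machine, still authenticates as that node.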