I have an RHE host that is managed by puppet. Somehow it got the wrong host name in the rhn/systemid file which seemed to override everything else.

I fixed this and rebooted the box and it came back with the correct host name which it got via dhcp.

I removed the /etc/puppet/ssl directory on the client and did a puppetca --clean <old name> on the server.

But now when I run puppetd I get:

[rful011@mon225044 ~]$ sudo /usr/sbin/puppetd --test
info: Creating a new SSL key for mon225044.insec.auckland.ac.nz
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for mon225044.insec.auckland.ac.nz
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

It would really help if these messages stated explicitly which keys and certs don't match. I have gone through the /ssl dir with find looking for anything related to the old host name but failed to find anything.

Suggestions on what to try next?

Russell

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

Hi Russell,

On the client, verify that the ssl dir is set to /etc/puppet/ssl (check puppet.conf). Remove the ssl dir contents.

On server, do a 'find' on the old/new hostname in the ssl dir. Remove any file match.

On the client, run puppet --waitforcert 60 --server ....

Should clear those issues. Sounds like you might have ssl in the var lib dir maybe?

Cheers
Den

On 08/03/2011, at 11:29, "russell.fulton" <russell.fulton@gmail.com> wrote:
> I have an RHE host that is managed by puppet. Somehow it got the
> wrong host name in the rhn/systemid file which seemed to override
> everything else.
>
> I fixed this and rebooted the box and it came back with the correct
> host name which it got via dhcp.
>
> I removed the /etc/puppet/ssl directory on the client and did a
> puppetca --clean <old name> on the server.
>
> But now when I run puppetd I get:
>
> [rful011@mon225044 ~]$ sudo /usr/sbin/puppetd --test
> info: Creating a new SSL key for mon225044.insec.auckland.ac.nz
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for ca
> warning: peer certificate won't be verified in this SSL session
> info: Caching certificate for mon225044.insec.auckland.ac.nz
> err: Could not request certificate: Retrieved certificate does not
> match private key; please remove certificate from server and
> regenerate it with the current key
>
> It would really help if these messages stated explicitly which
> keys and certs don't match. I have gone through the /ssl dir with
> find looking for anything related to the old host name but failed to
> find anything.
>
> Suggestions on what to try next?
>
> Russell

On Mar 9, 12:03 am, Denmat <tu2bg...@gmail.com> wrote:
> Hi Russell,
>
> On the client, verify that the ssl dir is set to /etc/puppet/ssl (check puppet.conf). Remove the ssl dir contents.
>
> On server, do a 'find' on the old/new hostname in the ssl dir. Remove any file match.
>
> On the client, run puppet --waitforcert 60 --server ....
>
> Should clear those issues. Sounds like you might have ssl in the var lib dir maybe?
>

I had already done exactly that :)

For the record what bit me this time was that I was not talking to the puppet server I thought I was. Sigh... so the third thing you need to do in this sort of situation is make sure you know which server is being addressed.

The problem was in /etc/resolv.conf -- at one time a bad search path got pushed out which changed what "puppet" resolved to. This was months ago and I went around and fixed this by hand but I clearly missed this box which was not in active service. Last week that changed and I started pulling my hair out. :)

In the end I ran tcpdump and found out what was going on. One thing that would help in situations like this is a bit more verbose output with --test including which server you are connecting to.

After getting it talking to the right server I still did not get the cert request popping up on the server until I did a sudo rm -r /etc/puppet/*

I *had* removed ssl/ dir.. Who knows :)

Anyway, hopefully this ramble may prove useful to anybody else googling for certificate problems....
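
Added example (not part of the original thread, and not Puppet's own code): the two checks this thread turned on, in shell. candidates lists, in resolver order, the names an unqualified server name such as "puppet" expands to under a resolv.conf search path, and cert_matches_key reports whether a certificate belongs to a private key. The function names and the sample resolv.conf are constructed for illustration; cert_matches_key assumes openssl is installed.

```shell
#!/bin/sh
# candidates NAME [RESOLV_CONF]: print, in resolver order, the names that
# NAME expands to under the search/domain/ndots settings of RESOLV_CONF.
candidates() {
    awk -v name="$1" '
        # search and domain replace each other; the last directive wins
        $1 == "search"  { n = 0; for (i = 2; i <= NF; i++) dom[++n] = $i }
        $1 == "domain"  { n = 1; dom[1] = $2 }
        $1 == "options" { for (i = 2; i <= NF; i++) if ($i ~ /^ndots:[0-9]+$/) { ndots = substr($i, 7) + 0; have = 1 } }
        END {
            if (!have) ndots = 1                     # resolver default
            if (name ~ /\.$/) { print name; exit }   # trailing dot: absolute
            dots = gsub(/\./, ".", name)             # count the dots in NAME
            if (dots >= ndots) print name            # tried as-is first
            for (i = 1; i <= n; i++) print name "." dom[i]
            if (dots < ndots) print name             # tried as-is last
        }' "${2:-/etc/resolv.conf}"
}

# cert_matches_key CERT KEY: succeed only if the public key inside CERT is
# the one derived from private key KEY (returns 2 if openssl cannot read one).
cert_matches_key() {
    c=$(openssl x509 -in "$1" -noout -pubkey) || return 2
    k=$(openssl pkey -in "$2" -pubout) || return 2
    [ "$c" = "$k" ]
}

# Constructed sample: a stale search domain listed ahead of the right one,
# so "puppet" is tried as puppet.old.example.test before anything else.
sample=$(mktemp)
cat > "$sample" <<'EOF'
search old.example.test insec.example.test
nameserver 192.0.2.53
EOF
candidates puppet "$sample"
rm -f "$sample"
```

Resolve each candidate in turn (for example with getent hosts) to see which master the agent will actually reach. On the agent, the pair to compare sits under the ssl dir as certs/<certname>.pem and private_keys/<certname>.pem.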