I don't know what it is with puppet's certificates, but once again, they are behaving strangely.

Client is reporting:

debug: Using cached certificate for auth01.fre.livegamer.com
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:166:in `certificate'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:227:in `wait_for_cert'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:194:in `setup_host'
/usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:257:in `setup'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
/usr/sbin/puppetd:4
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

I:
Stopped puppet on client
Removed /var/lib/puppet on client
Cleaned certificate on server
Restarted server
Started puppet on client

and again it occurs. It doesn't happen every time, but often does after the first install of a new system. Also, puppet will be part way through its process, and then report the certificates are not valid. Performing the above steps _usually_ fixes it.

Doug.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 04/11/2011 12:20 AM, Douglas Garstang wrote:
> I don't know what it is with puppet's certificates, but once again, they
> are behaving strangely.
>
> Client is reporting:
> debug: Using cached certificate for auth01.fre.livegamer.com
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:166:in `certificate'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:227:in `wait_for_cert'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:194:in `setup_host'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:257:in `setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
> /usr/sbin/puppetd:4
> err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it
> with the current key
>
> I:
> Stopped puppet on client
> Removed /var/lib/puppet on client
> Cleaned certificate on server
> Restarted server
> Started puppet on client
>
> and again it occurs. It doesn't happen every time, but often does after
> the first install of a new system. Also, puppet will be part way through
> its process, and then report the certificates are not valid. Performing
> the above steps _usually_ fixes it.

Hi,

this sounds weird. Are you sure you're not losing the key on your agents somehow? If so, you may want to establish logging like "once an hour, dump a hash of my priv key to syslog".

You're either losing your key, or the certificates on your master get replaced somehow at some point. Which would be equally startling.

HTH,
Felix
Not sure if the book has been closed on this, but I had this problem recently on new installs.

The problem was fixed by keeping the hosts in time sync. They were 5 hours out of sync.

Not sure why this caused an issue unless there is some sort of SSL computation issue?

Your mileage may vary....

L.

On Sun, Apr 10, 2011 at 6:20 PM, Douglas Garstang <doug.garstang@gmail.com> wrote:
> I don't know what it is with puppet's certificates, but once again, they are
> behaving strangely.
> Client is reporting:
> debug: Using cached certificate for auth01.fre.livegamer.com
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:166:in `certificate'
> /usr/lib/ruby/site_ruby/1.8/puppet/ssl/host.rb:227:in `wait_for_cert'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:194:in `setup_host'
> /usr/lib/ruby/site_ruby/1.8/puppet/application/agent.rb:257:in `setup'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:393:in `exit_on_fail'
> /usr/lib/ruby/site_ruby/1.8/puppet/application.rb:286:in `run'
> /usr/sbin/puppetd:4
> err: Could not request certificate: Retrieved certificate does not match
> private key; please remove certificate from server and regenerate it with
> the current key
> I:
> Stopped puppet on client
> Removed /var/lib/puppet on client
> Cleaned certificate on server
> Restarted server
> Started puppet on client
> and again it occurs. It doesn't happen every time, but often does after the
> first install of a new system. Also, puppet will be part way through its
> process, and then report the certificates are not valid. Performing the
> above steps _usually_ fixes it.
> Doug.
Lance Reed wrote:
> Not sure if the book has been closed on this, but I had this problem
> recently on new installs.
> The problem was fixed by keeping the hosts in time sync. They were 5
> hours out of sync.
> Not sure why this caused an issue unless there is some sort of SSL
> computation issue?
>
> Your mileage may vary....

SSL relies on the time on the different hosts being in sync, otherwise it assumes certificates are invalid or bogus. It's a security feature of SSL.

Regards

James Turnbull

--
James Turnbull
Puppet Labs
1-503-734-8571
On 2011-04-18 05:48, James Turnbull wrote:
> Lance Reed wrote:
>> Not sure if the book has been closed on this, but I had this problem
>> recently on new installs.
>> The problem was fixed by keeping the hosts in time sync. They were 5
>> hours out of sync.
>> Not sure why this caused an issue unless there is some sort of SSL
>> computation issue?
>
> SSL relies on the time on the different hosts being in sync otherwise it
> assumes certificates are invalid or bogus. It's a security feature of SSL.

More specifically, a certificate is only valid within a certain period of time. If you look at the certificate using

    $ openssl x509 -in /var/lib/puppet/ssl/certs/HOSTNAME.pem -noout -text

you will find some lines saying something like:

    Validity
        Not Before: Apr  8 10:02:43 2011 GMT
        Not After : Apr  6 10:02:43 2016 GMT

When the server validates the client, it compares its own clock against those two times from the client's certificate, and if it is before the "not before" or after the "not after", it will reject the client. Likewise, when the client validates the server, it checks that the server's certificate is valid according to the client's own clock.

Thus, the client and server don't actually need to have their clocks in sync. But if you are going to use a certificate that was issued just a couple of seconds ago, it certainly helps...

In principle, a CA can antedate or postdate certificates it issues, i.e. write a date earlier or later than the issuing date in the "Not valid before" field, and thus say "it started being valid X days before I signed it" or "it doesn't become valid until Y days after I signed it", but usually they just write the exact timepoint at which they signed it. The CA built into Puppet does that.

/Bellman
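To make the two explanations above concrete (Lance's hosts being 5 hours apart, and Bellman's description of how each peer checks the Validity window against its own clock), here is an added example that is not part of the thread and not Puppet's own code. It parses the Validity block exactly as `openssl x509 -noout -text` prints it, then re-runs the peer's check with a verifier clock that is skewed by a chosen offset. The sample certificate text is constructed from the dates Bellman quoted; the function names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the Validity section as printed by
# `openssl x509 -in CERT.pem -noout -text` (openssl pads the day with a
# space, e.g. "Apr  8"). Dates are the ones quoted in the thread.
SAMPLE_X509_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Validity
            Not Before: Apr  8 10:02:43 2011 GMT
            Not After : Apr  6 10:02:43 2016 GMT
"""

# Matches "Not Before: Apr  8 10:02:43 2011 GMT" and "Not After : ..."
_VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*([A-Za-z]{3})\s+(\d{1,2})\s+"
    r"(\d{2}:\d{2}:\d{2})\s+(\d{4})\s+GMT"
)


def parse_validity(x509_text):
    """Return (not_before, not_after) as timezone-aware UTC datetimes
    parsed from the text output of `openssl x509 -text`."""
    found = {}
    for m in _VALIDITY_RE.finditer(x509_text):
        which, mon, day, hms, year = m.groups()
        stamp = "%s %d %s %s" % (mon, int(day), hms, year)
        found[which] = datetime.strptime(
            stamp, "%b %d %H:%M:%S %Y"
        ).replace(tzinfo=timezone.utc)
    if set(found) != {"Before", "After"}:
        raise ValueError("no complete Validity block in input")
    return found["Before"], found["After"]


def check_validity(not_before, not_after, verifier_now):
    """The check a peer performs using ITS OWN clock, as described in the
    thread: reject if the clock is before notBefore or after notAfter."""
    if verifier_now < not_before:
        return "not yet valid"
    if verifier_now > not_after:
        return "expired"
    return "ok"


def verify_fresh_cert(issued_at, lifetime, verifier_offset):
    """Simulate a CA that writes its signing time into Not Before (as the
    Puppet CA does, per the thread) and a verifier whose clock is
    `verifier_offset` away from the CA's clock right after issuance."""
    not_before = issued_at
    not_after = issued_at + lifetime
    verifier_now = issued_at + verifier_offset
    return check_validity(not_before, not_after, verifier_now)


def lifetime_of(x509_text):
    """Length of the certificate's validity window, for reporting."""
    nb, na = parse_validity(x509_text)
    return na - nb


if __name__ == "__main__":
    nb, na = parse_validity(SAMPLE_X509_TEXT)
    print("Not Before:", nb.isoformat(), " Not After:", na.isoformat())
    print("window length:", lifetime_of(SAMPLE_X509_TEXT))
    # A verifier 5 hours behind the CA rejects a just-issued certificate;
    # one 5 hours ahead accepts it, which is why only backward skew bites
    # on fresh installs.
    for hours in (-5, 0, 5):
        result = verify_fresh_cert(nb, na - nb, timedelta(hours=hours))
        print("verifier clock %+dh relative to CA: %s" % (hours, result))
```

Running it prints "not yet valid" for the verifier that is 5 hours behind and "ok" for the in-sync and 5-hours-ahead cases, which matches Lance's symptom: a freshly signed agent certificate is rejected until the slow clock catches up with the CA's signing time, and simply retrying later (or fixing NTP) makes the error go away.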