Hey all,

after installing the 3.0.0 version of puppet (Debian package from puppetlabs), doing the initial config, doing an initial start of master to generate the certs needed and then starting apache with passenger to control puppetmaster, I can do:

    puppet ca list --all

and get a listing of the certs in the system (initially only the master).

Afterwards, on the client node, I run:

    puppet -t -d --waitforcert 60 --server netadmin.domain.tld

The client node generates its cert and pushes to master. On master I can see the request with:

    puppet ca list

sign the request:

    puppet ca sign ns3.domain.tld

and afterwards if I do:

    puppet ca list --all

I get the following:

    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 8F:24:92:B9:89:0C:E7:04:C5:3F:B6:11:F8:13:4B:6A:9E:F4:EA:08:E7:4E:75:1B:DA:1C:A6:47:04:DB:55:81
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean netadmin.domain.tld
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/netadmin.domain.tld.pem
      puppet agent -t

    Error: Try 'puppet help ca list' for usage

Does anyone have an idea what is going on here? If not I will open a ticket.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/Gu9MWOsConUJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

here is more info:

puppet master config /etc/puppet/puppet

    [main]
    logdir=/var/log/puppet
    vardir=/var/lib/puppet
    ssldir=/var/lib/puppet/ssl
    rundir=/var/run/puppet
    factpath=$vardir/lib/facter
    templatedir=$confdir/templates

    [master]
    # These are needed when the puppetmaster is run by passenger
    # and can safely be removed if webrick is used.
    ssl_client_header = SSL_CLIENT_S_DN
    ssl_client_verify_header = SSL_CLIENT_VERIFY
    node_terminus = exec
    external_nodes = /usr/bin/env PUPPET_DASHBOARD_URL=http://localhost:8141/dashboard /usr/share/puppet-dashboard/bin/external_node
    reports = store, http
    reporturl = http://netadmin.domain.tld:8141/reports/upload

steps to reproduce on master:

    root@netadmin:/var/lib/puppet/ssl# puppet cert clean --all
    root@netadmin:/var/lib/puppet/ssl# puppet master --no-daemonize --verbose
    ......... puppetmaster startup ............ Ctrl-C to stop
    root@netadmin:/var/lib/puppet/ssl# puppet ca list --all
    + netadmin.domain.tld (SHA256) 57:9D:95:66:0C:B3:37:7C:F1:7D:B2:41:35:47:08:9F:D9:1B:9F:2C:57:F9:D1:20:3B:1B:FE:27:37:16:87:ED
    root@netadmin:/var/lib/puppet/ssl# service apache2 start
    Starting web server: apache2.

-------master end--------

-------client---------

    root@ns3:~# cd /var/lib/puppet/ssl/
    root@ns3:/var/lib/puppet/ssl# find -name *domain.tld* -delete
    root@ns3:/var/lib/puppet/ssl# puppet agent -t -d --waitforcert 60

-------client end-----

-------master----------

    root@netadmin:/var/lib/puppet/ssl# puppet ca list --all
    + netadmin.domain.tld (SHA256) 57:9D:95:66:0C:B3:37:7C:F1:7D:B2:41:35:47:08:9F:D9:1B:9F:2C:57:F9:D1:20:3B:1B:FE:27:37:16:87:ED
    root@netadmin:/var/lib/puppet/ssl# puppet ca list
    ns3.domain.tld (SHA256) 26:72:D4:3A:9C:EE:8B:73:25:1B:0C:EC:FB:BB:C9:DA:D9:FE:74:35:B5:F5:35:43:F5:91:82:FB:98:E7:3F:D8
    root@netadmin:/var/lib/puppet/ssl/ca# puppet ca sign ns3.domain.tld
    Signed certificate request for ns3.domain.tld
    Removing file Puppet::SSL::CertificateRequest ns3.domain.tld at '/var/lib/puppet/ssl/ca/requests/ns3.domain.tld.pem'
    root@netadmin:/var/lib/puppet/ssl/ca# puppet ca list --all
    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 57:9D:95:66:0C:B3:37:7C:F1:7D:B2:41:35:47:08:9F:D9:1B:9F:2C:57:F9:D1:20:3B:1B:FE:27:37:16:87:ED
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean netadmin.domain.tld
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/netadmin.domain.tld.pem
      puppet agent -t

    Error: Try 'puppet help ca list' for usage

On 15 Oct., 13:16, t00_m4d_f00 <t00_m4d_...@web.de> wrote:
> root@netadmin:/var/lib/puppet/ssl/ca# puppet ca list --all
> Error: The certificate retrieved from the master does not match the
> agent's private key.
> Certificate fingerprint: 57:9D:95:66:0C:B3:37:7C:F1:7D:B2:41:35:47:08:9F:D9:1B:9F:2C:57:F9:D1:20:3B:1B:FE:27:37:16:87:ED
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certficate.
> On the master:
>   puppet cert clean netadmin.domain.tld
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/netadmin.domain.tld.pem
>   puppet agent -t
>
> Error: Try 'puppet help ca list' for usage

sorry, the error should be:

    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: DF:D4:9A:FE:A8:B2:50:74:E3:47:15:FA:7A:D1:9E:57:06:D5:3D:9B:A5:6D:A4:82:DF:EB:E0:4E:89:FC:97:01
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean netadmin.mol-servers.de
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/netadmin.mol-servers.de.pem
      puppet agent -t

    Error: Try 'puppet help ca list' for usage

The cert fingerprint that is shown is different than the prints shown prior to signing the node cert.

Ryan Melissari
2012-Oct-24 17:05 UTC
[Puppet Users] Re: Puppet 3 and master cert error ...
I have just started installing Puppet 3 to a test environment and had the same thing happen to me. Following the instructions listed in the error didn't solve the problem either. It wasn't until I revoked the certificate and generated a new one that it started working. I believe this occurred when I accidentally ran puppet agent -t as a regular user instead of root.

I copied the commands below that fixed this error for me:

[SERVER]
# puppet cert --revoke node.test.edu
# puppet cert --clean node.test.edu

[CLIENT]
# service puppet stop
# rm -rf /var/lib/puppet/ssl
# service puppet start
# puppet agent --test

[SERVER]
# puppet cert --sign node.test.edu

[CLIENT]
# puppet agent --test

On Monday, October 15, 2012 6:20:40 AM UTC-5, t00_m4d_f00 wrote:
>
> On 15 Oct., 13:16, t00_m4d_f00 <t00_m4d_...@web.de> wrote:
> > root@netadmin:/var/lib/puppet/ssl/ca# puppet ca list --all
> > Error: The certificate retrieved from the master does not match the
> > agent's private key.
> > Certificate fingerprint: 57:9D:95:66:0C:B3:37:7C:F1:7D:B2:41:35:47:08:9F:D9:1B:9F:2C:57:F9:D1:20:3B:1B:FE:27:37:16:87:ED
> > To fix this, remove the certificate from both the master and the agent
> > and then start a puppet run, which will automatically regenerate a
> > certficate.
> > On the master:
> >   puppet cert clean netadmin.domain.tld
> > On the agent:
> >   rm -f /var/lib/puppet/ssl/certs/netadmin.domain.tld.pem
> >   puppet agent -t
> >
> > Error: Try 'puppet help ca list' for usage
>
> sorry, the error should be:
>
> Error: The certificate retrieved from the master does not match the
> agent's private key.
> Certificate fingerprint: DF:D4:9A:FE:A8:B2:50:74:E3:47:15:FA:7A:D1:9E:57:06:D5:3D:9B:A5:6D:A4:82:DF:EB:E0:4E:89:FC:97:01
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certficate.
> On the master:
>   puppet cert clean netadmin.mol-servers.de
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/netadmin.mol-servers.de.pem
>   puppet agent -t
>
> Error: Try 'puppet help ca list' for usage
>
> The cert fingerprint that is shown is different than the prints shown
> prior to signing the node cert.
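
An added example, not part of the original thread and not Puppet's own code: a check with the openssl CLI of whether a certificate was issued for a given private key, which is the condition the error above reports. The function names, the temporary files and the CN agent.example.test are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): check whether a PEM certificate
# was issued for a given private key by comparing their public keys.

# stdin: PEM public key -> stdout: SHA-256 of its DER encoding
spki_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null |
        openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 = match, 1 = mismatch, 2 = a file is missing or unparsable.
cert_matches_key() {
    cmk_cert=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    cmk_key=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cmk_cert" ] && [ -n "$cmk_key" ] || return 2
    [ "$(printf '%s\n' "$cmk_cert" | spki_digest)" = \
      "$(printf '%s\n' "$cmk_key" | spki_digest)" ]
}

# Colon-separated SHA-256 fingerprint of the certificate itself.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed sample data: one certificate and two unrelated keys.
make_demo() {
    md_dir=$(mktemp -d) || return 1
    openssl genrsa -out "$md_dir/agent.key" 2048 2>/dev/null
    openssl genrsa -out "$md_dir/other.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$md_dir/agent.key" -days 1 \
        -subj "/CN=agent.example.test" -out "$md_dir/agent.crt" 2>/dev/null
    echo "$md_dir"
}

demo=$(make_demo)
echo "fingerprint: $(cert_fingerprint "$demo/agent.crt")"
for name in agent other; do
    if cert_matches_key "$demo/agent.crt" "$demo/$name.key"; then
        echo "$name.key: certificate matches this key"
    else
        echo "$name.key: certificate does NOT match this key"
    fi
done
```

On a real node the two arguments would be the host's certificate under the ssldir's certs/ directory and its key under private_keys/, read as the same user that runs the agent.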