Hello everyone,

Just getting my first puppet master set up and I am having a problem that I just do not know how to get past. For some reason, my certificate store keeps getting corrupted. Basically what happens is that the server will issue itself a valid certificate (after removing the 'bad' cert) and will run just fine. When I start puppetDB (I am pretty sure it happens around here) on the system though, running the command 'puppet ca list --all' on the PuppetMaster, I get the following:

Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: *<fingerprint removed>*
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean puppetmaster.site
On the agent:
  rm -f /var/lib/puppet/ssl/certs/puppetmaster.site.pem
  puppet agent -t

Error: Try 'puppet help ca list' for usage

I have tried following said instructions which did not work at all. Eventually I was able to build it down to the following steps to regenerate the certificate store:

# service puppetmaster stop
# service puppetdb stop
# service puppet stop
# find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
# rm -rf /var/lib/puppet/ssl
# puppet master --no-daemonize --debug --verbose --trace   (kill it when it says "starting puppet")
# /usr/sbin/puppetdb-ssl-setup
# service puppetmaster start
# puppet ca list --all   (lists the certs installed)
# service puppetdb start
# puppet ca list --all   (prints error message above with new fingerprint)

The master is running Fedora 16 with Puppet 3.0.1 (along with PuppetDB 1.0.2 and Puppet Dashboard). I realize that the solution is only made more difficult by the inclusion of db and dashboard, but the project scope grew too quickly and resulted in attempts to combine services.

I am out of ideas save for re-installing the service; after messing with this install for so long, I doubt many people here will want to support this decision.

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/wE0GAv51uooJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
I have the same exact problem over and over and over, so I gave up on Puppet.

But maybe you can try to resolve this by checking if times are in sync? Try ntpdate on master and slave. Check date on both machines very quickly to see the time sync.

On Thursday, November 29, 2012 4:52:42 PM UTC-5, shoerner wrote:
> [...]
On Thu, Nov 29, 2012 at 2:52 PM, shoerner <shawn.hoerner@gmail.com> wrote:
> [...]

That's odd... puppetdb-ssl-setup doesn't actually modify anything in puppet's ssl directory; it should only be reading files contained in that directory and importing them into a keystore (in a completely different dir). If that script messed something up, I'd expect the issue to come up the first time you ran "puppet ca list". When you start the PuppetDB daemon, nothing in /var/lib/puppet/ssl is involved... it doesn't even look at those files.

Are the checksums of your certs and puppet config files the same before and after running puppetdb-ssl-setup, and before and after starting the puppetdb daemon? If, instead of using "service start puppet", you use the puppetdb-foreground script, does the problem persist?

deepak
Got a little further by running puppetdb-foreground. Now I can get as far as node certificate generation. Once I start the node certificate generation, I get a new certificate, but then PuppetDB blows up with "javax.net.ssl.SSLException: Received fatal alert: decrypt_error". Immediately after that, puppet ca list --all stops working as mentioned at first.

On Friday, November 30, 2012 2:30:35 PM UTC-5, Deepak Giridharagopal wrote:
> [...]
Tried this, both systems are within seconds of each other as best I can tell. Both are also synced to US NTP Pool 1.

On Friday, November 30, 2012 2:07:30 PM UTC-5, tas wrote:
> [...]
@tas: Tried this already, both times were within a few seconds of each other as best as I can tell. Additionally, both systems are synced to US NTP Time pool 1.

On Friday, November 30, 2012 2:07:30 PM UTC-5, tas wrote:
> [...]
Hello Shawn,

On 29.11.2012 22:52, shoerner wrote:
> [...]

Which command did you use to sign your client certificates?

At Puppet 2.7 I was using "puppetca list" and "puppetca sign host.example.net".

So I thought that I could use "puppet ca list" and "puppet ca sign host.example.net" at Puppet 3.0.1.

But, when the first Puppet client did a "puppet agent --test", the puppet master created a private key for host.example.net at "/var/lib/puppet/ssl/private_keys".

So I assume that there is a difference between "puppet ca" and "puppet cert".

When I use "puppet cert list" and "puppet cert sign host.example.net", there will be no private key created and the commands "puppet ca list --all" and "puppet cert list --all" are working as expected.

Best regards, Dennis
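Three checks a practitioner could run on the master for the situation in this thread, written as an added example (not code from the thread, from Puppet or from PuppetDB): the before/after checksum comparison of the ssldir that Deepak asks for, a direct test of whether the master's certificate matches its private key (the relation the error message reports), and a scan for the stray per-host private key Dennis describes. It assumes POSIX sh with coreutils, the openssl CLI for the key check, and the `puppet master --configprint` lookups from the original post; the function names and the temporary file layout are constructed for this example.

```shell
#!/bin/sh
# Diagnostics for the cert/key mismatch discussed in this thread. Added example,
# not code from the thread or from Puppet/PuppetDB. Assumes POSIX sh with
# coreutils (find, sort, sha256sum) and, for cert_matches_key, the openssl CLI.
# Paths are assumed to contain no whitespace, which holds for a Puppet ssldir.

# Digest one file as "<sha256>  <path>"; falls back to shasum where sha256sum is absent.
file_digest() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# 1. Snapshot every file under a directory (the ssldir, or /etc/puppet) so two
#    snapshots taken before and after puppetdb-ssl-setup or a service start can
#    be compared; this is the check Deepak asked for.
ssl_snapshot() {
    find "$1" -type f | LC_ALL=C sort | while IFS= read -r f; do file_digest "$f"; done
}

# Report files whose digest differs between two snapshots (added, removed, or
# changed). Returns 0 when something changed, 1 when the snapshots are identical.
snapshot_changed() {
    awk 'FILENAME == ARGV[1] { before[$2] = $1; next }
         { after[$2] = $1 }
         END {
             n = 0
             for (p in before) if (!(p in after)) { print "removed:", p; n++ }
             for (p in after) {
                 if (!(p in before)) { print "added:  ", p; n++ }
                 else if (after[p] != before[p]) { print "changed:", p; n++ }
             }
             exit (n > 0) ? 0 : 1
         }' "$1" "$2"
}

# 2. Does the public key inside a certificate equal the public half of a private
#    key? This is exactly the relation the "does not match the agent's private
#    key" error is reporting. Returns 0 on match, 1 on mismatch, 2 on parse error.
cert_matches_key() {
    cert_pub=$(openssl x509 -noout -pubkey -in "$1" 2>/dev/null) || return 2
    key_pub=$(openssl pkey -pubout -in "$2" 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# 3. On a master, private_keys/ should hold only the master's own key (the CA key
#    lives under ca/). A per-host key there is the side effect Dennis observed
#    after using "puppet ca" where "puppet cert" was meant. Returns 0 if clean.
stray_private_keys() {
    ssldir=$1; certname=$2; stray=0
    for k in "$ssldir"/private_keys/*.pem; do
        [ -e "$k" ] || continue
        name=${k##*/}; name=${name%.pem}
        if [ "$name" != "$certname" ]; then echo "unexpected private key: $k"; stray=1; fi
    done
    return $stray
}

# Run checks 2 and 3 against the running master, using the same --configprint
# lookups the original post uses. Check 1 is run manually around each step:
#   ssl_snapshot "$(puppet master --configprint ssldir)" > /tmp/before ; <step> ;
#   ssl_snapshot ... > /tmp/after ; snapshot_changed /tmp/before /tmp/after
check_master() {
    ssldir=$(puppet master --configprint ssldir)
    certname=$(puppet master --configprint certname)
    if cert_matches_key "$ssldir/certs/$certname.pem" "$ssldir/private_keys/$certname.pem"; then
        echo "master certificate matches its private key"
    else
        echo "MISMATCH: certs/$certname.pem does not belong to private_keys/$certname.pem"
    fi
    stray_private_keys "$ssldir" "$certname" && echo "no stray private keys in $ssldir/private_keys"
}
```

A changed digest for `private_keys/<certname>.pem` between two snapshots, or a `MISMATCH` line from `check_master`, is the signature of the key having been regenerated underneath the existing certificate.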
Hey Dennis,

You are right - there is a difference. Think I tried the cert list command once and dismissed it when it did not work for 'ca list' instead. Running the command 'puppet cert list --all' does indeed work as intended. Thank you!

Off to go fix puppetdb now that I have ripped the SSL configurations out of it too many times.

On Tuesday, December 4, 2012 10:50:52 AM UTC-5, Dennis Hoppe wrote:
> [...]