Hi,

I'm trying to get signing right and have come up with a weird situation.

Both master and client are running 3.6.2 (rpms from puppetlabs).

client config:

    [main]
    vardir = /var/lib/puppet
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = /var/lib/puppet/ssl
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    server = puppet-master
    ca_server = puppet-master
    report = true
    # 2 mins.
    runinterval = 120
    factpath = /etc/facter/facts.d
    pluginsync = true
    environment = production

master:

    [main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    reports = store
    environmentpath = $confdir/environments
    factpath = /etc/facter/facts.d
    storeconfigs = true
    storeconfigs_backend = puppetdb

client generates a cert fine:

    Info: Creating a new SSL key for client
    Info: Caching certificate for ca
    Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
    Info: Creating a new SSL certificate request for client
    Info: Certificate Request fingerprint (SHA256): D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50

master gets it:

    # puppet ca list
      client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50

and has signed itself:

    # puppet ca list --all
      client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
    + puppet-master (SHA256) 65:CE:54:5B:0A:93:5A:43:B4:D6:26:21:5C:99:F5:E9:3B:B3:59:98:4C:5C:84:24:A6:2D:06:C4:FC:DF:2F:A9

So I sign it:

    # puppet ca sign client
    Notice: Signed certificate request for client
    Notice: Removing file Puppet::SSL::CertificateRequest client2.squiz.local at '/var/lib/puppet/ssl/ca/requests/client.pem'
    "-----BEGIN CERTIFICATE-----\n....cert contents here....

Then the problems start:

    # puppet ca list --all
    Error: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: B5:2C:39:40:27:31:47:4F:89:A8:75:EB:8D:1C:16:B9:31:14:4D:BE:B3:DD:AB:81:0E:F4:E4:F2:73:CC:C1:B9
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.

I've double checked my configs against a separate working install (though that doesn't have puppetdb) and can't see anything obviously wrong.

I'm not sure where to start looking at this so thanks for any help.

-- 
Postgresql & php tutorials
http://www.designmagick.com/
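The check behind the "does not match the agent's private key" error can be reproduced outside Puppet. This is an added example, not part of the original post and not Puppet's own code. It assumes the printed fingerprints are SHA256 digests of each object's DER encoding, so a CSR and its certificate have different fingerprints while sharing one public key. The CA, keys and certificate are constructed sample data.

```ruby
require 'openssl'

# Colon-separated SHA256 fingerprint, the format shown in the output above.
def fingerprint(der)
  OpenSSL::Digest::SHA256.hexdigest(der).upcase.scan(/../).join(':')
end

# Digest of the public key alone: identical for a key, its CSR and its cert.
def pubkey_fingerprint(obj)
  fingerprint(obj.public_key.to_der)
end

# True when the certificate carries the public half of this private key.
def cert_matches_key?(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  cert.check_private_key(OpenSSL::PKey.read(key_pem))
end

# Everything below is constructed sample data: a throwaway CA and agent keys.
def issue(ca_key, csr)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = csr.subject
  cert.issuer = OpenSSL::X509::Name.parse('/CN=Sample CA')
  cert.public_key = csr.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

def sample
  ca_key = OpenSSL::PKey::RSA.new(2048)
  old_key = OpenSSL::PKey::RSA.new(2048) # key the CSR was made from
  new_key = OpenSSL::PKey::RSA.new(2048) # key regenerated afterwards
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse('/CN=client')
  csr.public_key = old_key.public_key
  csr.sign(old_key, OpenSSL::Digest.new('SHA256'))
  { csr: csr, cert: issue(ca_key, csr), old_key: old_key, new_key: new_key }
end

s = sample
puts "CSR fingerprint:  #{fingerprint(s[:csr].to_der)}"
puts "cert fingerprint: #{fingerprint(s[:cert].to_der)}"
puts "cert matches old key: #{cert_matches_key?(s[:cert].to_pem, s[:old_key].to_pem)}"
puts "cert matches new key: #{cert_matches_key?(s[:cert].to_pem, s[:new_key].to_pem)}"
```

On a real host, pass `cert_matches_key?` the contents of the certificate and private key PEM files for the same certname; under the `ssldir` shown above these are assumed to be in the `certs/` and `private_keys/` subdirectories.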