Hi,
I'm trying to get signing right and have come up with a weird situation.
Both master and client are running 3.6.2 (rpms from puppetlabs).
client config:
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet-master
ca_server = puppet-master
report = true
# 2 mins.
runinterval = 120
factpath = /etc/facter/facts.d
pluginsync = true
environment = production
master:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
reports = store
environmentpath = $confdir/environments
factpath = /etc/facter/facts.d
storeconfigs = true
storeconfigs_backend = puppetdb
client generates a cert fine:
Info: Creating a new SSL key for client
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client
Info: Certificate Request fingerprint (SHA256): D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
master gets it:
# puppet ca list
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
and has signed itself:
# puppet ca list --all
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
+ puppet-master (SHA256) 65:CE:54:5B:0A:93:5A:43:B4:D6:26:21:5C:99:F5:E9:3B:B3:59:98:4C:5C:84:24:A6:2D:06:C4:FC:DF:2F:A9
So I sign it:
# puppet ca sign client
Notice: Signed certificate request for client
Notice: Removing file Puppet::SSL::CertificateRequest client2.squiz.local at '/var/lib/puppet/ssl/ca/requests/client.pem'
"-----BEGIN CERTIFICATE-----\n....cert contents here....
Then the problems start:
# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: B5:2C:39:40:27:31:47:4F:89:A8:75:EB:8D:1C:16:B9:31:14:4D:BE:B3:DD:AB:81:0E:F4:E4:F2:73:CC:C1:B9
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
I've double checked my configs against a separate working install
(though that doesn't have puppetdb) and can't see anything obviously
wrong.
I'm not sure where to start looking at this so thanks for any help.
--
Postgresql & php tutorials
http://www.designmagick.com/
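
The error quoted in the message above reports that a certificate's public key differs from the one belonging to the private key on disk. As an added example (not part of the original post, and not Puppet's own code), this compares the two with openssl; the function names and the generated sample files are constructed for illustration, and the paths in the comment assume the default layout under the ssldir shown in the client config.

```shell
#!/bin/sh
# Added example: does this certificate belong to this private key?
# Assumed usage on the page's layout (default Puppet 3 directory names):
#   cert_matches_key /var/lib/puppet/ssl/certs/client.pem \
#                    /var/lib/puppet/ssl/private_keys/client.pem

# Returns 0 if the keys match, 1 if they differ, 2 if a file cannot be read.
cert_matches_key() {
    # Public key embedded in the certificate, as PEM.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    # Public key derived from the private key, as PEM.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Constructed sample data: one key with a certificate issued for it, plus a
# second key standing in for one regenerated after the CSR was submitted.
# A self-signed certificate is used here; the comparison is the same for a
# CA-signed one.
make_constructed_samples() {
    openssl genrsa -out "$1/agent.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/stale.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/agent.key" -subj "/CN=client" \
        -days 1 -out "$1/agent.crt" 2>/dev/null
}

demo() {
    tmp=$(mktemp -d) || return 2
    make_constructed_samples "$tmp" || { rm -rf "$tmp"; return 2; }
    same=0;  cert_matches_key "$tmp/agent.crt" "$tmp/agent.key" || same=$?
    other=0; cert_matches_key "$tmp/agent.crt" "$tmp/stale.key" || other=$?
    rm -rf "$tmp"
    echo "issued-for key: $same, other key: $other"
}

demo
```

A result of 1 for a host means the certificate stored under that name was issued for a different key pair than the one currently on disk.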