Issue #7109 has been updated by Nigel Kersten.

Status changed from Needs Decision to Accepted
Assignee changed from Nigel Kersten to Matt Robinson

I'm assuming we're talking about situations only where allow_duplicate_certs is on. If so, then we should fix the agent to allow this behavior. Does that answer it sufficiently, Matt?

----------------------------------------
Bug #7109: Agent retrieving a cert with an already used certname gets error
https://projects.puppetlabs.com/issues/7109

Author: Matt Robinson
Status: Accepted
Priority: Normal
Assignee: Matt Robinson
Category:
Target version:
Affected Puppet version:
Keywords:
Branch:

If agent 'foo' has already received a signed cert back from the Puppet CA, and then a second agent asks for a cert with the certname 'foo', you get the following:

    /Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:166:in `certificate'
    /Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:227:in `wait_for_cert'
    /Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:194:in `setup_host'
    /Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:259:in `setup'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:420:in `hook'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:411:in `exit_on_fail'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/sbin/puppetd:4
    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

However, if you manually generate a certificate request using either the new face 'puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master' or curl (haven't actually tested with curl, but it's basically the same as the face), you're allowed to make a new CSR with the same name as a cert that's already signed.

The question here seems to be, should the agent be fixed to allow this kind of behavior since it's possible with more manual means?
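
The key/certificate mismatch behind the "Retrieved certificate does not match private key" error above, as an added Ruby example (not Puppet's code and not part of the original message). ToyCA, make_csr, cert_matches_key? and demo are hypothetical names, the keys are generated on the spot, and the CA is modelled as holding one signed cert per certname.

```ruby
require 'openssl'

# Constructed stand-in for a CA that stores one signed cert per certname.
class ToyCA
  def initialize
    @key = OpenSSL::PKey::RSA.new(2048)
    @name = OpenSSL::X509::Name.parse('/CN=toy-ca')
    @signed = {}
  end

  # Sign a CSR after verifying its self-signature, then store the cert.
  def sign(csr)
    raise 'bad CSR signature' unless csr.verify(csr.public_key)
    cert = OpenSSL::X509::Certificate.new
    cert.version = 2
    cert.serial = @signed.size + 1
    cert.subject = csr.subject
    cert.issuer = @name
    cert.public_key = csr.public_key
    cert.not_before = Time.now - 60
    cert.not_after = Time.now + 3600
    cert.sign(@key, OpenSSL::Digest.new('SHA256'))
    certname = csr.subject.to_a.find { |field| field[0] == 'CN' }[1]
    @signed[certname] = cert
  end

  # What an agent gets back when it asks for the cert of a certname.
  def fetch(certname)
    @signed[certname]
  end
end

def make_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
  csr
end

# Agent-side check: is the retrieved cert bound to the key this host holds?
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

def demo
  ca = ToyCA.new
  first_key = OpenSSL::PKey::RSA.new(2048)   # first agent named 'foo'
  second_key = OpenSSL::PKey::RSA.new(2048)  # second agent reusing 'foo'
  ca.sign(make_csr('foo', first_key))
  { first: cert_matches_key?(ca.fetch('foo'), first_key),
    second: cert_matches_key?(ca.fetch('foo'), second_key) }
end
```

The second agent fails the check because the cert stored under 'foo' carries the first agent's public key, which is the condition the agent's error message reports.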
