On Fri, Jan 28, 2011 at 9:59 AM, Jeff McCune <[email protected]> wrote:
> On Fri, Jan 28, 2011 at 9:44 AM, Douglas Garstang
> <[email protected]> wrote:
> > I'm trying to run both the puppetmaster and client on the same server.
> > Starting the puppetmaster for the first time is fine, I get this:
> >
> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Signed certificate request for prov01.den.xxx.com
> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/ca/requests/prov01.den.xxx.com.pem'
> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Removing file Puppet::SSL::CertificateRequest prov01.den.xxx.com at '/var/lib/puppet/ssl/certificate_requests/prov01.den.xxx.com.pem'
> >
> > However, when I start the client for the first time, I get this:
> >
> > Jan 28 17:39:12 [email protected] puppet-agent[26404]: Reopening log files
> > Jan 28 17:39:13 [email protected] puppet-agent[26404]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
> >
> > If I remove the keys for prov01.den.xxx.com, then the server complains,
> > because its keys are missing. What do I do?
> >
> > Doug.
>
> It sounds like your master and your agent are using different SSL
> directories. If this is the case, then the master will return the
> certificate already signed for itself rather than issuing a new
> certificate from the CSR the agent is producing.
>
> When running the agent on the same machine as the master, you have two
> choices:
>
> Use the same certificate name for both the master and the agent. In
> this situation the master and agent should share the ssldir setting.
> The agent should not issue a certificate signing request and should
> re-use the certificates generated automatically by the master.
>
> Use a different certificate name for the agent. In this case the
> agent can have its own ssldir _or_ share the ssldir with the master.
> In either case, the agent will generate a new CSR and the master will
> issue a new certificate since the names do not overlap.
>
> Hope this helps,
>

Jeff,

I checked my puppet.conf, and yes, both the client and the server are sharing the ssl directory. I didn't realise that both took an ssldir setting, and it's only defined in the [main] section, not the [agent] section.

Still doesn't work, however. I removed the /var/lib/puppet directory completely, and restarted the puppetmaster. After manually creating some directories and setting some permissions by hand because the puppetmaster barfs, it ran fine. However, when starting the client, I get:

Jan 28 18:08:07 [email protected] puppet-agent[1574]: Starting Puppet client version 2.6.3
Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not retrieve catalog from remote server: certificate verify failed
Jan 28 18:08:07 [email protected] puppet-agent[1574]: Not using cache on failed catalog
Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not retrieve catalog; skipping run
Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not send report: certificate verify failed
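
The "Retrieved certificate does not match private key" condition discussed in this thread can be checked by hand by comparing the public key inside a certificate with the public half of a private key. The script below is an added example, not part of the original messages and not Puppet's own code. It assumes the `openssl` command-line tool is installed and that the ssldir stores `certs/<certname>.pem` and `private_keys/<certname>.pem`; the function names are hypothetical and the sample keys are throwaway ones generated on the spot.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# cert_matches_key CERT KEY
# 0 = the certificate carries the public half of KEY, 1 = different key pair,
# 2 = one of the files is missing or cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_ssldir SSLDIR CERTNAME
# Assumption: the ssldir keeps certs/<certname>.pem and private_keys/<certname>.pem.
check_ssldir() {
    cert_matches_key "$1/certs/$2.pem" "$1/private_keys/$2.pem"
}

# make_pair DIR NAME
# Constructed sample data: a throwaway key and self-signed certificate.
make_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key.pem" -out "$1/$2.cert.pem" >/dev/null 2>&1
}

# Demo: the master's certificate against its own key, then against a key
# that was generated separately (the situation the agent log reports).
demo() {
    tmp=$(mktemp -d) || return 2
    if make_pair "$tmp" master && make_pair "$tmp" agent; then
        cert_matches_key "$tmp/master.cert.pem" "$tmp/master.key.pem" && own=0 || own=$?
        cert_matches_key "$tmp/master.cert.pem" "$tmp/agent.key.pem" && other=0 || other=$?
        echo "master cert / master key: $own"
        echo "master cert / agent key:  $other"
    fi
    rm -rf "$tmp"
}
demo
```

With the paths shown in the logs above, the call would be `check_ssldir /var/lib/puppet/ssl prov01.den.xxx.com`, run as a user that can read the private key.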
