On Fri, Jan 28, 2011 at 10:11 AM, Douglas Garstang <[email protected]> wrote:
> On Fri, Jan 28, 2011 at 9:59 AM, Jeff McCune <[email protected]> wrote:
>
>> On Fri, Jan 28, 2011 at 9:44 AM, Douglas Garstang
>> <[email protected]> wrote:
>> > I'm trying to run both the puppetmaster and client on the same server.
>> > Starting the puppetmaster for the first time is fine, I get this:
>> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Signed
>> > certificate request for prov01.den.xxx.com
>> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Removing file
>> > Puppet::SSL::CertificateRequest prov01.den.xxx.com at
>> > '/var/lib/puppet/ssl/ca/requests/prov01.den.xxx.com.pem'
>> > Jan 28 17:40:58 [email protected] puppet-master[27424]: Removing file
>> > Puppet::SSL::CertificateRequest prov01.den.xxx.com at
>> > '/var/lib/puppet/ssl/certificate_requests/prov01.den.xxx.com.pem'
>> > However, when I start the client for the first time, I get this:
>> > Jan 28 17:39:12 [email protected] puppet-agent[26404]: Reopening log files
>> > Jan 28 17:39:13 [email protected] puppet-agent[26404]: Could not
>> > request certificate: Retrieved certificate does not match private key;
>> > please remove certificate from server and regenerate it with the current key
>> > If I remove the keys for prov01.den.xxx.com, then the server complains,
>> > because its keys are missing. What do I do?
>> > Doug.
>>
>> It sounds like your master and your agent are using different SSL
>> directories. If this is the case, then the master will return the
>> certificate already signed for itself rather than issuing a new
>> certificate from the CSR the agent is producing.
>>
>> When running the agent on the same machine as the master, you have two
>> choices:
>>
>> Use the same certificate name for both the master and the agent. In
>> this situation the master and agent should share the ssldir setting.
>> The agent should not issue a certificate signing request and should
>> re-use the certificates generated automatically by the master.
>>
>> Use a different certificate name for the agent. In this case the
>> agent can have its own ssldir _or_ share the ssldir with the master.
>> In either case, the agent will generate a new CSR and the master will
>> issue a new certificate since the names do not overlap.
>>
>> Hope this helps,
>>
>
> Jeff,
>
> I checked my puppet.conf, and yes, both the client and the server are
> sharing the ssl directory. I didn't realise that both took a ssldir setting,
> and it's only defined in the [main] section, not the [agent] section.
>
> Still doesn't work however. I removed the /var/lib/puppet directory
> completely, and restarted the puppetmaster. After manually creating some
> directories and setting some permissions by hand because the puppetmaster
> barfs, it ran fine.
>
> However, when starting the client, I get:
>
> Jan 28 18:08:07 [email protected] puppet-agent[1574]: Starting
> Puppet client version 2.6.3
> Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not
> retrieve catalog from remote server: certificate verify failed
> Jan 28 18:08:07 [email protected] puppet-agent[1574]: Not using
> cache on failed catalog
> Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not
> retrieve catalog; skipping run
> Jan 28 18:08:07 [email protected] puppet-agent[1574]: Could not
> send report: certificate verify failed
>

I also tried setting the ssldir to something else for the client. Removed
/var/lib/puppet and restarted the puppetmaster. It still starts fine, but
again, when starting the client I get:

Jan 28 18:21:47 [email protected] puppet-master[5021]: Starting Puppet master version 2.6.3
Jan 28 18:21:55 [email protected] puppet-agent[5079]: Reopening log files
Jan 28 18:21:56 [email protected] puppet-agent[5079]: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key

I can see that the client put files in the new ssl dir when it was started.
Dunno what else to do.

Doug.
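The "Retrieved certificate does not match private key" error in the thread above means the certificate the agent fetched for its certname was issued for a different key than the one in its private_keys directory, which is exactly what happens when a master already holds a signed certificate for that name and the agent generates a fresh key. The script below is an added example, not code from the thread or from the Puppet project: it uses openssl to compare the public key embedded in a certificate with the public key derived from a private key, and wraps that in a check over Puppet's default ssldir layout (certs/<certname>.pem and private_keys/<certname>.pem). The ssldir path, the certname, and the fixture it builds for itself are assumptions; on a real host you would run check_ssldir against /var/lib/puppet/ssl and your certname before deciding which of the two keys to discard.

```shell
#!/bin/sh
# Added example (not from the thread). Check whether the certificate stored
# for a certname was issued for the private key sitting next to it in the
# same ssldir. Assumes Puppet's default layout:
#   $ssldir/certs/<certname>.pem
#   $ssldir/private_keys/<certname>.pem
# Requires the openssl command-line tool.

# Print the public key (SPKI PEM) embedded in an X.509 certificate.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Print the public key (SPKI PEM) derived from a private key.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 if certificate $1 was issued for private key $2, 1 otherwise.
# A missing or unreadable file counts as a mismatch.
cert_matches_key() {
    c=$(cert_pubkey "$1") || return 1
    k=$(key_pubkey "$2") || return 1
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Check one certname inside an ssldir. Same return codes as above.
# Usage: check_ssldir /var/lib/puppet/ssl prov01.den.xxx.com
check_ssldir() {
    ssldir=$1
    certname=$2
    cert_matches_key "$ssldir/certs/$certname.pem" \
                     "$ssldir/private_keys/$certname.pem"
}

# Constructed fixture for trying the check offline: a throwaway ssldir
# holding a key with a self-signed certificate for it, plus a second,
# unrelated key standing in for an agent that regenerated its key after
# the master had already signed a certificate for the name.
make_fixture() {
    dir=$1
    name=$2
    mkdir -p "$dir/certs" "$dir/private_keys"
    openssl genrsa -out "$dir/private_keys/$name.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/private_keys/$name.pem" \
        -subj "/CN=$name" -days 1 -out "$dir/certs/$name.pem" 2>/dev/null
    openssl genrsa -out "$dir/private_keys/other.pem" 2048 2>/dev/null
}

# Human-readable verdict for interactive use.
report() {
    if check_ssldir "$1" "$2"; then
        echo "$2: certificate and private key match"
    else
        echo "$2: certificate does NOT match private key (or files missing)"
    fi
}
```

When the check fails on a shared-ssldir setup like the one in the thread, the two files to compare are the agent's private key and the certificate the master signed for the same certname; whichever one is the stray copy has to go, and the master's ca/signed copy must be revoked or removed as well, or the agent will simply fetch the same mismatched certificate again.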
