Alternatively, running puppetca --clean before starting the new client will
result in the standard unsigned behavior.

(I do think it's pretty broken that trying once with the wrong cert poisons
the client - if it is an attack, they can just wipe the client cert again,
and if it isn't - e.g. in your case - then it breaks.)

On Tue, Mar 8, 2011 at 8:05 AM, Felix Frank <[email protected]> wrote:

> On 03/08/2011 12:00 PM, Patrick Cervicek wrote:
> > Is there a way to force the puppetmaster to re-sign certificates for
> > existing certificates when a new CSR for the same hostname arrives?
> >
> > When we reinstall freshly formatted clients with puppet (with the same
> > hostname) the puppet client complains:
> >
> >   err: Could not request certificate: Retrieved certificate does not match
> >   private key; please remove certificate from server and regenerate it with
> >   the current key
> >
> > As workaround we need to delete the $ssldir on the client, delete the
> > certificate on the server "puppetca --clean client-hostname.fqdn" and
> > restart puppet
> >
> > Used versions:
> > puppetmaster                      0.25.4-2~bpo50+1
> > puppet                            2.6.2-4
>
> It's not a good idea to have an old master and newer clients, as far as I
> know.
>
> Automating the revocation of an old certificate is a Bad Idea. Anyone
> could blast all your certificates if they have connectivity to your master.
>
> You may want to try and outfit your newly formatted clients with the
> original certs and keys. Would that be possible in your scenario?
>
> HTH,
> Felix
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to [email protected].
> To unsubscribe from this group, send email to
> [email protected].
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>

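As an added example (not part of the thread and not Puppet's own code): a small POSIX shell script that reproduces the "Retrieved certificate does not match private key" condition offline. It uses openssl to compare the public key embedded in a certificate with the public key derived from a private key, which is the comparison the agent effectively makes, and classifies the client's on-disk state the way a pre-flight check run before starting a reinstalled agent could. The hostname, file names and throwaway directory are placeholders constructed for the demo; the puppetca --clean and $ssldir steps it prints are the thread's own workaround and are printed, not executed.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the cert/key mismatch a
# reinstalled puppet client hits, and decide its state before it contacts
# the master. Assumes only openssl in PATH; all files are constructed here.
set -eu

# Placeholder hostname for the demo.
CLIENT_FQDN="client-hostname.fqdn"

# Fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl dgst -sha256
}

# Fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    openssl rsa -in "$1" -pubout 2>/dev/null | openssl dgst -sha256
}

# Succeeds only when the certificate was issued for this private key.
cert_matches_key() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Classify what the agent has on disk:
#   fresh    - no certificate yet: normal first run, the CSR goes out unsigned
#   ok       - certificate and private key belong together
#   mismatch - a certificate exists but was not issued for this key
#              (a leftover cert with no key at all is the same dead end)
preflight_state() {
    cert="$1"; key="$2"
    if [ ! -f "$cert" ]; then
        echo fresh
    elif [ ! -f "$key" ]; then
        echo mismatch
    elif cert_matches_key "$cert" "$key"; then
        echo ok
    else
        echo mismatch
    fi
}

# The workaround from the thread, printed rather than executed: puppetca
# runs on the master, the $ssldir removal runs on the client.
remediation() {
    echo "on the master:  puppetca --clean $CLIENT_FQDN"
    echo 'on the client:  rm -rf "$ssldir"   # then restart puppet'
}

# Build a throwaway tree: a certificate issued for old.key, plus new.key as
# the key a freshly formatted client would generate on its first run.
setup_demo() {
    dir=$(mktemp -d)
    openssl genrsa -out "$dir/old.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/old.key" -subj "/CN=$CLIENT_FQDN" \
        -days 1 -out "$dir/old.crt" 2>/dev/null
    openssl genrsa -out "$dir/new.key" 2048 2>/dev/null
    echo "$dir"
}

demo=$(setup_demo)
echo "original key:  $(preflight_state "$demo/old.crt" "$demo/old.key")"
echo "reinstalled:   $(preflight_state "$demo/old.crt" "$demo/new.key")"
if [ "$(preflight_state "$demo/old.crt" "$demo/new.key")" = mismatch ]; then
    remediation
fi
# After the master's cert is cleaned and the client's $ssldir removed, the
# client has no cert at all and falls back to the normal unsigned CSR path.
echo "after clean:   $(preflight_state "$demo/none.crt" "$demo/new.key")"
rm -rf "$demo"
```

The same public-key comparison, run by hand against a real $ssldir/certs/<fqdn>.pem and $ssldir/private_keys/<fqdn>.pem, tells you before the agent starts whether you are about to hit the error, so the clean on the master can be done deliberately rather than automated.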