Jake,
Can you please try the following steps and see if this allows you to use
duplicate certs?
On your Puppet Master node:
- Stop the Puppet Master daemon.
- Restart your Puppet Master as follows:
puppet master --allow_duplicate_certs --certdnsnames="puppet:$(hostname -s):$(hostname -f)" --verbose --noop
On a Puppet Agent node:
- Generate a cert:
puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master
- Generate a second cert:
puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master
I would be quite interested to know the outcome of these steps.
Cheers,
Dominic Maraglia
On 4/14/11 7:37 AM, Jake - USPS wrote:
I saw this feature became available in 2.7.0rc1 and wanted to try it
out. I entered 'allow_duplicate_certs = true' on both my master and
agent systems in the puppet.conf (not sure if it's needed in both, saw it
in genconf for puppetd and puppetmasterd though ...). I also have
autosign.conf configured to allow autosigning for our domain
(*.domain.com). I had my agent register with the master for the first
time, works good (always has ;). Now on my agent I removed the ssl
directory. Do another test run, it generates new certs on the agent
system and tries to communicate with the master. I then receive the
following error on the agent:
info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: /File[/etc/puppet/ssl]: Scheduling refresh of (completed_/etc/puppet/ssl)
notice: /Whit[completed_/etc/puppet/ssl]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/private]: Scheduling refresh of (completed_/etc/puppet/ssl/private)
notice: /Whit[completed_/etc/puppet/ssl/private]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/certs]: Scheduling refresh of (completed_/etc/puppet/ssl/certs)
info: /File[/etc/puppet/ssl/certificate_requests]: Scheduling refresh of (completed_/etc/puppet/ssl/certificate_requests)
notice: /Whit[completed_/etc/puppet/ssl/certificate_requests]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/private_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/private_keys)
notice: /Whit[completed_/etc/puppet/ssl/private_keys]: Triggered 'refresh' from 1 events
info: /File[/etc/puppet/ssl/public_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/public_keys)
notice: /Whit[completed_/etc/puppet/ssl/public_keys]: Triggered 'refresh' from 1 events
notice: /Whit[completed_/etc/puppet/ssl/certs]: Triggered 'refresh' from 1 events
info: Creating a new SSL key for XXX
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for XXX
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled
I guess I was expecting this to work fine when
'allow_duplicate_certs = true'. Maybe I misconfigured something?
Maybe I'm misunderstanding how allow_duplicate_certs behaves?
Thanks!
Jake
--
You received this message because you are subscribed to the Google Groups "Puppet
Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.
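As an added diagnostic (not from either poster), the following shell script checks the condition the agent's error above reports: whether the certificate cached under an agent's ssldir still belongs to the private key on disk, which stops being true once the ssl directory is wiped and a new key is generated while the CA still holds the old cert. It assumes openssl is on the PATH; the ssldir layout (certs/, private_keys/) comes from the log lines in Jake's message, and the hostname and temp directory in the demo are constructed.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes the openssl CLI is available.

# cert_matches_key CERT KEY
#   0 if CERT's public key equals the public key derived from KEY,
#   1 if they differ (the "does not match private key" situation),
#   2 if either file is unreadable or cannot be parsed.
cert_matches_key() {
    cert="$1"; key="$2"
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# check_agent_ssl SSLDIR CERTNAME
#   Applies the check to Puppet's ssldir layout seen in the log above.
check_agent_ssl() {
    cert_matches_key "$1/certs/$2.pem" "$1/private_keys/$2.pem"
}

# Self-contained demo in a throwaway directory: enrol once (key + self-signed
# cert standing in for the CA-issued one), then regenerate the key while the
# old cert stays on disk, which is what removing the ssl dir on the agent
# leads to from the CA's point of view.
demo() {
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found; skipping demo"; return 0; }
    tmp=$(mktemp -d) || return 0
    name="agent.example.com"   # constructed certname
    mkdir -p "$tmp/certs" "$tmp/private_keys"
    openssl genpkey -algorithm RSA -out "$tmp/private_keys/$name.pem" 2>/dev/null
    openssl req -new -x509 -key "$tmp/private_keys/$name.pem" -subj "/CN=$name" \
        -days 1 -out "$tmp/certs/$name.pem" 2>/dev/null
    check_agent_ssl "$tmp" "$name" && echo "fresh enrolment: cert matches key"
    # New key, old cert left in place: same failure the agent reported.
    openssl genpkey -algorithm RSA -out "$tmp/private_keys/$name.pem" 2>/dev/null
    check_agent_ssl "$tmp" "$name" || echo "after key regeneration: cert does not match key"
    rm -rf "$tmp"
}

demo
```

Run against a real agent with `check_agent_ssl /etc/puppet/ssl "$(hostname -f)"`; a return of 1 means the cached cert (or the one the CA will hand back) was issued for a key the agent no longer has.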