This seems to be fairly common, and I've tried master clean and client remove, and even tried removing all master / client ssl files and restarted the puppetmaster.

Both client/server are running 2.7.14. I did have master running 2.6.4 the first time I tried and I DID get the certificates recognized. I ran into a problem and decided it was best that they were all running the same version, but now despite removing ssl/ it is still ignoring me.

The client sees:

    sudo puppet agent --test server='blah.blah.com'
    [sudo] password for crucial:
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

The master sees:

    puppet master version 2.7.14
    err: Removing mount files: /etc/puppet/files does not exist
    info: access[^/catalog/([^/]+)$]: allowing 'method' find
    info: access[^/catalog/([^/]+)$]: allowing $1 access
    info: access[/certificate_revocation_list/ca]: allowing 'method' find
    info: access[/certificate_revocation_list/ca]: allowing * access
    info: access[/report]: allowing 'method' save
    info: access[/report]: allowing * access
    info: access[/file]: allowing * access
    info: access[/certificate/ca]: adding authentication no
    info: access[/certificate/ca]: allowing 'method' find
    info: access[/certificate/ca]: allowing * access
    info: access[/certificate/]: adding authentication no
    info: access[/certificate/]: allowing 'method' find
    info: access[/certificate/]: allowing * access
    info: access[/certificate_request]: adding authentication no
    info: access[/certificate_request]: allowing 'method' find
    info: access[/certificate_request]: allowing 'method' save
    info: access[/certificate_request]: allowing * access
    info: access[/]: adding authentication any
    info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
    info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
    info: Could not find certificate for 'crucial-systems.com'
    info: Could not find certificate for 'crucial-systems.com'
    info: Could not find certificate for 'crucial-systems.com'

But there are no certs waiting to be signed:

    sudo puppet cert --list

I've tried generating manually on master:

    sudo puppet cert generate crucial-systems.com

which interestingly enough says:

    notice: crucial-systems.com has a waiting certificate request
    notice: Signed certificate request for crucial-systems.com
    notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/ca/requests/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/certificate_requests/crucial-systems.com.pem'

as though there was something waiting there.

The client now fails because the certificate does not match:

    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for crucial-systems.com
    err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 7F:7C:65:E6:4B:46:92:BC:47:09:6D:60:F5:EE:96:57
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean crucial-systems.com
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem
      puppet agent -t
    Exiting; failed to retrieve certificate and waitforcert is disabled

Try doing what I'm told and remove the master (the one just generated) and the local files:

    # master
    sudo puppet cert clean crucial-systems.com
    notice: Revoked certificate with serial 8
    notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/ca/signed/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/certs/crucial-systems.com.pem'
    notice: Removing file Puppet::SSL::Key crucial-systems.com at '/var/lib/puppet/ssl/private_keys/crucial-systems.com.pem'

    # client
    sudo rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem

And I'm right back where I started: the master sees the request and just ignores it, never stores any certificate request.

Thanks!
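Added example, not part of the original post: a way to confirm locally the condition the agent reports above ("does not match the agent's private key") by comparing the public key inside a certificate with the one derived from a private key, using the openssl CLI. The function names are hypothetical, and the sample certificates are constructed test data; on a real agent it is assumed the files sit under /var/lib/puppet/ssl/certs/ and /var/lib/puppet/ssl/private_keys/ as in the paths shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post): does a certificate belong to a
# given private key? Compares the PEM public key extracted from each file.

# pubkey_of_cert FILE: print the public key embedded in a PEM certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# pubkey_of_key FILE: print the public half of a PEM private key.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# cert_matches_key CERT KEY
# returns 0 = match, 1 = mismatch (what the agent complains about),
#         2 = a file is missing or not parseable
cert_matches_key() {
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] || return 2
    [ "$c" = "$k" ] || return 1
    return 0
}

# make_constructed_pair DIR NAME: write a self-signed test certificate and key
# (constructed sample data, only for trying the check offline).
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" >/dev/null 2>&1
}

# Command-line use: sh check_cert_key.sh CERT.pem KEY.pem
if [ "$#" -eq 2 ]; then
    rc=0
    cert_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "certificate matches private key" ;;
        1) echo "MISMATCH: certificate was issued for a different key" ;;
        *) echo "could not read certificate or key" ;;
    esac
    exit "$rc"
fi
```

Reading the agent's private key normally requires root, so run the check with sudo on the agent.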
