On Wednesday, August 8, 2012 10:51:31 AM UTC-5, mfons wrote:
>
> On client: 
> [root@xxx ~]# cat /etc/redhat-release 
> Red Hat Enterprise Linux Server release 5.7 (Tikanga) 
> [root@xxx ~]# rpm -qa|grep puppet 
> puppet-2.6.12-1.el5 
>
> On server: 
> [root@server ~]# cat /etc/redhat-release 
> Red Hat Enterprise Linux Server release 5.7 (Tikanga) 
> [root@server ~]# rpm -qa|grep puppet 
> puppet-server-2.6.12-1.el5 
> puppet-2.6.12-1.el5 
> [root@server ~]# 
>
> Puppet agent runs on client every 30 minutes, as usual. 
> Sometimes, it fails with messages: 
> Aug  8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL key for 
> xxx.domain.com 
> Aug  8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL 
> certificate request for xxx.domain.com 
> Aug  8 17:30:04 xxx puppet-agent[10416]: Certificate Request 
> fingerprint (md5): 51:BA:28:EA:61:2B:1C:3B:42:64:48:9E:26:0F:28:F9 
> Aug  8 17:30:05 xxx puppet-agent[10416]: Could not request 
> certificate: Error 400 on SERVER: Could not find certificate request 
> for xxx2.domain.com 
>
> We have autosign configured in puppetmaster, because we need to run 
> puppet client on nodes totally unattended (we might provision a new or 
> existing node at anytime) 
> The problem is that sometimes when a client runs puppetagent, it fails 
> requesting a certificate that it does not own. 
> For example: client xxx.domain.com generates a new certificate, which 
> it asks the puppetmaster to sign, and then it fails because it does 
> not find the request for a certificate for xxx2.domain.com. 
>
> Maybe next time, when puppetagent runs again, it succeeds, or it fails 
> again; there is no rule. 
>
> We have a script on server and client that deletes client certificates 
> stored in /var/lib/puppet...... that runs every hour. We need this 
> because we can provision a node with same hostname at anytime and if 
> there was an old certificate on server with the same name it will 
> fail. This is because we have autosign set to yes in puppetmaster. 
>
>  
Those certificate removal scripts sound awfully suspicious.  My first guess 
would be that occasionally the client-side script happens to trigger after 
the client has created its CSR but before it gets the signed certificate 
back from the master.  I would expect trouble to arise also when clients' 
certificates are removed from the master before they are removed from the 
client, so that the client attempts to use a certificate that the master no 
longer recognizes.

Why do you need to be so aggressive about deleting certificates?  
Certificates should never need to be deleted from clients except possibly 
as part of a complete rebuild.  Client certificates only need to be deleted 
from the master when you provision a new machine.  The latter should be 
incorporated into your provisioning process.


John
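The approach John describes (no client-side deletion outside a rebuild, master-side cleanup only at provisioning time, and a guard against the CSR-in-flight window), as an added example that is not code from the original poster, from John, or from Puppet itself. It assumes the Puppet 2.6 default layout (ssldir at /var/lib/puppet/ssl, agent lock file at ../state/puppetdlock next to it, CA copies under ssldir/ca/signed and ssldir/ca/requests), every function takes the ssldir as an argument so it can be exercised against a scratch directory, and the PUPPET override variable and the hostnames in the usage section are hypothetical.

```shell
#!/bin/sh
# Added example: safer certificate lifecycle for an autosigning puppetmaster.
# Assumed Puppet 2.6 paths (hypothetical, adjust to your layout):
#   agent  : $ssldir/private_keys/<fqdn>.pem, $ssldir/certificate_requests/<fqdn>.pem,
#            $ssldir/certs/<fqdn>.pem, lock file at $ssldir/../state/puppetdlock
#   master : $ssldir/ca/signed/<fqdn>.pem, $ssldir/ca/requests/<fqdn>.pem

# agent_ssl_state SSLDIR FQDN  -> prints "signed", "pending" or "none".
# "pending" is exactly the window an hourly delete-everything cron can hit:
# a key and CSR exist but no signed certificate has come back from the master.
agent_ssl_state() {
  ssldir=$1; fqdn=$2
  if [ -f "$ssldir/certs/$fqdn.pem" ]; then
    echo signed
  elif [ -f "$ssldir/private_keys/$fqdn.pem" ] || \
       [ -f "$ssldir/certificate_requests/$fqdn.pem" ]; then
    echo pending
  else
    echo none
  fi
}

# agent_reset_ssl SSLDIR FQDN  -> removes the agent's SSL state, but only when it
# is safe: never while a CSR is waiting on the master and never while an agent
# run holds the lock. Meant for a full rebuild, not for cron. Returns 1 on refusal.
agent_reset_ssl() {
  ssldir=$1; fqdn=$2
  if [ -f "$ssldir/../state/puppetdlock" ]; then
    echo "refusing: puppet agent is running" >&2
    return 1
  fi
  state=$(agent_ssl_state "$ssldir" "$fqdn")
  if [ "$state" = pending ]; then
    echo "refusing: CSR for $fqdn has not been answered by the master yet" >&2
    return 1
  fi
  rm -f "$ssldir/certs/$fqdn.pem" \
        "$ssldir/private_keys/$fqdn.pem" \
        "$ssldir/public_keys/$fqdn.pem" \
        "$ssldir/certificate_requests/$fqdn.pem"
  return 0
}

# master_has_cert SSLDIR FQDN  -> 0 if the CA still holds a signed cert for FQDN.
master_has_cert() {
  [ -f "$1/ca/signed/$2.pem" ]
}

# master_clean_node SSLDIR FQDN  -> provisioning-time cleanup on the master for the
# one hostname about to be (re)installed, so the fresh node's CSR gets autosigned.
# Prefers `puppet cert --clean` (Puppet 2.6 CLI), which also revokes the old cert
# in the CA's CRL. The rm fallback exists only so this example runs offline; it
# does NOT revoke anything. PUPPET is a hypothetical override for the binary path.
master_clean_node() {
  ssldir=$1; fqdn=$2
  puppet=${PUPPET:-puppet}
  if command -v "$puppet" >/dev/null 2>&1; then
    "$puppet" cert --clean "$fqdn"
  else
    rm -f "$ssldir/ca/signed/$fqdn.pem" "$ssldir/ca/requests/$fqdn.pem"
  fi
}

# agent_cert_matches_master AGENT_SSLDIR MASTER_SSLDIR FQDN  -> 0 if the agent's
# certificate is byte-identical to the CA's signed copy. A mismatch is the second
# failure John predicts: the master's copy was removed or reissued while the agent
# still presents its old certificate.
agent_cert_matches_master() {
  cmp -s "$1/certs/$3.pem" "$2/ca/signed/$3.pem"
}

# Usage (hypothetical hostname): run on the master from the provisioning step for
# node1.example.com, never from an hourly cron:
#   master_clean_node /var/lib/puppet/ssl node1.example.com
# and on the node itself only from the rebuild (kickstart %post), before the first
# agent run:
#   agent_reset_ssl /var/lib/puppet/ssl node1.example.com
```

The two refusal branches in agent_reset_ssl are the point: the hourly client-side script in the original post has no such guard, so whenever it fires between "Creating a new SSL certificate request" and the master's reply it throws away the key the pending CSR was made with, which is one way the agent ends up asking about a request the master cannot match.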

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msg/puppet-users/-/O3rdHJmX8Z4J.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.