On Thu, Nov 29, 2012 at 2:52 PM, shoerner <[email protected]> wrote:

> Hello everyone,
>
> Just getting my first puppet master set up and I am having a problem that
> I just do not know how to get past. For some reason, my certificate store
> keeps getting corrupted. Basically what happens is that the server will
> issue itself a valid certificate (after removing the 'bad' cert) and will
> run just fine. When I start puppetDB (I am pretty sure it happens around
> here) on the system though, running the command 'puppet ca list --all' on
> the PuppetMaster, I get the following:
>
> Error: The certificate retrieved from the master does not match the
> agent's private key.
> Certificate fingerprint: *<fingerprint removed>*
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean puppetmaster.site
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/puppetmaster.site.pem
>   puppet agent -t
>
> Error: Try 'puppet help ca list' for usage
>
> I have tried following said instructions which did not work at all.
> Eventually I was able to build it down to the following steps to regenerate
> the certificate store:
> # service puppetmaster stop
> # service puppetdb stop
> # service puppet stop
> # find $(puppet master --configprint ssldir) -name "$(puppet master
> --configprint certname).pem" -delete
> # rm -rf /var/lib/puppet/ssl
> # puppet master --no-daemonize --debug --verbose --trace (kill it when it
> says "starting puppet")
> # /usr/sbin/puppetdb-ssl-setup
> # service puppetmaster start
> # puppet ca list --all (lists the certs installed)
> # service puppetdb start
> # puppet ca list --all (prints error message above with new fingerprint)
>
> The master is running Fedora 16 with Puppet 3.0.1 (along with PuppetDB
> 1.0.2 and Puppet Dashboard). I realize that the solution is only made more
> difficult by the inclusion of db and dashboard, but the project scope grew
> too quickly and resulted in attempts to combine services. I am out of ideas
> save for re-installing the service; after messing with this install for so
> long, I doubt many people here will want to support this decision.
>

That's odd...puppetdb-ssl-setup doesn't actually modify anything in
puppet's ssl directory, it should only be reading files contained in that
directory and importing them into a keystore (in a completely different
dir). If that script messed something up, I'd expect the issue to come up
the first time you ran "puppet ca list". When you start the PuppetDB
daemon, nothing in /var/lib/puppet/ssl is involved...it doesn't even look
at those files.

Are the checksums of your certs and puppet config files the same before and
after running puppetdb-ssl-setup, and before and after starting the
puppetdb daemon? If, instead of using "service start puppet", you use the
puppetdb-foreground script, does the problem persist?

deepak
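
One way to do the before/after checksum comparison suggested above, as an added example that is not part of this thread or of PuppetDB's own tooling: snapshot every file under the ssldir, repeat after each suspect step (`puppetdb-ssl-setup`, starting the `puppetdb` daemon) and diff the two snapshots. The directory layout under the temporary directory in the usage comments is constructed for illustration; on the master you would point it at `/var/lib/puppet/ssl` (or `$(puppet master --configprint ssldir)`) and at `/etc/puppet/puppet.conf`.

```shell
#!/bin/sh
# Added example, not code from the original poster or from PuppetDB.
# Snapshot file checksums under a directory so two snapshots taken around a
# suspect step can be diffed to see exactly which files (if any) were touched.

# Print "sha256  ./relative-path" for every regular file under $1, sorted so
# that two snapshots of an unchanged tree compare byte-for-byte equal.
snapshot_checksums() {
    dir="$1"
    ( cd "$dir" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
        if command -v sha256sum >/dev/null 2>&1; then
            sha256sum "$f"
        else
            shasum -a 256 "$f"   # fallback for systems without coreutils
        fi
    done )
}

# Compare two snapshot files produced by snapshot_checksums.
# Prints "no changes" and returns 0 when identical; otherwise prints the
# differing lines ("<" = state before, ">" = state after) and returns 1.
compare_snapshots() {
    before="$1"
    after="$2"
    changed=$(diff "$before" "$after" | grep '^[<>]' || true)
    if [ -z "$changed" ]; then
        echo "no changes"
        return 0
    fi
    echo "$changed"
    return 1
}

# Typical use on the master (paths from the thread; assumed writable /tmp):
#   snapshot_checksums /var/lib/puppet/ssl > /tmp/ssl.before
#   /usr/sbin/puppetdb-ssl-setup
#   snapshot_checksums /var/lib/puppet/ssl > /tmp/ssl.after
#   compare_snapshots /tmp/ssl.before /tmp/ssl.after
# then repeat the same pair of snapshots around "service puppetdb start".
```

Because the snapshot lists every file, a changed, added, or removed certificate or key shows up by path, which is what distinguishes "the setup script rewrote something in the ssldir" from "the files are untouched and the mismatch comes from elsewhere" (for example a certname or ssldir setting that differs between the `puppet master` and `puppet ca` invocations).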

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to 
[email protected].
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.
