Hey Dennis, You are right - there is a difference. Think I tried the cert list command once and dismissed it when it did not work for 'ca list' instead.
Running the command 'puppet cert list --all' does indeed work as intended. Thank you! Off to go fix puppetdb now that I have ripped the SSL configurations out of it too many times.

On Tuesday, December 4, 2012 10:50:52 AM UTC-5, Dennis Hoppe wrote:
>
> Hello Shawn,
>
> On 29.11.2012 22:52, shoerner wrote:
> > Just getting my first puppet master set up and I am having a problem
> > that I just do not know how to get past. For some reason, my certificate
> > store keeps getting corrupted. Basically what happens is that the server
> > will issue itself a valid certificate (after removing the 'bad' cert)
> > and will run just fine. When I start puppetDB (I am pretty sure it
> > happens around here) on the system though, running the command 'puppet
> > ca list --all' on the PuppetMaster, I get the following:
> >
> > Error: The certificate retrieved from the master does not match the
> > agent's private key.
> > Certificate fingerprint: <fingerprint removed>
> > To fix this, remove the certificate from both the master and the agent
> > and then start a puppet run, which will automatically regenerate a
> > certificate.
> > On the master:
> > puppet cert clean puppetmaster.site
> > On the agent:
> > rm -f /var/lib/puppet/ssl/certs/puppetmaster.site.pem
> > puppet agent -t
> >
> > Error: Try 'puppet help ca list' for usage
> >
> > I have tried following said instructions which did not work at all.
> > Eventually I was able to build it down to the following steps to
> > regenerate the certificate store:
> > # service puppetmaster stop
> > # service puppetdb stop
> > # service puppet stop
> > # find $(puppet master --configprint ssldir) -name "$(puppet master --configprint certname).pem" -delete
> > # rm -rf /var/lib/puppet/ssl
> > # puppet master --no-daemonize --debug --verbose --trace (kill it when it says "starting puppet")
> > # /usr/sbin/puppetdb-ssl-setup
> > # service puppetmaster start
> > # puppet ca list --all (lists the certs installed)
> > # service puppetdb start
> > # puppet ca list --all (prints error message above with new fingerprint)
> >
> > The master is running Fedora 16 with Puppet 3.0.1 (along with PuppetDB
> > 1.0.2 and Puppet Dashboard). I realize that the solution is only made
> > more difficult by the inclusion of db and dashboard, but the project
> > scope grew too quickly and resulted in attempts to combine services. I
> > am out of ideas save for re-installing the service; after messing with
> > this install for so long, I doubt many people here will want to support
> > this decision.
>
> Which command did you use to sign your client certificates?
>
> At Puppet 2.7 I was using "puppetca list" and "puppetca sign
> host.example.net".
>
> So I thought that I could use "puppet ca list" and "puppet ca sign
> host.example.net" at Puppet 3.0.1.
>
> But, when the first Puppet client did a "puppet agent --test", the
> puppet master created a private key for host.example.net at
> "/var/lib/puppet/ssl/private_keys".
>
> So I assume that there is a difference between "puppet ca" and "puppet
> cert".
>
> When I use "puppet cert list" and "puppet cert sign host.example.net",
> there will be no private key created and the commands "puppet ca list
> --all" and "puppet cert list --all" are working as expected.
>
> Best regards, Dennis

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/2GGqlIIhTbcJ. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
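The error quoted in the thread ("The certificate retrieved from the master does not match the agent's private key") is Puppet telling you that the public key inside certs/<certname>.pem is not the public half of private_keys/<certname>.pem. The check below is an added example, not code from the thread or from the Puppet project: it uses plain openssl to compare the two public keys directly, so you can confirm a mismatch (or rule one out) before deleting anything from the ssldir. The only Puppet-specific assumption is the ssldir layout the posters mention (certs/ and private_keys/ under the ssldir, one PEM per certname); make_fixture builds a constructed ssldir with one matching pair and one deliberately mismatched pair so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet): verify that the
# certificate for a certname was issued for the private key sitting next
# to it in a Puppet-style ssldir. Requires only the openssl CLI.

set -u

# Compare the SHA-256 of the DER-encoded public key taken from the cert
# with the one derived from the private key.
# Returns 0 on match, 1 on mismatch, 2 when either file is unreadable.
cert_matches_key() {
    cert="$1"; key="$2"
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Apply the check to one certname inside an ssldir laid out the way the
# thread describes (certs/<certname>.pem, private_keys/<certname>.pem).
check_ssldir() {
    ssldir="$1"; certname="$2"
    cert_matches_key "$ssldir/certs/$certname.pem" \
                     "$ssldir/private_keys/$certname.pem"
}

# Constructed test data: good.example has a consistent key/cert pair;
# bad.example has its key replaced after the cert was issued, which is
# exactly the state the Puppet error message complains about.
make_fixture() {
    dir="$1"
    mkdir -p "$dir/certs" "$dir/private_keys"
    for name in good.example bad.example; do
        openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$name" -days 1 \
            -keyout "$dir/private_keys/$name.pem" \
            -out "$dir/certs/$name.pem" >/dev/null 2>&1
    done
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private_keys/bad.example.pem" >/dev/null 2>&1
}

# Stand-alone usage: ./check.sh <ssldir> <certname>
# e.g. ./check.sh "$(puppet master --configprint ssldir)" puppetmaster.site
if [ $# -eq 2 ]; then
    if check_ssldir "$1" "$2"; then
        echo "$2: certificate matches private key"
    else
        echo "$2: certificate does NOT match private key (or files missing)"
        exit 1
    fi
fi
```

Run it against the master's own certname before and after starting puppetdb: if the script reports a mismatch only after the puppetdb-ssl-setup step, that step (or a later service start) is what rewrote one half of the pair, and you know which file to regenerate rather than wiping the whole ssldir.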
