I think the certificate fingerprint issue you received is a worry, but might not indicate a problem per se. Let's use openssl instead to get the fingerprint directly:

# openssl x509 -noout -in `puppet master --configprint hostcert` -fingerprint -md5

So if I do the same exercise on my own host I get:

https://gist.github.com/kbarber/5592588

Notice how the fingerprints match?

At first glance your failing command seems to indicate the certificate in your JKS store is _not_ the same as the certificate being used by Puppet itself, but try the openssl variant I showed you above instead and see how it goes.

If they do not match, it would make sense that you are receiving a chain problem. The certificate in your keystore.jks file might not be signed by the CA. Perhaps it is old and left over from another certificate loading attempt?

What is weird is that you say you cleared /etc/puppetdb/ssl and re-ran puppetdb-ssl-setup didn't you? This action should be enough to restore the correct key in keystore.jks.

ken.

On Wed, May 15, 2013 at 11:56 AM, <kl.puppetu...@gmail.com> wrote:
> Hi Ken, thanks for your reply,
>
> On Tue, May 14, 2013 at 5:08 PM, Ken Barber <k...@puppetlabs.com> wrote:
>> Can we walk through your certificates again? Can you give the full
>> verbose output of the following?
>
> I put the complete output here: http://pastebin.com/raw.php?i=iW44kACL .
> Hope this helps.
>
>> I get the feeling your problem is due to the client certificate being
>> used to connect is the issue, but I need to see all this data again to
>> be clear.
>
> There do indeed seem to be some problems with the certificate (especially
> with the [puppet cert fingerprint] command). This might be the main problem
> for puppetdb. The onetime command does work, however, but puppetdb might not
> like it. I don't know how to fix this. Other nodes seem to work fine.
>
> Thanks,
> kl
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To post to this group, send email to puppet-users@googlegroups.com.
> Visit this group at http://groups.google.com/group/puppet-users?hl=en.
> For more options, visit https://groups.google.com/groups/opt_out.
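
Added example, not part of the original thread or of Puppet's tooling: a shell sketch of the fingerprint comparison discussed above, which refuses to compare digests of different algorithms so that an MD5 value from openssl is never reported as a mismatch against a SHA1 or SHA-256 value. It assumes the keystore is listed with keytool and that keytool prints a "Certificate fingerprint (ALGO):" line; the function names, the alias and every fingerprint are constructed for illustration.

```shell
#!/bin/sh
# Added example. All fingerprints and the keystore alias are constructed.

# Reduce fingerprint output to "ALGO HEXDIGITS". Understands
#   openssl x509 -fingerprint : "MD5 Fingerprint=AA:BB:..."
#   keytool -list (assumed)   : "Certificate fingerprint (MD5): AA:BB:..."
normalize_fp() {
    printf '%s\n' "$1" | tr -d '\r' | sed -n \
        -e 's/^\([A-Za-z0-9-]*\) Fingerprint= *\([0-9A-Fa-f:]*\) *$/\1 \2/p' \
        -e 's/^.*fingerprint (\([A-Za-z0-9-]*\)): *\([0-9A-Fa-f:]*\) *$/\1 \2/p' |
        head -n 1 | tr -d ':-' | tr '[:lower:]' '[:upper:]'
}

# 0 = same digest, 1 = digests differ,
# 2 = not comparable (no fingerprint found, or different digest algorithms).
compare_fp() {
    a=$(normalize_fp "$1")
    b=$(normalize_fp "$2")
    [ -n "$a" ] && [ -n "$b" ] || return 2
    [ "${a%% *}" = "${b%% *}" ] || return 2
    [ "${a#* }" = "${b#* }" ] && return 0
    return 1
}

# Turn the comparison result into a one-word verdict.
report() {
    rc=0; compare_fp "$1" "$2" || rc=$?
    case $rc in
        0) echo "match" ;;
        1) echo "mismatch" ;;
        *) echo "not-comparable" ;;
    esac
}

# Constructed sample outputs.
OPENSSL_OUT='MD5 Fingerprint=3A:5F:09:C1:7E:22:B4:D8:90:1C:6A:E3:47:FB:05:9D'
KEYTOOL_OUT='Keystore type: JKS

puppetdb.example.com, May 15, 2013, PrivateKeyEntry,
Certificate fingerprint (MD5): 3a:5f:09:c1:7e:22:b4:d8:90:1c:6a:e3:47:fb:05:9d'
KEYTOOL_STALE='Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF'
KEYTOOL_SHA1='Certificate fingerprint (SHA1): 3A:5F:09:C1:7E:22:B4:D8:90:1C:6A:E3:47:FB:05:9D:01:02:03:04'

report "$OPENSSL_OUT" "$KEYTOOL_OUT"    # same certificate
report "$OPENSSL_OUT" "$KEYTOOL_STALE"  # keystore holds a different certificate
report "$OPENSSL_OUT" "$KEYTOOL_SHA1"   # ask both tools for the same digest
```

On a real host the first argument would be the output of the openssl command from the message and the second the keytool listing of keystore.jks; a "mismatch" verdict is the case the message ties to a chain problem.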