On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
>
> We are not configured to auto-sign certificates.
>
> Clearly, the client is making a connection to the master:
>
>
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/
> de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>
> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this
> particular agent. I've tried starting clean/fresh on the agent (removing
> /var/lib/puppet) and that has no effect. The older clients are working
> just fine.
>
> puppet cert list continues to not see the inbound request from this
> particular agent.
>

Well, that at least narrows it down. The master is not recognizing the client's certificate-signing request, or is refusing to service it.

Does the master already have a signed certificate for this client (or at least one bearing the requested certname)? "puppet cert list --all" should tell you. If so, then there are two possibilities:

(1) the master signed the current client's current certificate, but is refusing to serve up the signed certificate. This seems unlikely to me, but it cannot be altogether discounted.

(2) the signed certificate does not correspond to the certificate-signing request currently being presented by the agent (maybe it is an old cert signed for a different machine with the same name), so the master refuses to provide it to the agent.

If (2) applies, then you should revoke then remove the old cert via "puppet cert", then try again to connect the agent.

Alternatively, is there any chance you have multiple copies of the master installed? (Maybe one via RPM and a separate one via gem?) If that's the case, then perhaps the master the agent is talking to is different from the one that comes first in your shell's executable path. That could wreak all sorts of havoc, including misleading you about the relevant certs and CSRs.

John
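
One way to test possibility (2) from the reply above is to compare the public key in the agent's current CSR with the public key in the certificate the master holds under that certname. This is an added example, not part of the original thread or of Puppet itself; the function names, the `agent.example.test` name and the generated files are hypothetical, and the self-signed certificate stands in for one signed by the Puppet CA. On a real setup the inputs would be the agent's CSR (typically `$ssldir/certificate_requests/<certname>.pem`) and the master's signed copy (typically `$ssldir/ca/signed/<certname>.pem`), which is an assumption about the default layout.

```shell
#!/usr/bin/env bash
# Added example: does a signed certificate carry the same public key as a CSR?
# A stale cert issued to an earlier machine with the same certname will not.

# csr_matches_cert <csr.pem> <cert.pem>
# Returns 0 if the keys match, 1 if they differ, 2 if either file is unreadable.
csr_matches_cert() {
  local csr_key cert_key
  csr_key=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
  cert_key=$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null) || return 2
  [ -n "$csr_key" ] && [ "$csr_key" = "$cert_key" ]
}

# make_demo: build constructed sample material in a temp dir and print its path.
#   old.csr / signed.pem : CSR and cert from the "previous" machine's key
#   new.csr              : CSR from a rebuilt agent reusing the same certname
make_demo() {
  local d
  d=$(mktemp -d) || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
    -keyout "$d/old.key" -out "$d/old.csr" 2>/dev/null || return 1
  # Self-signing here only stands in for the CA's signature (assumption).
  openssl x509 -req -in "$d/old.csr" -signkey "$d/old.key" -days 1 \
    -out "$d/signed.pem" 2>/dev/null || return 1
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=agent.example.test" \
    -keyout "$d/new.key" -out "$d/new.csr" 2>/dev/null || return 1
  echo "$d"
}

# Command-line use: script.sh <csr.pem> <signed-cert.pem>
if [ "$#" -eq 2 ]; then
  csr_matches_cert "$1" "$2"
  case $? in
    0) echo "match: certificate was issued for this CSR's key" ;;
    1) echo "MISMATCH: certificate belongs to a different key" ;;
    *) echo "could not read CSR or certificate" ;;
  esac
fi
```

A mismatch result is the situation in which revoking and removing the old cert, as described above, applies.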
