On Wednesday, July 17, 2013 6:00:49 PM UTC+3, jcbollinger wrote:
>
> On Tuesday, July 16, 2013 4:32:35 PM UTC-5, Forrie wrote:
>>
>> We are not configured to auto-sign certificates.
>>
>> Clearly, the client is making a connection to the master:
>>
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>> 10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"
>>
>> Correct, our Master is upgraded to the latest Puppet 3.2.3, as is this
>> particular agent. I've tried starting clean/fresh on the agent (removing
>> /var/lib/puppet) and that has no effect. The older clients are working
>> just fine.
>>
>> puppet cert list, continues to not see the inbound request from this
>> particular agent.
>>
>
> Well, that at least narrows it down. The master is not recognizing the
> client's certificate-signing request, or is refusing to service it. Does
> the master already have a signed certificate for this client (or at least
> one bearing the requested certname)? "puppet cert list --all" should tell
> you.
>
> If so, then there are two possibilities:
> (1) the master signed the current client's current certificate, but is
> refusing to serve up the signed certificate. This seems unlikely to me,
> but it cannot be altogether discounted.
> (2) the signed certificate does not correspond to the certificate-signing
> request currently being presented by the agent (maybe it is an old cert
> signed for a different machine with the same name), so the master refuses
> to provide it to the agent.
>
> If (2) applies, then you should revoke then remove the old cert via
> "puppet cert", then try again to connect the agent.
>
> Alternatively, is there any chance you have multiple copies of the master
> installed? (Maybe one via RPM and a separate one via gem?) If that's the
> case, then perhaps the master the agent is talking to is different from the
> one that comes first in your shell's executable path. That could wreak all
> sorts of havoc, including misleading you about the relevant certs and CSRs.
>
>
> John
>

How do I verify if multiple copies are installed? I'm using Foreman to manage the puppet master on the same host, but I don't think it has caused any issues.

I don't think #1 above is what happened to me - I've tried with a completely new client. I must emphasize that apart from the CA's certificate, I'm not seeing anything under 'puppet cert --list --all'.

Is there any debug flag I can enable to provide debug output on the master for the signing process?
Y.
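Added example, not part of the thread or of Puppet itself: a Python pass over the master's access log that groups CA requests like the 404 lines quoted above by certname, to show whether an agent that keeps polling for its certificate ever had a CSR upload logged. The `PUT /<environment>/certificate_request/<certname>` route is the Puppet 3 agent's CSR upload and does not appear in the thread; the function names and the two extra hosts in the sample are constructed for illustration.

```python
import re
from collections import defaultdict

# Matches Apache combined-log lines that hit the master's CA endpoints.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) '
    r'/(?P<env>[^/\s]+)/(?P<kind>certificate_request|certificate)/'
    r'(?P<certname>[^?\s]+)\S* HTTP/[\d.]+" (?P<status>\d{3}) '
)

def summarize(lines):
    """Collect per-certname evidence from CA-related requests."""
    state = defaultdict(lambda: {"polls_404": 0, "csr_uploaded": False, "cert_served": False})
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["certname"] == "ca":  # skip other traffic and the CA cert itself
            continue
        s, ok = state[m["certname"]], m["status"].startswith("2")
        if m["kind"] == "certificate_request" and m["method"] == "PUT" and ok:
            s["csr_uploaded"] = True        # assumption: a 2xx PUT means the CSR was stored
        elif m["kind"] == "certificate" and m["method"] == "GET":
            if ok:
                s["cert_served"] = True
            elif m["status"] == "404":
                s["polls_404"] += 1
    return dict(state)

def diagnose(s):
    """Turn the collected evidence into a one-line finding for the operator."""
    if s["cert_served"]:
        return "cert delivered"
    if s["polls_404"] and not s["csr_uploaded"]:
        return "polling, no CSR upload logged"
    if s["polls_404"]:
        return "CSR uploaded, awaiting signing"
    return "no certificate polling seen"

# Constructed sample: the first entry follows the thread's log line, the rest are invented.
SAMPLE = [
    '10.101.0.10 - - [16/Jul/2013:17:23:46 -0400] "GET /production/certificate/de-prod-archive.ourdomain.com? HTTP/1.1" 404 62 "-" "-"',
] * 3 + [
    '10.101.0.11 - - [16/Jul/2013:17:30:02 -0400] "PUT /production/certificate_request/web01.example.test HTTP/1.1" 200 - "-" "-"',
    '10.101.0.11 - - [16/Jul/2013:17:30:03 -0400] "GET /production/certificate/web01.example.test? HTTP/1.1" 404 62 "-" "-"',
    '10.101.0.12 - - [16/Jul/2013:17:31:10 -0400] "GET /production/certificate/db01.example.test? HTTP/1.1" 200 1903 "-" "-"',
    '10.101.0.12 - - [16/Jul/2013:17:31:11 -0400] "GET /production/catalog/db01.example.test HTTP/1.1" 200 5120 "-" "-"',
]

if __name__ == "__main__":
    for certname, s in summarize(SAMPLE).items():
        print(f"{certname}: {diagnose(s)} ({s['polls_404']} x 404)")
```

A "polling, no CSR upload logged" result only reflects the log window examined; an upload recorded in an earlier or rotated log file would not be counted.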
