[ ... ] > Well, that at least narrows it down. The master is not recognizing the > client's certificate-signing request, or is refusing to service it. Does > the master already have a signed certificate for this client (or at least > one bearing the requested certname)? "puppet cert list --all" should tell > you. >
There are no other certificates for this new system. I checked recursively in the ssl directory, just to be sure. > If so, then there are two possibilities: > (1) the master signed the current client's current certificate, but is > refusing to serve up the signed certificate. This seems unlikely to me, > but it cannot be altogether discounted. > Not the case. > (2) the signed certificate does not correspond to the certificate-signing > request currently being presented by the agent (maybe it is an old cert > signed for a different machine with the same name), so the master refuses > to provide it to the agent. > > If (2) applies, then you should revoke then remove the old cert via > "puppet cert", then try again to connect the agent. > > > Alternatively, is there any chance you have multiple copies of the master > installed? (Maybe one via RPM and a separate one via gem?) If that's the > case, then perhaps the master the agent is talking to is different from the > one that comes first in your shell's executable path. That could wreak all > sorts of havoc, including misleading you about the relevant certs and CSRs. > There is only one master running, one agent: 1149 ? S 1:19 Passenger RackApp: /etc/puppet/rack/puppetmasterd 6946 ? Ss 0:03 /usr/local/bin/ruby /usr/local/bin/puppet agent What strikes me as odd is this is a fresh system that was installed; there's nothing particularly special about it, other than it's CentOS 6.x versus CentOS 5.x which are most of the others. It seems one other person posted here who is experiencing similar problems. What I'm willing to do, as a test case, is configure to new VMs and try a proof-of-bug-or-concept with this. The setup will be simple, one master and one agent; the cert request should be accepted and then manually signed. Though, I think my present configuration is simple enough. Thanks. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To post to this group, send email to [email protected]. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
