On Monday, March 17, 2014 12:59:07 PM UTC+1, nhadie ramos wrote:
>
> Hi All,
>
> I'm trying vagrant and puppet. I would like to be able to launch a VM on
> virtualbox then call puppet for installing packages and configuration.
> I would be using this for all developers and loaded on their local
> machine's Virtualbox.
>
> So on vagrant I launch a machine and set hostname to dev.mybox.com
> then configure it to connect to my puppetmaster, e.g. puppet agent
> --server puppetmaster.mybox.com --test --verbose
> On my puppet master, I added *.mybox.com on autosign.conf.
>
> Initial vagrant up works since no cert yet on master for dev.mybox.com,
> but after I destroy the VM and launch again
> I see the error:
>
> err: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint: 2B:E9:77:64:B7:B4:98:DD:75:8D:0F:B5:53:ED:3B:46
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean dev.mybox.com
> On the agent:
>   rm -f /var/lib/puppet/ssl/certs/dev.mybox.com.pem
>   puppet agent -t
>
> Is there a way to bypass this or set a fixed cert so that I can destroy and
> launch an instance using vagrant without this issue?
> Any help would be appreciated. Thank you.
>
> Regards,
> Nhadie
>

The issue is that a cert is already present for that host. Johan's
solution looks great to get around this by always reusing the same cert,
instead of the VM generating a new one each time.

Another approach would be to have the agent delete a cert on the CA, so
that the auto-signing works. To do this you have to authorize agents to
remove certs by adding the following to the puppet master's auth.conf:

    # Allows nodes to clean up certificates of any node. This is being triggered
    # at provisioning time in kickstart to remove the old certificate, since a new
    # one is generated when the system is provisioned.
    path /certificate_status/
    auth any
    method find, save, destroy
    allow *.example.com,pe-internal-dashboard

The agent would run the following, prior to puppet running:

    PUPPETCA=puppetca.example.com
    curl -k -X DELETE -H "Accept: pson" https://${PUPPETCA}:8140/production/certificate_status/`hostname -f`

http://garretthoneycutt.com/index.php/Puppet#Removing_certs_during_provisioning_process

Best regards,
-g

--
Garrett Honeycutt
@learnpuppet
Puppet Training with LearnPuppet.com
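
A provisioning-time wrapper around the DELETE request from the reply above, added here as an example and not part of the original thread. It only ever sends the machine's own FQDN, checks the HTTP status, and verifies the CA when a CA certificate is available instead of always using -k. The names ALLOWED_DOMAIN, CA_CERT, cert_status_url and clean_own_cert, and the CA certificate path, are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions are marked below.
PUPPETCA="${PUPPETCA:-puppetca.example.com}"        # CA host, as in the post
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-example.com}"     # assumption: domain the auth.conf rule allows
CA_CERT="${CA_CERT:-/etc/puppet/bootstrap-ca.pem}"  # hypothetical path: CA cert baked into the base box

# Print the certificate_status URL for a certname, or fail if the name is not
# a plain lowercase hostname under ALLOWED_DOMAIN (nothing else reaches the URL).
cert_status_url() {
    case "$1" in
        ''|*[!a-z0-9.-]*) return 1 ;;
    esac
    case "$1" in
        *?."$ALLOWED_DOMAIN") ;;
        *) return 1 ;;
    esac
    printf 'https://%s:8140/production/certificate_status/%s\n' "$PUPPETCA" "$1"
}

# Ask the CA to remove the old certificate for this host only.
clean_own_cert() {
    url=$(cert_status_url "$(hostname -f)") || {
        echo "refusing to clean cert: unexpected hostname" >&2
        return 2
    }
    if [ -r "$CA_CERT" ]; then
        set -- --cacert "$CA_CERT"      # verify the CA's TLS certificate
    else
        echo "warning: $CA_CERT missing, CA not verified (-k, as in the post)" >&2
        set -- -k
    fi
    code=$(curl -s -o /dev/null -w '%{http_code}' "$@" \
        -X DELETE -H 'Accept: pson' "$url") || return 3
    case "$code" in
        2??) return 0 ;;
        *) echo "certificate_status DELETE returned HTTP $code" >&2; return 1 ;;
    esac
}

# Run only when asked, so the file can also be sourced.
if [ "${1:-}" = "--run" ]; then clean_own_cert; fi
```

Call it with --run before the first puppet agent run. Decide in the provisioner whether a non-zero return should stop the run; on a first vagrant up the CA has no certificate for the host to delete.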
