On Monday, May 5, 2014 10:25:50 AM UTC-5, Felix.Frank wrote:
>
> Ah, so you're running the master from an unprivileged user. That makes a
> lot of sense now.
>

Maybe. It is normal to run the *master* as an unprivileged user. The master does not store anything in its home directory in that case, unless its home directory is set to something like /var/lib/puppet. Or am I stuck in the past?

It is *ab*normal to run the agent as an unprivileged user, because that prevents the agent from applying most of the kinds of system changes that Puppet is typically wanted for. It is perhaps more common to run 'puppet apply' as a normal user, but the same limitations apply. Under these circumstances, however, it is my understanding that agent or apply will use $HOME/.puppet.

> And yes, this is most disturbing.
>
> Would it be feasible to renew all your certificates? Because the current
> state looks messed up beyond reason :-)
>

Again, maybe. If the agents have in the past run successfully as root (as is more usual), then they will have certificates signed by the master and living in Puppet's normal system directory. If one then tries to run the agent on one or more of those machines, however, then just such a problem as is reported might arise.

Specifically, when running as an ordinary user, the agent cannot use the certificate that puppet-as-root uses, because it cannot access the corresponding private key. Instead, it creates its own key pair, and issues a certificate request to the master based on that public key. The master, on the other hand, already has a signed certificate for the node, which it returns to the agent (this is a feature). That certificate is indeed not based on the same key pair as the cert request, so the agent would emit exactly the message described.

John
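The key-pair mismatch described in this message can be confirmed by comparing the public key inside a certificate with the one derived from a private key. The script below is an added example, not part of the original post or of Puppet; the file names, the CN and the scratch directory are constructed, and a self-signed certificate stands in for the one the master signed.

```shell
#!/bin/sh
# Added example: does a certificate belong to a given private key?
# All paths and names below are constructed for the demonstration.

# SHA-256 of the DER-encoded public key contained in a PEM certificate.
cert_pubkey_hash() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null \
        | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a PEM private key.
key_pubkey_hash() {
    openssl pkey -in "$1" -pubout -outform DER 2>/dev/null \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Returns 0 only when both inputs are readable and the public keys are equal.
cert_matches_key() {
    [ -r "$1" ] && [ -r "$2" ] || return 1
    [ "$(cert_pubkey_hash "$1")" = "$(key_pubkey_hash "$2")" ]
}

# Recreate the situation: one certificate, the key it was issued for,
# and a second key generated later by a different user.
demo_mismatch() {
    dir=$(mktemp -d) || return 1
    # Stand-in for the key pair and signed certificate created as root.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=node.example.test" \
        -keyout "$dir/root_key.pem" -out "$dir/signed_cert.pem" 2>/dev/null
    # Stand-in for the fresh key pair generated under $HOME/.puppet.
    openssl genrsa -out "$dir/user_key.pem" 2048 2>/dev/null
    if cert_matches_key "$dir/signed_cert.pem" "$dir/root_key.pem"; then
        root_result=match; else root_result=mismatch; fi
    if cert_matches_key "$dir/signed_cert.pem" "$dir/user_key.pem"; then
        user_result=match; else user_result=mismatch; fi
    rm -rf "$dir"
    echo "root_key=$root_result user_key=$user_result"
}

demo_mismatch
```

On a real node, `cert_matches_key` would be pointed at the certificate the master returned and at the private key of the user the agent actually ran as.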
