Hi,
I'm trying to get signing right and have come up with a weird situation.
Both master and client are running 3.6.2 (rpms from puppetlabs).
client config:
[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet-master
ca_server = puppet-master
report = true
# 2 mins.
runinterval = 120
factpath = /etc/facter/facts.d
pluginsync = true
environment = production
master:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl
reports = store
environmentpath = $confdir/environments
factpath = /etc/facter/facts.d
storeconfigs = true
storeconfigs_backend = puppetdb
client generates a cert fine:
Info: Creating a new SSL key for client
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client
Info: Certificate Request fingerprint (SHA256): D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
master gets it:
# puppet ca list
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
and has signed itself:
# puppet ca list --all
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
+ puppet-master (SHA256) 65:CE:54:5B:0A:93:5A:43:B4:D6:26:21:5C:99:F5:E9:3B:B3:59:98:4C:5C:84:24:A6:2D:06:C4:FC:DF:2F:A9
So I sign it:
# puppet ca sign client
Notice: Signed certificate request for client
Notice: Removing file Puppet::SSL::CertificateRequest client2.squiz.local at '/var/lib/puppet/ssl/ca/requests/client.pem'
"-----BEGIN CERTIFICATE-----\n....cert contents here....
Then the problems start:
# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: B5:2C:39:40:27:31:47:4F:89:A8:75:EB:8D:1C:16:B9:31:14:4D:BE:B3:DD:AB:81:0E:F4:E4:F2:73:CC:C1:B9
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
I've double checked my configs against a separate working install
(though that doesn't have puppetdb) and can't see anything obviously wrong.
I'm not sure where to start looking at this so thanks for any help.
--
Postgresql & php tutorials
http://www.designmagick.com/
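
The error quoted above says the retrieved certificate does not pair with the local private key. As an added example (not part of the original post), this script compares the public key inside a certificate with the one derived from a private key and prints the certificate's SHA256 fingerprint for comparison with the value in the error. The function names and the generated demo files are constructed for illustration; on the agent the inputs are assumed to be certs/client.pem and private_keys/client.pem under the ssldir, following Puppet's usual layout.

```shell
#!/bin/sh
# Added example: does this certificate belong to this private key?

# cert_matches_key CERT KEY
# Returns 0 if the public keys are identical, 1 if they differ,
# 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null </dev/null) || return 2
    [ -n "$cert_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint CERT
# Prints the SHA256 fingerprint as colon-separated hex, the same
# format Puppet shows in "Certificate fingerprint:".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# make_constructed_pair DIR
# Constructed sample data: a self-signed cert with its own key,
# plus an unrelated second key.
make_constructed_pair() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=client" \
        -keyout "$1/client.key" -out "$1/client.crt" >/dev/null 2>&1 &&
    openssl genrsa -out "$1/other.key" 2048 >/dev/null 2>&1
}

# demo: run the check against the constructed files and show the result codes.
demo() {
    tmp=$(mktemp -d) || return 2
    make_constructed_pair "$tmp" || { rm -rf "$tmp"; return 2; }
    echo "cert fingerprint: $(cert_fingerprint "$tmp/client.crt")"
    cert_matches_key "$tmp/client.crt" "$tmp/client.key"
    echo "cert vs its own key:      rc=$?"
    cert_matches_key "$tmp/client.crt" "$tmp/other.key"
    echo "cert vs an unrelated key: rc=$?"
    rm -rf "$tmp"
}

# With two arguments, check real files; with none, run the constructed demo.
if [ "$#" -eq 2 ]; then
    cert_matches_key "$1" "$2"
else
    demo
fi
```

A return code of 1 on the agent's real files means the stored certificate was issued for a different key pair than the one currently in private_keys.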