I've been banging my head against the wall with this one. Probably a simple fix but I'm not seeing it at the moment.
I have a proof of concept setup in our lab where I have a central Foreman/Puppet server. The Puppet server on the Foreman box has the responsibility of keeping things straight on subordinate "remote servers" that in production will be located in the same data center as the client base they will serve. To get the POC remote server set up I manually load the Puppet client software on the host (later it will come pre-loaded on a VM template) and I run the Puppet client manually. That first run is all about the certs and getting the Foreman ENC aware of the host. After adding a couple of config groups to the host, next we run puppet agent -t-test --server=<foreman host fqdn> and all the configuration files get loaded, and then things go sideways. The Puppet Master daemon will not run on the host. What I'm seeing in /var/log/messages is as follows:

Feb 18 19:48:20 <hostname> puppet-master[32593]: Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Feb 18 19:48:20 <hostname> puppet-master[32593]: Certificate fingerprint: BC:0C:19:83:62:F8:A6:AD:ED:85:B7:19:B6:AD:75:FE:36:62:D7:43:C9:5B:76:64:E8:A1:F5:C1:FE:1F:39:21
Feb 18 19:48:20 <hostname> puppet-master[32593]: To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
Feb 18 19:48:20 <hostname> puppet-master[32593]: On the master:
Feb 18 19:48:20 <hostname> puppet-master[32593]:   puppet cert clean <agent host FQDN>
Feb 18 19:48:20 <hostname> puppet-master[32593]: On the agent:
Feb 18 19:48:20 <hostname> puppet-master[32593]:   1a. On most platforms: find /var/lib/puppet/ssl -name <agent host FQDN> -delete
Feb 18 19:48:20 <hostname> puppet-master[32593]:   1b. On Windows: del "/var/lib/puppet/ssl/<agent host FQDN>.pem" /f
Feb 18 19:48:20 <hostname> puppet-master[32593]:   2. puppet agent -t

Here is my puppet.conf (sanitized) from my client system:

[main]
# The Puppet log directory.
# The default value is '$vardir/log'.
logdir = /var/log/puppet

# Where Puppet PID files are kept.
# The default value is '$vardir/run'.
rundir = /var/run/puppet

# Where SSL certificates are kept.
# The default value is '$confdir/ssl'.
ssldir = $vardir/ssl

# Allow services in the 'puppet' group to access key (Foreman + proxy)
privatekeydir = $ssldir/private_keys { group = service }
hostprivkey = $privatekeydir/$certname.pem { mode = 640 }

# Puppet 3.0.x requires this in both [main] and [master] - harmless on agents
autosign = $confdir/autosign.conf { mode = 664 }

show_diff = false
hiera_config = $confdir/hiera.yaml

### Next part of the file is managed by a different template ###
## Module: 'puppet'

[agent]
# The file in which puppetd stores a list of the classes
# associated with the retrieved configuration. Can be loaded in
# the separate ``puppet`` executable using the ``--loadclasses``
# option.
# The default value is '$statedir/classes.txt'.
classfile = $vardir/classes.txt

# Where puppetd caches the local configuration. An
# extension indicating the cache format is added automatically.
# The default value is '$confdir/localconfig'.
localconfig = $vardir/localconfig

# Disable the default schedules as they cause continual skipped
# resources to be displayed in Foreman - only for Puppet >= 3.4
default_schedules = false

report = true
pluginsync = true
masterport = 8140
environment = production
certname = <agent host fqdn>
server = <puppet host fqdn>
listen = false
splay = false
splaylimit = 1800
runinterval = 1800
noop = false
configtimeout = 600

[master]
storeconfigs = true
storeconfigs_backend = puppetdb
autosign = $confdir/autosign.conf { mode = 664 }
reports = foreman
external_nodes = /etc/puppet/node.rb
node_terminus = exec
ca = true
ssldir = /var/lib/puppet/ssl
certname = <agent host FQDN>
strict_variables = false
environmentpath = /etc/puppet/environments
basemodulepath = /etc/puppet/environments/common:/etc/puppet/modules:/usr/share/puppet/modules

Just to be clear: <puppet host FQDN> is the central Foreman/Puppet Master's FQDN, not the FQDN of the agent host where a "remote" Puppet master is trying to start.

Thoughts? Am I going about this wrong?

--
Peter L. Berghold
salty.cowd...@gmail.com
http://blog.berghold.net
http://science-fiction.berghold.net

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CAArvnv2aEVJ3Zoq06Ose-6SCFNsqjJ9f%3D%3DvZR46%3DFFubJ9K9sg%40mail.gmail.com.
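An added example, not from the original post: a small shell check, built on openssl, that reports whether a Puppet host's certificate really carries the public key of the private key sitting next to it, which is the condition the puppet-master error above is about, so you can confirm which of the two files is wrong before cleaning anything on the master. The paths assume the ssldir layout from the puppet.conf above (/var/lib/puppet/ssl/certs and /var/lib/puppet/ssl/private_keys); both are parameters.

```shell
#!/bin/sh
# Compare the public key inside an X.509 certificate with the public key
# derived from a private key. Puppet refuses to start when these differ.

# Print a SHA-256 fingerprint of the public key embedded in a certificate.
cert_pubkey_fp() {
    pub=$(openssl x509 -noout -pubkey -in "$1") || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Print a SHA-256 fingerprint of the public key derived from a private key.
key_pubkey_fp() {
    pub=$(openssl pkey -pubout -in "$1") || return 1
    printf '%s\n' "$pub" | openssl sha256
}

# Usage: puppet_ssl_pair_matches <cert.pem> <private_key.pem>
# Exit status: 0 = pair matches, 1 = mismatch, 2 = a file is missing/unparsable.
puppet_ssl_pair_matches() {
    cert="$1"
    key="$2"
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    c=$(cert_pubkey_fp "$cert") || return 2
    k=$(key_pubkey_fp "$key") || return 2
    [ "$c" = "$k" ]
}

# Convenience wrapper for the layout in the post's puppet.conf (assumed paths).
# Usage: check_puppet_agent_certs [<fqdn>] [<ssldir>]
check_puppet_agent_certs() {
    fqdn="${1:-$(hostname -f)}"
    ssldir="${2:-/var/lib/puppet/ssl}"
    cert="$ssldir/certs/$fqdn.pem"
    key="$ssldir/private_keys/$fqdn.pem"
    if puppet_ssl_pair_matches "$cert" "$key"; then
        echo "OK: $cert matches $key"
    else
        echo "PROBLEM: $cert does not match $key (or a file is unreadable)" >&2
        return 1
    fi
}
```

Run check_puppet_agent_certs on the host that logs the error; if the pair matches locally, the stale copy is on the master side (the cert it hands back was signed for a different key), which is what puppet cert clean addresses.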