I had this issue as well. To get around it you can pass an extra option: 
--certname <NAME>  

This way it won't try to use your current host's FQDN as the certname 
(which will fail if it's already registered with the CA).

So, e.g.

puppet certificate generate treydock --certname treydock <rest of options>

On Tuesday, March 25, 2014 at 6:58:46 PM UTC-4, treydock wrote:
>
> Following the mcollective documentation [1] for adding clients to execute 
> mco commands when using SSL I am getting an error executing the 'puppet 
> certificate generate' command as my user account.  I feel like I'm missing 
> something very obvious here.
>
> $ puppet certificate generate treydock --ssldir 
> ~/.mcollective.d/credentials --ca-location remote --ca_server 
> puppet.<DOMAIN>
> Error: The certificate retrieved from the master does not match the 
> agent's private key.
> Certificate fingerprint: 
> E3:EA:FA:AD:68:53:D8:AF:DB:63:C9:2A:89:CC:68:AA:4F:B2:35:F6:9F:8C:E0:3C:3F:56:D5:1F:41:45:0D:53
> To fix this, remove the certificate from both the master and the agent and 
> then start a puppet run, which will automatically regenerate a certficate.
> On the master:
>   puppet cert clean login3.<DOMAIN>
> On the agent:
>   rm -f /home/treydock/.mcollective.d/credentials/certs/login3.<DOMAIN>.pem
>   puppet agent -t
>
> Error: Try 'puppet help certificate generate' for usage
>
> This happens from all my systems.
>
> The host 'login3' puppet.conf (comments removed):
>
> $ cat /etc/puppet/puppet.conf
> [main]
>     logdir = /var/log/puppet
>     rundir = /var/run/puppet
>     ssldir = $vardir/ssl
>     privatekeydir = $ssldir/private_keys { group = service }
>     hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
>     autosign       = $confdir/autosign.conf { mode = 664 }
>
> [agent]
>     classfile = $vardir/classes.txt
>     localconfig = $vardir/localconfig
>     default_schedules = false
>
>     report        = true
>     pluginsync    = true
>     masterport    = 8140
>     environment   = production
>     certname      = login3.brazos.tamu.edu
>     server        = puppet.brazos.tamu.edu
>     listen        = false
>     splay         = false
>     runinterval   = 3600
>     noop          = true
>     show_diff     = true
>     configtimeout = 120
>
> Thanks
> - Trey
>
> [1] - 
> http://docs.puppetlabs.com/mcollective/deploy/standard.html#managing-client-credentials
>
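
The error quoted above means the certificate stored under the ssldir carries a different public key than the local private key. As an added example (not from this thread and not Puppet's own code), the script below uses openssl to compare the two for every certificate in an ssldir such as ~/.mcollective.d/credentials; the function names and the skipping of certs/ca.pem are assumptions.

```shell
#!/bin/sh
# Added example: check each certificate in a Puppet-style ssldir against
# its private key. Layout taken from the thread:
#   <ssldir>/certs/<certname>.pem and <ssldir>/private_keys/<certname>.pem

# PEM-encoded public key embedded in a certificate.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# PEM-encoded public key derived from a private key.
pubkey_of_key() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 if the cert and key share a public key, 1 if they differ,
# 2 if either file cannot be parsed.
cert_matches_key() {
    c=$(pubkey_of_cert "$1") || return 2
    k=$(pubkey_of_key "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Walk an ssldir and report MATCH / MISMATCH / NOKEY per certname.
# Returns 1 if any certificate lacks a matching private key.
check_ssldir() {
    ssldir=$1
    status=0
    for cert in "$ssldir"/certs/*.pem; do
        if [ ! -e "$cert" ]; then continue; fi
        name=$(basename "$cert" .pem)
        # Assumption: certs/ca.pem is the CA certificate; a client holds no key for it.
        if [ "$name" = "ca" ]; then continue; fi
        key="$ssldir/private_keys/$name.pem"
        if [ ! -f "$key" ]; then
            echo "NOKEY $name"; status=1
        elif cert_matches_key "$cert" "$key"; then
            echo "MATCH $name"
        else
            echo "MISMATCH $name"; status=1
        fi
    done
    return $status
}

# Usage: sh check_ssldir.sh ~/.mcollective.d/credentials
if [ $# -gt 0 ]; then check_ssldir "$1"; fi
```

A MISMATCH line for the host's FQDN is the situation the error message describes: the CA returned the certificate it already holds for that name, signed for a different key.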
