On Tuesday, June 12, 2012 1:53:55 PM UTC-5, Scott Merrill wrote:
I built a test client, and from the top-level Puppet Master I ran
`puppet cert generate test.domain`. I installed the generated files
onto the test machine. However, this test client is unable to connect
to any of the subordinate Masters. I get the following error:

Could not prepare for execution: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint: CD:2C:44:54:40:B3:8A:A1:30:73:49:95:95:12:CD:54
To fix this, remove the certificate from both the master and the agent
and then start a puppet run, which will automatically regenerate a

The agent should expect to retrieve a certificate that matches its own
private key only as part of a certificate signing transaction. The error
therefore suggests that the agent does not recognize that it already has a
certificate, so that it issues a new CSR to the master. If the master
already had a signed certificate for the client, however, then it would
return that certificate instead of signing the new one (this prevents rogue
nodes from hijacking existing nodes' configuration). The existing
certificate would not match the private key of the client's newly-generated

[...] The error isn't a Puppet client
problem, because I get the same error when I run `openssl s_client
-connect hostX.domain:8140 -status`.

Surely openssl does not generate an *identical* message, because the one
you reported earlier contains puppet-specific bits. Do you mean that
openssl's message matches some part in the middle?

You could try adding a "-cert" argument pointing specifically to the client
certificate you installed. If that made the handshake succeed then it
would strongly suggest that your problem is related to how or where the
client cert is installed.

You could try adding a "-debug" argument. You'll get a lot of low-level
stuff you probably don't need, but you should also get enough information
to trace the SSL protocol steps being performed. That should show, I
think, whether the client is indeed issuing a new CSR to the server.

You could check the logs on the subordinate and top-level masters. One or
both should have something to say about the transaction.


You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/jlJkoEoHhCkJ.
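The key-versus-certificate check behind the error quoted above, as an added example that is not part of this thread: it generates throwaway keys and a certificate with the openssl CLI (assumed to be installed), reports whether a certificate's public key matches a given private key, and prints the MD5 fingerprint in the same colon-separated format Puppet shows, so the fingerprint in the error message can be tied to a file on disk.

```shell
#!/bin/sh
# Added example, not code from the thread. Reproduces the comparison behind
# "The certificate retrieved from the master does not match the agent's
# private key". Assumes the openssl CLI is installed; every key and cert
# below is constructed on the fly as test data, not a real Puppet SSL file.
set -eu

workdir=$(mktemp -d)
trap 'rm -rf "$workdir"' EXIT

# A key plus a self-signed cert issued for it (the matching pair), and a
# second, unrelated key standing in for a freshly regenerated agent key.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -subj "/CN=test.domain" \
  -keyout "$workdir/agent.key" -out "$workdir/agent.pem" >/dev/null 2>&1
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
  -out "$workdir/other.key" >/dev/null 2>&1

# cert_matches_key CERT KEY -> exit 0 if CERT carries KEY's public half.
# Both commands emit the SPKI public key in PEM form, so a byte-for-byte
# comparison is enough; Puppet's error fires exactly when this fails.
cert_matches_key() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$2" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# cert_fingerprint CERT -> colon-separated MD5 fingerprint, the format
# Puppet prints in the error, e.g. CD:2C:44:...
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'
}

if cert_matches_key "$workdir/agent.pem" "$workdir/agent.key"; then
  echo "agent.pem matches agent.key ($(cert_fingerprint "$workdir/agent.pem"))"
fi
if ! cert_matches_key "$workdir/agent.pem" "$workdir/other.key"; then
  echo "agent.pem does NOT match other.key: this is the condition Puppet reports"
fi
```

To diagnose a real agent, point cert_matches_key at the agent's own cert and private key under its ssldir and compare cert_fingerprint's output with the fingerprint in the error.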

Discussion overview: group puppet-users; posted Jun 12, '12 at 6:54p; active Jun 15, '12 at 2:44a