This seems to be fairly common, and I've tried master clean and client remove,

and even tried removing all master / client ssl files,

and restarted the puppetmaster.

Both client/server are running 2.7.14.

I did have master running 2.6.4 the first time I tried and I DID get the certificates recognized.
I ran into a problem and decided it was best that they were all running the same version.

But now, despite removing ssl/, it is still ignoring me.

the client sees:

sudo puppet agent --test server='blah.blah.com'
[sudo] password for crucial:
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

the master sees:

puppet master version 2.7.14
err: Removing mount files: /etc/puppet/files does not exist
info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL because none
were found in '/etc/puppet/auth.conf'
info: Inserting default '/status' (auth true) ACL because none were found
in '/etc/puppet/auth.conf'
info: Could not find certificate for 'crucial-systems.com'
info: Could not find certificate for 'crucial-systems.com'
info: Could not find certificate for 'crucial-systems.com'

but there are no certs waiting to be signed:

sudo puppet cert --list

I've tried generating manually on master:

sudo puppet cert generate crucial-systems.com

which interestingly enough says:

notice: crucial-systems.com has a waiting certificate request
notice: Signed certificate request for crucial-systems.com
notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com
at '/var/lib/puppet/ssl/ca/requests/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com
at '/var/lib/puppet/ssl/certificate_requests/crucial-systems.com.pem'

as though there was something waiting there

the client now fails because the certificate does not match

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for crucial-systems.com
err: Could not request certificate: The certificate retrieved from the
master does not match the agent's private key.
Certificate fingerprint: 7F:7C:65:E6:4B:46:92:BC:47:09:6D:60:F5:EE:96:57
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean crucial-systems.com
On the agent:
rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem
puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

try doing what I'm told and remove the master (the one just generated) and
the local files:

# master
sudo puppet cert clean crucial-systems.com
notice: Revoked certificate with serial 8
notice: Removing file Puppet::SSL::Certificate crucial-systems.com at
'/var/lib/puppet/ssl/ca/signed/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::Certificate crucial-systems.com at
'/var/lib/puppet/ssl/certs/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::Key crucial-systems.com at
'/var/lib/puppet/ssl/private_keys/crucial-systems.com.pem'

# client
sudo rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem

and I'm right back where I started: the master sees the request and just
ignores it, never stores any certificate request

thanks !



--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/ODbi_vxj_wIJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
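
The "does not match the agent's private key" error in the post above can be checked directly with openssl by comparing public keys. The script below is an added example, not part of the original post or of Puppet; the function names and the generated sample files are constructed for illustration. On an agent the inputs would be `/var/lib/puppet/ssl/certs/<certname>.pem` and `/var/lib/puppet/ssl/private_keys/<certname>.pem`, assuming the agent uses the same ssldir layout the master output shows.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a certificate or CSR
# carries the public key that belongs to a given private key.

# Print the public key (PEM) contained in a file of the given kind.
pubkey_of() {   # usage: pubkey_of cert|csr|key <file>
    case "$1" in
        cert) openssl x509 -in "$2" -noout -pubkey ;;
        csr)  openssl req  -in "$2" -noout -pubkey ;;
        key)  openssl pkey -in "$2" -pubout ;;
        *)    return 2 ;;
    esac 2>/dev/null
}

# Exit status: 0 = keys match, 1 = mismatch, 2 = a file could not be parsed.
matches_key() { # usage: matches_key cert|csr <file> <private-key-file>
    obj_pub=$(pubkey_of "$1" "$2") || return 2
    key_pub=$(pubkey_of key "$3")  || return 2
    [ -n "$obj_pub" ] || return 2
    [ "$obj_pub" = "$key_pub" ]
}

# Constructed sample data: an "agent" key with its self-signed certificate and
# CSR, plus an unrelated key standing in for one generated on another host.
make_samples() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=agent.example.test" \
        -keyout "$d/agent.key" -out "$d/agent.crt" 2>/dev/null &&
    openssl req -new -key "$d/agent.key" -subj "/CN=agent.example.test" \
        -out "$d/agent.csr" 2>/dev/null &&
    openssl genrsa -out "$d/other.key" 2048 2>/dev/null
}

SAMPLES=$(mktemp -d) && make_samples "$SAMPLES"

report() {
    if matches_key "$1" "$SAMPLES/$2" "$SAMPLES/$3"; then r="match"
    else r="no match (status $?)"; fi
    echo "$1 $2 vs $3: $r"
}
report cert agent.crt agent.key
report csr  agent.csr agent.key
report cert agent.crt other.key
```

The `csr` mode applies the same check to a pending request file, such as the one under `/var/lib/puppet/ssl/ca/requests/` named in the master's output.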


  • Felix at May 22, 2012 at 4:09 pm
    I've gotten it to work by removing the entire /var/lib/puppet/ssl on master
    and all clients.

    It seems quite finicky. More SSL errors now when I try to do any connection.

    On Tuesday, May 22, 2012 5:44:35 PM UTC+2, felix wrote:


    and even tried removing all master / client ssl files

Discussion Overview
group: puppet-users
categories: puppet
posted: May 22, '12 at 3:44p
active: May 22, '12 at 4:09p
posts: 2
users: 1
website: puppetlabs.com