I'm trying to generate a CA certificate that will be used on multiple
puppet masters, accessed by round robin DNS.

The individual nodes have their own hostnames and the round robin name
is puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin
domain name for Bristol university is historical, and a total pain).

However I'm having trouble with puppet ca as follows:

[jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk
Error: puppet ca generate takes 1 argument, but you gave 0
Error: Try 'puppet help ca generate' for usage

[jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk
Error: The certificate retrieved from the master does not match the
agent's private key.
To fix this, remove the certificate from both the master and the agent
and then start a puppet run, which will automatically regenerate a
certficate.
On the master:
puppet cert clean puppet1.resnet.bris.ac.uk
On the agent:
rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
puppet agent -t

[jg4461@puppet1 ~]$ puppet --version
3.0.1


Am I doing something wrong, or is something broken?

Thanks,
Jonathan

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Jeff McCune at Oct 23, 2012 at 4:14 pm

    On Tue, Oct 23, 2012 at 2:24 AM, Jonathan Gazeley wrote:

    > I'm trying to generate a CA certificate that will be used on multiple
    > puppet masters, accessed by round robin DNS.
    >
    > The individual nodes have their own hostnames and the round robin name is
    > puppet.resnet.bris.ac.uk or puppet.resnet.bristol.ac.uk (the twin domain
    > name for Bristol university is historical, and a total pain).
    >
    > However I'm having trouble with puppet ca as follows:
    >
    > [jg4461@puppet1 ~]$ sudo puppet ca generate --dns_alt_names puppet.resnet.bris.ac.uk
    > Error: puppet ca generate takes 1 argument, but you gave 0
    > Error: Try 'puppet help ca generate' for usage

    This command adds "puppet.resnet.bris.ac.uk" to the x.509 alternate names
    field, but Puppet is still expecting the value of the common name. If the
    common name is "foo.resnet.bris.ac.uk" then try the command: sudo puppet ca
    generate --dns_alt_names puppet.resnet.bris.ac.uk foo.resnet.bris.ac.uk.

    > [jg4461@puppet-1 ~]$ sudo puppet ca generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk

    Did you mean to have a space between the comma and the next word here?

    > Error: The certificate retrieved from the master does not match the
    > agent's private key.

    This error happens when the CSR you're trying to sign already has a signed
    certificate. In this scenario, Puppet does not sign the CSR and instead
    simply returns the already present certificate.

    > To fix this, remove the certificate from both the master and the agent and
    > then start a puppet run, which will automatically regenerate a certficate.
    > On the master:
    > puppet cert clean puppet1.resnet.bris.ac.uk
    > On the agent:
    > rm -f /var/lib/puppet/ssl/certs/puppet1.resnet.bris.ac.uk.pem
    > puppet agent -t
    >
    > [jg4461@puppet1 ~]$ puppet --version
    > 3.0.1
    >
    > Am I doing something wrong, or is something broken?

    It doesn't seem like anything is broken beyond the normal difficulties with
    x.509 certificates. It just seems like there's an already existing
    certificate named "puppet1.resnet.bris.ac.uk".

    Hope this helps,
    -Jeff

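
Why the command lines in this thread are received so differently, as an added example that is not part of either post and not Puppet code: a generic getopt-style model (an assumption, not Puppet's own option parser) of what a program sees once the shell has split each command line into words. The function name `parse_ca_generate` and its output format are made up for illustration.

```shell
# Added example: a generic getopt-style model, not Puppet's own option parser.
# It reports what a program receives after the shell has split the command
# line into words, for the option forms used in the thread.
parse_ca_generate() {
    alt="" certname="" npos=0 warn=""
    while [ "$#" -gt 0 ]; do
        case "$1" in
            --dns_alt_names=*)      # --opt=value form: value is in the same word
                alt="${1#--dns_alt_names=}" ;;
            --dns_alt_names)        # --opt value form: value is the next word
                shift
                if [ "$#" -gt 0 ]; then alt="$1"; fi ;;
            *)                      # anything else is a positional argument
                npos=$((npos + 1))
                if [ "$npos" -eq 1 ]; then certname="$1"; fi ;;
        esac
        if [ "$#" -gt 0 ]; then shift; fi
    done
    # A value ending in "," means the shell split the name list at a space,
    # so the second name arrived as a separate word.
    case "$alt" in
        *,) warn=" warn=alt-name-list-split-at-space" ;;
    esac
    printf 'positional=%s certname=%s alt_names=%s%s\n' \
        "$npos" "$certname" "$alt" "$warn"
}

# Command lines from the thread (the words after "puppet ca generate").
parse_ca_generate --dns_alt_names puppet.resnet.bris.ac.uk
parse_ca_generate --dns_alt_names=puppet.resnet.bris.ac.uk, puppet.resnet.bristol.ac.uk
parse_ca_generate --dns_alt_names puppet.resnet.bris.ac.uk foo.resnet.bris.ac.uk
# Both round robin names in one word, with the placeholder common name
# foo.resnet.bris.ac.uk from the reply as the single positional argument.
parse_ca_generate \
    --dns_alt_names=puppet.resnet.bris.ac.uk,puppet.resnet.bristol.ac.uk \
    foo.resnet.bris.ac.uk
```

In this model the first command leaves no positional argument, which matches the "takes 1 argument, but you gave 0" error, and the second turns the name after the space into the positional argument instead of a second alternate name.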

Discussion Overview
group: puppet-users
categories: puppet
posted: Oct 23, '12 at 9:24a
active: Oct 23, '12 at 4:14p
posts: 2
users: 2
website: puppetlabs.com
