Issue #19680 has been updated by Charlie Sharpsteen.
Target version deleted (3.1.0)
Keywords changed from "puppet ca cert certificate private key mismatch" to "ca cert certificate private_key mismatch"
Reproduced using current HEAD version of Puppet.
Spin up two VMs; on the puppetmaster, after boot, `puppet ca list --all` is
behaving:
<pre>
[root@puppetmaster ~]# puppet ca list --all
+ puppetmaster.boxnet (SHA256)
6B:C7:4F:2F:03:64:73:64:53:D2:E6:45:F1:54:F2:73:53:5B:96:05:6B:1B:4B:A8:1C:DA:8A:51:3B:7F:D0:6E
</pre>
Generate cert request on the agent:
<pre>
[root@puppetagent ~]# puppet agent -t --server=puppetmaster.boxnet
Info: Creating a new SSL key for puppetagent.boxnet
Info: Caching certificate for ca
Info: Creating a new SSL certificate request for puppetagent.boxnet
Info: Certificate Request fingerprint (SHA256):
02:18:6A:6E:E6:2D:FF:1B:9F:6B:22:7C:1C:1D:84:2C:16:66:1E:34:52:8F:EB:58:AC:55:90:D9:04:1C:B8:8A
Exiting; no certificate found and waitforcert is disabled
</pre>
Everything still ok on the master:
<pre>
[root@puppetmaster ~]# puppet ca list --all
puppetagent.boxnet (SHA256)
02:18:6A:6E:E6:2D:FF:1B:9F:6B:22:7C:1C:1D:84:2C:16:66:1E:34:52:8F:EB:58:AC:55:90:D9:04:1C:B8:8A
+ puppetmaster.boxnet (SHA256)
6B:C7:4F:2F:03:64:73:64:53:D2:E6:45:F1:54:F2:73:53:5B:96:05:6B:1B:4B:A8:1C:DA:8A:51:3B:7F:D0:6E
</pre>
Sign the request, everything not ok:
<pre>
[root@puppetmaster ~]# puppet cert sign puppetagent.boxnet
Notice: Signed certificate request for puppetagent.boxnet
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.boxnet at
'/var/lib/puppet/ssl/ca/requests/puppetagent.boxnet.pem'
[root@puppetmaster ~]# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's
private key.
Certificate fingerprint:
B1:00:2F:8D:2F:EF:0E:33:AF:CA:71:34:37:D6:C8:5D:DE:72:AE:B2:F9:86:F1:99:17:F7:34:B9:88:13:F0:FC
To fix this, remove the certificate from both the master and the agent and then
start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean puppetmaster.boxnet
On the agent:
rm -f /var/lib/puppet/ssl/certs/puppetmaster.boxnet.pem
puppet agent -t
Error: Try 'puppet help ca list' for usage
</pre>
As reported, `puppet cert list --all` still works:
<pre>
[root@puppetmaster signed]# puppet cert list --all
+ "puppetagent.boxnet" (SHA256)
B1:00:2F:8D:2F:EF:0E:33:AF:CA:71:34:37:D6:C8:5D:DE:72:AE:B2:F9:86:F1:99:17:F7:34:B9:88:13:F0:FC
+ "puppetmaster.boxnet" (SHA256)
6B:C7:4F:2F:03:64:73:64:53:D2:E6:45:F1:54:F2:73:53:5B:96:05:6B:1B:4B:A8:1C:DA:8A:51:3B:7F:D0:6E
(alt names: "DNS:puppet", "DNS:puppet.boxnet", "DNS:puppetmaster.boxnet")
</pre>
----------------------------------------
Bug #19680: puppet ca list --all fails with "Error: The certificate retrieved
from the master does not match the agent's private key."
https://projects.puppetlabs.com/issues/19680#change-86873
Author: Deven Phillips
Status: Investigating
Priority: Normal
Assignee: Andrew Parker
Category: SSL
Target version:
Affected Puppet version: 3.1.0
Keywords: ca cert certificate private_key mismatch
Branch:
On my puppetmaster server (using Apache, PhusionPassenger, puppet 3.1.0-1 on
Debian Squeeze), attempting to run "puppet ca list --all" fails with:
Error: The certificate retrieved from the master does not match the agent's
private key.
Certificate fingerprint: [[REDACTED]]
To fix this, remove the certificate from both the master and the agent and
then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean [[REDACTED]]
On the agent:
rm -f /etc/puppet/ssl/certs/[[REDACTED]].pem
puppet agent -t
Error: Try 'puppet help ca list' for usage
I have used "openssl x509 -in /path/to/cert.pem -fingerprint -md5 -noout" to
check the fingerprints on all certs and they DO match.
Additionally, running "puppet cert list --all" works without issue.
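Added example, not code from the bug report or from Puppet itself: a short Ruby script using the OpenSSL bindings that performs the two checks this report revolves around. It tests whether a certificate's public key was derived from a given private key (assumed here to be the same kind of check, OpenSSL's `check_private_key`, that lies behind the "does not match the agent's private key" error) and prints the colon-separated SHA256 fingerprint in the style of `puppet ca list`. The two keys and the self-signed certificate are constructed inside the script, and `puppetagent.example` is a placeholder name; point `diagnose` at real PEM files under the ssldir to check a live master or agent.

```ruby
require 'openssl'

# Colon-separated fingerprint over the DER encoding, as `puppet ca list` prints it.
# Puppet shows SHA256; an `openssl x509 -fingerprint -md5` value is a different
# digest of the same bytes, so compare like with like.
def fingerprint(cert, digest = OpenSSL::Digest::SHA256)
  digest.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# True only if the certificate's public key belongs to this private key.
def cert_matches_key?(cert, key)
  cert.check_private_key(key)
end

# Build a self-signed certificate for a key (constructed sample data).
def make_self_signed(name, key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Load a cert and key from PEM text and report whether they pair up.
def diagnose(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey::RSA.new(key_pem)
  if cert_matches_key?(cert, key)
    "ok: certificate #{fingerprint(cert)} matches this private key"
  else
    "mismatch: certificate #{fingerprint(cert)} was not issued for this private key"
  end
end

# Constructed sample: KEY_A signed into a cert, KEY_B is an unrelated key.
KEY_A = OpenSSL::PKey::RSA.new(2048)
KEY_B = OpenSSL::PKey::RSA.new(2048)
CERT_A = make_self_signed('puppetagent.example', KEY_A)

if __FILE__ == $0
  puts diagnose(CERT_A.to_pem, KEY_A.to_pem)   # ok: ...
  puts diagnose(CERT_A.to_pem, KEY_B.to_pem)   # mismatch: ...
  # Against a real install, e.g.:
  # puts diagnose(File.read('/var/lib/puppet/ssl/certs/HOST.pem'),
  #               File.read('/var/lib/puppet/ssl/private_keys/HOST.pem'))
end
```

The useful detail for a report like this one is that matching fingerprints across copies of the same certificate says nothing about the private key; only the pairing check does, so run both when the error appears.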