Jake
The behavior in 2.7 when running the master with
--allow_duplicate_certs set is the same as in 2.6.x in that you can
manually (using something like curl or the new 'puppet certificate'
face) generate multiple certs with the same CN, but the agent errors
the same way regardless of the puppet version.  I've updated ticket
#3360 with more detail.  That ticket is currently closed and should
probably stay that way.

I opened two new tickets, #7109 and #7110, to address the confusion
with how the agent connects to the master when --allow_duplicate_certs
is set.  We should decide what the desired behavior is with an agent,
and improve the error message that comes back.  More detail in both
those tickets.

Thanks for testing out 2.7rc1.
Matt

On Thu, Apr 14, 2011 at 10:52 AM, Jake - USPS <jacob.m.mcc...@usps.gov> wrote:
> Test results posted, you may have posted shortly after I did.  ;)
>
> We are using SLES 10.  I'm not exactly sure what other information you
> want ... here are some of the relevant packages we have installed:
>
> usps-augeas-0.7.4-1.sles10
> usps-ruby-gem-test-unit-2.1.2-1.sles10
> usps-ruby-augeas-0.3.0-1.sles10
> usps-puppet-dashboard-1.1.0.3-1.sles10
> usps-ruby-1.8.7-1.sles10
> usps-ruby-gem-rake-0.8.7-1.sles10
> usps-ruby-gem-rack-1.2.1-1.sles10
> usps-ruby-gem-passenger-3.0.2-1.sles10
> usps-ruby-gem-sys-admin-1.5.4-1.sles10
> usps-ruby-gem-mysql-2.8.1-1.sles10
> usps-rubygems-1.4.1-1.sles10
> usps-facter-1.5.8-1.sles10
> usps-puppetmaster-2.7.0.1-1.sles10
>
> We are running the puppetmaster through passenger, although my tests
> above are running it as you told me.  If you want anything else, just
> let me know.
>
> Thanks for checking this out,
> Jake
>
> On Apr 14, 12:45 pm, Dominic Maraglia <domi...@puppetlabs.com> wrote:
>> Jake,
>>
>> We are investigating additional use cases for "allow_duplicate_certs"
>> functionality; stay tuned for more information on this topic.
>>
>> In the meantime, we'd be very interested in your test results, and a bit
>> of information about your platform would be much appreciated as well.
>>
>> Cheers,
>> Dominic
>>
>> On 4/14/11 10:33 AM, Jake - USPS wrote:
>>
>> > I can give that a try ... does that mean I wouldn't be able to use
>> > passenger like I currently am to get this to work?
>>
>> > I'll let you know of my results shortly.
>>
>> > Regards,
>> > Jake
>>
>> > On Apr 14, 11:35 am, Dominic Maraglia<domi...@puppetlabs.com>  wrote:
>> >> Jake,
>>
>> >> Can you please try the following steps and see if this allows you to use
>> >> duplicate certs?
>>
>> >> On your Puppet Master node:
>>
>> >> - Stop the Puppet Master daemon.
>> >> - Restart your Puppet Master as follows:
>> >> puppet master --allow_duplicate_certs --certdnsnames="puppet:$(hostname -s):$(hostname -f)" --verbose --noop
>>
>> >> On a Puppet Agent node:
>>
>> >> - Generate a cert:
>> >> puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master
>>
>> >> - Generate a second cert :
>> >> puppet certificate generate `hostname` --ca-location remote --server Name_of_Puppet_Master
>>
>> >> I would be quite interested to know the outcome of these steps.
>>
>> >> Cheers,
>>
>> >> Dominic Maraglia
>>
>> >> On 4/14/11 7:37 AM, Jake - USPS wrote:
>>
>> >>> I saw this feature became available in 2.7.0rc1 and wanted to try it
>> >>> out.  I entered 'allow_duplicate_certs = true' on both my master and
>> >>> agent systems in the puppet.conf (not sure if it's needed in both, saw
>> >>> it in genconf for puppetd and puppetmasterd though ...).  I also have
>> >>> autosign.conf configured to allow autosigning for our domain
>> >>> (*.domain.com).  I had my agent register with the master for the first
>> >>> time, works good (always has ;).  Now on my agent I removed the ssl
>> >>> directory.  Do another test run, it generates new certs on the agent
>> >>> system and tries to communicate with the master.  I then receive the
>> >>> following error on the agent:
>> >>> info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
>> >>> info: /File[/etc/puppet/ssl]: Scheduling refresh of (completed_/etc/puppet/ssl)
>> >>> notice: /Whit[completed_/etc/puppet/ssl]: Triggered 'refresh' from 1 events
>> >>> info: /File[/etc/puppet/ssl/private]: Scheduling refresh of (completed_/etc/puppet/ssl/private)
>> >>> notice: /Whit[completed_/etc/puppet/ssl/private]: Triggered 'refresh' from 1 events
>> >>> info: /File[/etc/puppet/ssl/certs]: Scheduling refresh of (completed_/etc/puppet/ssl/certs)
>> >>> info: /File[/etc/puppet/ssl/certificate_requests]: Scheduling refresh of (completed_/etc/puppet/ssl/certificate_requests)
>> >>> notice: /Whit[completed_/etc/puppet/ssl/certificate_requests]: Triggered 'refresh' from 1 events
>> >>> info: /File[/etc/puppet/ssl/private_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/private_keys)
>> >>> notice: /Whit[completed_/etc/puppet/ssl/private_keys]: Triggered 'refresh' from 1 events
>> >>> info: /File[/etc/puppet/ssl/public_keys]: Scheduling refresh of (completed_/etc/puppet/ssl/public_keys)
>> >>> notice: /Whit[completed_/etc/puppet/ssl/public_keys]: Triggered 'refresh' from 1 events
>> >>> notice: /Whit[completed_/etc/puppet/ssl/certs]: Triggered 'refresh' from 1 events
>> >>> info: Creating a new SSL key for XXX
>> >>> warning: peer certificate won't be verified in this SSL session
>> >>> info: Caching certificate for ca
>> >>> warning: peer certificate won't be verified in this SSL session
>> >>> info: Caching certificate for XXX
>> >>> err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
>> >>> Exiting; failed to retrieve certificate and waitforcert is disabled
>> >>> I guess I was expecting for this to work fine when
>> >>> 'allow_duplicate_certs = true'.  Maybe I misconfigured something?
>> >>> Maybe I'm misunderstanding how allow_duplicate_certs behaves?
>> >>> Thanks!
>> >>> Jake

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

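An added example, written for this page and not Puppet's code or anything posted in the thread, that replays the failure Jake hit using a throwaway CA built with Ruby's OpenSSL bindings. The CA name, the agent name agent.example.com, the serial numbers and the master_certs hash (standing in for the master's certs directory, keyed by CN) are all constructed here; the comparison in cert_matches_key? is an assumed stand-in for the agent-side check behind "Retrieved certificate does not match private key", not Puppet's implementation. It also goes one step past the thread: it signs a second cert for the same CN (what --allow_duplicate_certs permits on the master) and shows that only the cert signed over the agent's current key passes, so a duplicate CN on the master does not by itself help an agent that has thrown away its key.

```ruby
require 'openssl'

# Throwaway CA, constructed for this example (not a real Puppet CA).
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: example-ca')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Sign an agent certificate for +cn+ over +agent_key+; the serial is the only
# field that has to differ between two certs issued for the same CN.
def sign_agent_cert(ca_key, ca_cert, agent_key, cn, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = agent_key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# The agent-side check (assumed, not Puppet's code): does the certificate the
# master handed back embed the public half of the key the agent holds now?
def cert_matches_key?(cert, key)
  cert.public_key.to_pem == key.public_key.to_pem
end

# Replay the thread's scenario; returns a hash so each outcome can be inspected.
def replay_duplicate_cert_scenario(cn = 'agent.example.com')
  ca_key, ca_cert = make_ca
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  master_certs = {} # stands in for the master's certs directory, keyed by CN

  # First run: the agent generates key 1 and the master signs and keeps a cert.
  key1 = OpenSSL::PKey::RSA.new(2048)
  master_certs[cn] = sign_agent_cert(ca_key, ca_cert, key1, cn, 2)

  # The agent wipes its ssl directory and generates key 2, then asks the master
  # for "its" certificate by CN and gets back the cert signed over key 1.
  key2 = OpenSSL::PKey::RSA.new(2048)
  stale = master_certs[cn]

  # What --allow_duplicate_certs permits on the master: a second cert for the
  # same CN, this time signed over key 2, with a fresh serial.
  fresh = sign_agent_cert(ca_key, ca_cert, key2, cn, 3)

  {
    stale_chains_to_ca: store.verify(stale),
    stale_matches_key1: cert_matches_key?(stale, key1),
    stale_matches_key2: cert_matches_key?(stale, key2), # the thread's error
    fresh_matches_key2: cert_matches_key?(fresh, key2),
    same_cn: stale.subject.eql?(fresh.subject),
    same_serial: stale.serial == fresh.serial
  }
end

if __FILE__ == $PROGRAM_NAME
  replay_duplicate_cert_scenario.each { |k, v| puts "#{k}: #{v}" }
end
```

The stale cert still chains to the CA and still matches key 1, so nothing about it is invalid; it simply was not issued over the key the agent now holds, which is exactly the mismatch the agent refuses. Whether the master should hand the agent a fresh cert for an existing CN, or reject it, is the behavior question the tickets above leave open.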