Ok, I'm new to puppet, but I've got everything working for my setup.
Almost.
I'm trying to set up a new server, using cobbler, and then puppet.
CentOS 6.2
Puppet 2.7.11
Cobbler 2.0.11
I have things set up so I can use kickstart to install the server on
boot. It installs puppet and facter from the puppetlabs repos, and the
snippets $SNIPPET('puppet_install_if_enabled') and
$SNIPPET('puppet_register_if_enabled') are called in the %post section.
I have the puppet server set up to autosign (for now).
When the %post part of the kickstart install is run, I see the machine
connecting to the puppetmaster, and it sets up the credentials:
info: Could not find certificate for 'client.domain.com'
info: Could not find certificate_request for 'client.domain.com'
notice: client.domain.com has a waiting certificate request
notice: Signed certificate request for client.domain.com
notice: Removing file Puppet::SSL::CertificateRequest client.domain.com at '/var/lib/puppet/ssl/ca/requests/client.domain.com.pem'
But when I reboot the machine, if I try to run puppetd again manually,
I'm getting a private key error:
puppetd --server puppet.domain.com --test --waitforcert 15
err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: E5:B1:52:B2:DC:DE:8C:DE:A7:AF:ED:19:C8:E3:F5:12
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean client.domain.com
On the agent:
rm -f /var/lib/puppet/ssl/certs/client.domain.com.pem
puppet agent -t
If I do what it says, then puppet gets new certs (I guess that's what
it's doing) and everything works fine.
But I cannot figure out why that is required. What is going wrong?
Shouldn't it be able to come up and work without jumping through these
extra hoops?
Tom
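
Added example, not part of the original post: one way to confirm on the agent what the error above reports, by comparing the public key inside the signed certificate with the one derived from the private key on disk. The `private_keys/` directory, the `SSLDIR` variable and the function names are assumptions, following the `/var/lib/puppet/ssl` layout visible in the post.

```shell
#!/bin/sh
# Added example: does the signed certificate on an agent belong to the
# private key that is on disk now?
# Assumption: Puppet's default ssldir layout (certs/ and private_keys/).
SSLDIR="${SSLDIR:-/var/lib/puppet/ssl}"

# Public key embedded in a certificate, as PEM.
cert_pubkey() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# Public key derived from a private key, as PEM (same encoding as above).
key_pubkey() { openssl pkey -in "$1" -pubout 2>/dev/null; }

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(cert_pubkey "$1") || return 2
    key_pub=$(key_pubkey "$2") || return 2
    [ -n "$cert_pub" ] && [ -n "$key_pub" ] || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# Check one agent by certname and report what was found.
check_agent() {
    certname="$1"
    cert="$SSLDIR/certs/$certname.pem"
    key="$SSLDIR/private_keys/$certname.pem"
    [ -r "$cert" ] || { echo "ERROR: no certificate at $cert"; return 2; }
    [ -r "$key" ] || { echo "ERROR: no private key at $key"; return 2; }
    rc=0
    cert_matches_key "$cert" "$key" || rc=$?
    case "$rc" in
        0) echo "OK: certificate for $certname matches the private key" ;;
        1) echo "MISMATCH: $cert was not issued for $key" ;;
        *) echo "ERROR: could not parse $cert or $key" ;;
    esac
    return "$rc"
}

# Usage: sh check_cert.sh client.domain.com
if [ "$#" -gt 0 ]; then
    check_agent "$1"
fi
```

The exit status is 0 for a match, 1 for a mismatch and 2 when a file is missing or unparsable. Running the check at the end of %post and again after the first boot shows at which point the key and the certificate stop agreeing.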