So I've cracked the initial problem and I can deploy an instance and auto configure puppet but I am still missing something, possibly a conceptual misunderstanding on my part.
I spin up an aws instance with : puppet node_aws bootstrap --image ami-e1e8d395 --keyname puppet --login ubuntu --keyfile ~puppet.pem --puppetagent-certname new_certname_1 --region=eu-west-1 --type t1.micro -g webserver --server mypuppetserver.somewhere.com This fails with : notice: Waiting for SSH response ... Done notice: Installing Puppet ... notice: Puppet is now installed on: blahblah.eu-west-1.compute.amazonaws.com notice: No classification method selected notice: Signing certificate ... err: Signing certificate ... Failed err: Signing certificate error: Could not render to pson: The certificate retrieved from the master does not match the agent's private key. Certificate fingerprint: 35:39:B7:DD:19:0E:7A:D6:07:AE:6D:64:FF:2E:92:37 To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate. On the master: puppet cert clean mypuppetserver.somewhere.com On the agent: rm -f /home/lj/.puppet/ssl/certs/mypuppetserver.somewhere.com.pem puppet agent -t However if I sign the certificate by hand on the puppet server : sudo puppetca -s new_certname_1 My client then (eventually) will update via puppet, so things are *almost* working, although the error is misleading. So here are my questions. 1) I obviously want to maintain a secure install so I want to sign the certificates. Should node_aws bootstrap be signing the certificates automatically (as it seems to be attempting to do)? Is it possible to create a certificate before bootstrapping the instance so that there is a certificate ready and waiting for the client? 2) I dont know the ip address or have a fqdn for the instances I am spinning up. I want to put some files on my clients. In fileserver.conf I am using the cert_name to control access e.g. [files] path /etc/puppet/files allow new_certname_1 I was surprised that this worked. Now heres where my conceptual understanding is failing me - since it seems every certname has to be unique (e.g. I cant just create a group controlled by the certificate name) how can I restrict access to the fileserver when provisioning new instances without manually modifying the fileserver.conf? 3) I should also ask - does a client need to be authenticated via its certificate before it will be given access to the fileserver? If so I assume I could then just use * since the certification requirement would reject uncertified clients. Sorry this is possibly a stupid question but it is not clear from the documentation but if so my second question is moot. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To view this discussion on the web visit https://groups.google.com/d/msg/puppet-users/-/RZS1zkbF7scJ. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscr...@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.