This sounds like a risky process to me. 
Wiping out your certs sounds like a hammer. 

Not sure how you are provisioning your nodes, but even an ssh call to the master 
during provisioning to remove the cert (if it exists) would be preferable.

Maybe you could look at alternatives, like generating a uuid for your cert 
names and then removing those hosts that haven't checked in after a determined 
period (using puppet cert --clean). Check google for more info (I'm currently 
in transit).

Cheers,
Den


On 09/08/2012, at 1:51, mfons <maf...@gmail.com> wrote:

> On client:
> [root@xxx ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.7 (Tikanga)
> [root@xxx ~]# rpm -qa|grep puppet
> puppet-2.6.12-1.el5
> 
> On server:
> [root@server ~]# cat /etc/redhat-release
> Red Hat Enterprise Linux Server release 5.7 (Tikanga)
> [root@server ~]# rpm -qa|grep puppet
> puppet-server-2.6.12-1.el5
> puppet-2.6.12-1.el5
> [root@server ~]#
> 
> Puppet agent runs on client every 30 minutes, as usual.
> Sometimes, it fails with messages:
> Aug  8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL key for
> xxx.domain.com
> Aug  8 17:30:04 xxx puppet-agent[10416]: Creating a new SSL
> certificate request for xxx.domain.com
> Aug  8 17:30:04 xxx puppet-agent[10416]: Certificate Request
> fingerprint (md5): 51:BA:28:EA:61:2B:1C:3B:42:64:48:9E:26:0F:28:F9
> Aug  8 17:30:05 xxx puppet-agent[10416]: Could not request
> certificate: Error 400 on SERVER: Could not find certificate request
> for xxx2.domain.com
> 
> We have autosign configured in puppetmaster, because we need to run
> puppet client on nodes totally unattended (we might provision a new or
> existing node at anytime)
> The problem is that sometimes when a client runs puppetagent, it fails
> requesting a certificate that it does not own.
> For example: client xxx.domain.com generates a new certificate, that
> request to sign by the puppetmaster and then it fails because it does
> not find the request of a certificate for xxx2.domain.com.
> 
> Maybe, next time, when puppetagent runs again, it succeeds, or it fails
> again; there is no rule.
> 
> We have a script on server and client that deletes client certificates
> stored in /var/lib/puppet...... that runs every hour. We need this
> because we can provision a node with same hostname at anytime and if
> there was an old certificate on server with the same name it will
> fail. This is because we have autosign set to yes in puppetmaster.
> 
> -- 
> You received this message because you are subscribed to the Google Groups 
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to 
> puppet-users+unsubscr...@googlegroups.com.
> For more options, visit this group at 
> http://groups.google.com/group/puppet-users?hl=en.
> 

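A sketch of the reaping approach Den outlines, added here as an example and not code from either message. It assumes agents use a uuid as their certname (`certname` in puppet.conf) and that the 2.6-era master refreshes a per-node fact cache at /var/lib/puppet/yaml/facts/<certname>.yaml on every check-in (assumed default layout); it defaults to a dry run so nothing is cleaned until DRY_RUN=0.

```shell
#!/bin/sh
# Reap master-side certificates for nodes that have stopped checking in.
# Assumption: the master touches FACTS_DIR/<certname>.yaml on each agent run,
# so the file's mtime is the last check-in time for that certname.
FACTS_DIR="${FACTS_DIR:-/var/lib/puppet/yaml/facts}"
MAX_AGE_DAYS="${MAX_AGE_DAYS:-7}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only report, 0 = actually run puppet cert --clean

# Print, one per line, the certnames under $1 whose fact cache is older than $2 days.
stale_certnames() {
    dir="$1"; days="$2"
    find "$dir" -maxdepth 1 -type f -name '*.yaml' -mtime "+$days" \
        | sed 's#.*/##; s#\.yaml$##' | sort
}

# Remove the certificate (and the stale fact cache) for each certname found
# by stale_certnames, or only report what would be removed when DRY_RUN=1.
clean_stale() {
    dir="$1"; days="$2"
    stale_certnames "$dir" "$days" | while read -r name; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "would run: puppet cert --clean $name"
        else
            puppet cert --clean "$name" && rm -f "$dir/$name.yaml"
        fi
    done
}

# Intended to be run from cron on the master, e.g. hourly:
#   DRY_RUN=0 MAX_AGE_DAYS=3 sh reap-stale-certs.sh
clean_stale "$FACTS_DIR" "$MAX_AGE_DAYS"
```

Because a re-provisioned host gets a fresh uuid certname, an old certificate with the same hostname never blocks autosign; it simply ages out and is cleaned here, and the dry-run output is the audit trail for what would be revoked.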