> What does this mean ? > > Warning: /etc/puppetdb/ssl/private.pem does not match the file used by > Puppet (/var/lib/puppet/ssl/private_keys/puppettest.eng.com.pem) > Warning: /etc/puppetdb/ssl/public.pem does not match the file used by Puppet > (/var/lib/puppet/ssl/certs/puppettest.eng.com.pem) > > Both should match ?
So basically yes, they should match - puppetdb-ssl-setup uses the certificates from the agent/master more for simplicity sake, but whatever cert you choose to use - it must be signed by the same CA that the client's certificate (in this case the puppet master) was signed with. In this case I can only presume that it was using old certificates that were signed by an old CA certificate - and since you had mentioned you have renewed something in your certificates dir that caused an issue. Its just hard to articulate to users that they must run 'puppetdb-ssl-setup' when this happens (although we do document it here: http://docs.puppetlabs.com/puppetdb/latest/maintain_and_tune.html#redo-ssl-setup-after-changing-certificates). In the future we are hoping that we can just point the configuration in jetty.ini directly at the Puppet certs without this need for copying certs, but currently the directories and private key in particular are locked down ... this can be fixed with a change to puppet.conf, but its something I'm wary of doing with 'puppetdb-ssl-setup' since that file might be managed by something else ... and clobbering other files like that is impolite. We are going to revisit the issue in the future since its such a PITA for people (and for me also), but ideas welcome :-). ken. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.