>
>> I suggest you remove all the files and directories at
>> /var/lib/puppet/ssl
>> like that:
>> # rm -rf /var/lib/puppet/ssl
>
>
>
> The command I showed in the earlier email should do the same thing:
>
>
> [root@beta:~] #find /var/lib/puppet/ssl -type f -exec rm -f {} \;
>
>
> But just for the sake of argument I did try the exact command you showed:
>
>
> [root@beta:~] #rm -rf /var/lib/puppet/ssl
>
>
>
>> Check again at the puppet master:
>> # puppet cert --all and --list |grep hostname
>
>
> [root@puppet:~] #puppet cert --list --all | grep beta
>
>
> Yup! no client cert here!
>
>
> And even though I've already verified that there is no cert for this client
> on my puppet server, on the FIRST run of puppet --agent --test
> --waitforcert on that client seems to immediately produce a *cert on the
> client*  named after the puppet server!
>
>
> [root@beta:~] #puppet agent --test --waitforcert 60 --server puppet.mydomain.com
>
> info: Creating a new SSL key for puppet.mydomain.com
>
> info: Caching certificate for ca
>
> info: Caching certificate for puppet.mydomain.com
>
> err: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
>
> Certificate fingerprint: BB:F6:61:88:56:AD:CD:63:74:62:3B:BA:1A:B3:BD:CD
>
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
>
> On the master:
>
>   puppet cert clean puppet.mydomain.com
>
> On the agent:
>
>   rm -f /var/lib/puppet/ssl/certs/puppet.mydomain.com.pem
>
>   puppet agent -t
>
>
> info: Retrieving plugin
>
> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources
> using 'eval_generate: The certificate retrieved from the master does not
> match the agent's private key.
>
> Certificate fingerprint: BB:F6:61:88:56:AD:CD:63:74:62:3B:BA:1A:B3:BD:CD
>
> To fix this, remove the certificate from both the master and the agent and
> then start a puppet run, which will automatically regenerate a certficate.
>
> On the master:
>
>   puppet cert clean puppet.mydomain.com
>
> On the agent:
>
>   rm -f /var/lib/puppet/ssl/certs/puppet.mydomain.com.pem
>
>   puppet agent -t
>
>
> err: /File[/var/lib/puppet/lib]: Could not evaluate:
> SSL_CTX_use_PrivateKey:: key values mismatch Could not retrieve file
> metadata for puppet://puppet.mydomain.com/plugins:
> SSL_CTX_use_PrivateKey:: key values mismatch
>
> err: Could not retrieve catalog from remote server:
> SSL_CTX_use_PrivateKey:: key values mismatch
>
> warning: Not using cache on failed catalog
>
> err: Could not retrieve catalog; skipping run
>
> err: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch
>
>
> It's almost as if the puppet server THINKS that the remote host is named '
> puppet.mydomain.com' instead of 'beta.mydomain.com'. What you see above
> is a FIRST RUN after rm -rf of the /var/lib/puppet/ssl directory.
>
>
>
> And if I check the presence of the certificate file named after the puppet
> server (not the puppet client) it is there on the remote puppet client:
>
>
> [root@beta:~] #ls -l /var/lib/puppet/ssl/certs/puppet.mydomain.com.pem
>
> -rw-r----- 1 puppet puppet 1976 Feb 13 08:02
> /var/lib/puppet/ssl/certs/puppet.mydomain.com.pem
>
>
> Why on earth a certificate named 'puppet.mydomain.com' exists on the
> remote host instead of 'beta.mydomain.com' is what I need to figure out
> and how to correct it.
>
>
>> Are you using autosign.conf?
>
>
> Nope! Autosign is turned off.
>
>
> Thanks for your help!
>
>
> Tim
>
>
>
> On Thu, Feb 13, 2014 at 6:13 AM, Rafael Cristaldo <
> raf...@rafaelcristaldo.com.br> wrote:
>
> I suggest you remove all the files and directories at
> /var/lib/puppet/ssl
>
>
> like that:
>
>
> # rm -rf /var/lib/puppet/ssl
>
>
> Check again at the puppet master:
>
>
> # puppet cert --all and --list |grep hostname
>
>
> Are you using autosign.conf?
>
>
> --
>
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
>
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
>
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/a9ea5f44-e2dd-4c5a-8d8f-087ab04c551c%40googlegroups.com
> .
>
> For more options, visit https://groups.google.com/groups/opt_out.
>
>
>
>
> --
>
> GPG me!!
>
>
> gpg --keyserver pool.sks-keyservers.net --recv-keys F186197B
>
>
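
A diagnostic for the symptom reported above, added here as an example and not part of the original message: it checks which identity the agent is requesting and flags the case where that name is the master's own. It assumes, as one possible explanation the thread does not confirm, that the agent's `certname` resolves to the master's name; the function names and the sample `puppet.conf` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Both samples are constructed: the log
# reuses lines quoted in the message; the puppet.conf is hypothetical.
SAMPLE_LOG='info: Creating a new SSL key for puppet.mydomain.com
info: Caching certificate for ca
info: Caching certificate for puppet.mydomain.com'
SAMPLE_CONF='[main]
    server = puppet.mydomain.com
[agent]
    certname = puppet.mydomain.com'

# Name the agent generated its key for, read from a run log on stdin.
key_name_from_log() {
    sed -n 's/^.*info: Creating a new SSL key for \([^ ]*\).*$/\1/p' | head -n 1
}

# Explicit certname from a puppet.conf on stdin; [agent] overrides [main].
# Prints nothing when no certname is set (Puppet then defaults to the FQDN).
certname_from_conf() {
    awk '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        /^[ \t]*certname[ \t]*=/ {
            val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (sec == "agent") agent_name = val
            else if (sec == "main") main_name = val
        }
        END { if (agent_name != "") print agent_name
              else if (main_name != "") print main_name }
    '
}

# classify_identity <name-in-use> <host-fqdn> <master-name>
classify_identity() {
    if [ "$1" = "$3" ] && [ "$2" != "$3" ]; then
        echo "COLLISION: agent on $2 is requesting the master's identity ($3)"
    elif [ "$1" != "$2" ]; then
        echo "MISMATCH: agent on $2 identifies as $1"
    else
        echo "OK: agent identifies as $2"
    fi
}

# On a live agent the inputs would be: puppet agent --configprint certname
# and hostname -f. Here the constructed samples are used instead.
classify_identity "$(printf '%s\n' "$SAMPLE_LOG" | key_name_from_log)" \
    beta.mydomain.com puppet.mydomain.com
classify_identity "$(printf '%s\n' "$SAMPLE_CONF" | certname_from_conf)" \
    beta.mydomain.com puppet.mydomain.com
```

A COLLISION result means the agent is asking for a certificate under a name the master already holds, which is consistent with the "does not match the agent's private key" error quoted in the message.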
