I recently had a similar issue, but not on windows. To fix, I replaced the 
puppet root ca with a sha256 cert instead of the older sha1.
This or course meant re-signing *all* the client certs, which for me was 
about 4 hours worth of logging into every computer. My cut'n'paste fu is 
strong now ....

Replacing the puppet ca with the newer one fixed the errors tho. Sorry I 
dont have an easier fix for you :(

Andrew.

On Friday, 7 October 2016 17:33:23 UTC+10, Fredrik Nilsson wrote:

> Hi Guys,
>
> Hopefully one of you have a splendid idea on how to solve this...
>
> The problem is that I'm getting this error message a lot (to much is more 
> like it):
>
>
> *Error: Could not request certificate: The certificate retrieved from the 
> master does not match the agent's private key.Certificate fingerprint: 
> FINGERPRINT*
>
>
>
>
>
>
>
> *To fix this, remove the certificate from both the master and the agent 
> and then start a puppet run, which will automatically regenerate a 
> certficate.On the master:  puppet cert clean SERVERNAMEOn the agent:  1a. 
> On most platforms: find C:/ProgramData/PuppetLabs/puppet/etc/ssl -name 
> SERVERNAME.pem -delete  1b. On Windows: del 
> "C:/ProgramData/PuppetLabs/puppet/etc/ssl/SERVERNAME" /f  2. puppet agent 
> -t*
>
> Some characteristics:
> This is on newly provisioned hosts (provisioned from Foreman)
> The machinses is running Windows Server of different flavours
> Puppet Agent version is 3.8.7 (upgrade to a 4 release is in the pipe)
> We have two VmWare clusters and this occurs on both (the checkbox for time 
> sync with hardware host is NOT checked)
>
> I actually had this problem from start, but back then it was so seldomly 
> occuring so I decided to live with it, say it occured like 1/20 or so 
> machines. But now it has escalated and it is rather 1/20 that got a working 
> certificate from start, actually when starting to banging my head against 
> the wall again yesterday I had two machines working, after adding an extra 
> timesync in the provisioning workflow, but that was shortlived happiness as 
> I've made 3 more machines after that with no success.
>
> So my first suspects on this was time and change of "security context", 
> but I think they're of the hook for the moment as I'm pretty confident in 
> that my time is right and that I to my knowledge have stayed in the same 
> security context.
>
> To make sure that I got the time right I have this runing under the 
> oobeSystem step in my provisioning workflow :
> *powershell.exe -noprofile -executionpolicy bypass -command "& 
> {Start-Service W32Time -ErrorAction SilentlyContinue; .\w32tm.exe /resync}"*
>
> After installing chocolatey and the puppet agent the agent phones home 
> like this (command composed from how this is done in the Linux half of our 
> department):
> *powershell.exe -noprofile -executionpolicy bypass -command " & {& 
> 'C:\Program Files\Puppet Labs\Puppet\bin\puppet.bat' agent -o --tags 
> no_such_tag --no-daemonize}"*
>
> The user loging on and running the commands are the local administrator 
> account, to be extra thorough I logged on as that account trying to run a 
> *puppet 
> agent -t *after the host is built, just to be sure there was no logon 
> account related stuff going on, but no difference.
>
> Following the steps in the error message, generating a new certificate, 
> ofcourse works, but we can all see the inconvinience of dowing that 
> constantly on newly provisioned hosts, right?
>
> I think that sums things up quite good, as said I've been baning my head 
> against this, while not ignoring it, could still be something fishy going 
> on on the puppetmaster that is not managed by me, but me colleauges in the 
> linux neighborhood don't ecperience this so it is seemingly something to do 
> with the Windows hosts.
>
> Cheers,
> Fredrik
>

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e8b513af-bc37-4f36-9b56-6da52cf45d48%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Reply via email to