Hello! For cleaning the cert on the master, are you trying to use `puppet cert clean`? This error message needs to be updated to instead say "On the master: use `puppetserver ca clean --certname <agent-cert-name>`". The `puppet cert` command was removed in 6.0.0, see https://puppet.com/docs/puppet/6.0/release_notes.html#puppet-600 and https://puppet.com/docs/puppetserver/6.0/subcommands.html#ca. But due to https://tickets.puppetlabs.com/browse/PUP-9155, it doesn't always correctly report its failure. Starting in 6.0.1, `puppet cert` will always error helpfully with information about the new alternative commands. Please let me know if you are still having issues after trying `puppetserver ca clean`.
And regardless of whether this fixes your issue, we really appreciate your letting us know when our errors and/or docs are less than helpful. Thanks!

Maggie

On Fri, Sep 28, 2018 at 11:05 AM Andy Hall <[email protected]> wrote:

> Just deployed a new puppet 6.0 client / server setup and getting the
> classic CSR signing issue (see details below). Please help clarify my
> understanding so I can troubleshoot this (I'm sure there's a quick fix for
> this) :
>
> N.B. The usual "remove the SSL dir on the client and clean the cert on the
> server" is NOT working.
>
> So I think this is what happens :
>
> 1. The agent creates an SSL cert and sends it to the master to be signed -
> a Certificate Signing Request (CSR).
>
> 2. The master signs the cert with its own CA and the key of the agent.
>
> 3. The signed cert is returned to the agent which compares the keys to
> ensure they match.
>
> It would seem that somehow the key being returned is mangled and doesn't
> match so is rejected by the agent.
>
> This happens from the very first attempt to join an agent to the master
> and I am at a loss of how to fix this.
>
> Here is the request from the agent to the master :
>
> ==> /var/log/puppetlabs/puppetserver/puppetserver-access.log <==
> 10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET /puppet-ca/v1/certificate/
> andy-puppet6-test.london.company.com HTTP/1.1" 404 65 "-" "Puppet/6.0.0
> Ruby/2.5.1-p57 (x86_64-linux)" 3
> 10.2.73.60 - - [28/Sep/2018:18:34:07 +0100] "GET
> /puppet-ca/v1/certificate_request/andy-puppet6-test.london.company.com
> HTTP/1.1" 200 1622 "-" "Puppet/6.0.0 Ruby/2.5.1-p57 (x86_64-linux)" 3
>
> And here is the output from the agent :
>
> # puppet agent --test --noop
> Info: Creating a new SSL key for andy-puppet6-test.london.company.com
> Info: Downloaded certificate for ca from puppet
> Error: Could not request certificate: The CSR retrieved from the master
> does not match the agent's public key.
> CSR fingerprint:
> 9A:16:DA:95:9C:FB:90:89:78:EB:01:86:21:B0:24:E1:B0:66:80:43:ED:58:0B:A5:08:9C:24:60:C8:DE:F5:13
> CSR public key: Public-Key: (4096 bit)
> Exponent: 65537 (0x10001)
>
> Agent public key: Public-Key: (4096 bit)
> Exponent: 65537 (0x10001)
>
> To fix this, remove the CSR from both the master and the agent and then
> start a puppet run, which will automatically regenerate a CSR.
> On the master:
> puppet cert clean andy-puppet6-test.london.company.com
> On the agent:
> 1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name
> andy-puppet6-test.london.company.com.pem -delete
> 1b. On Windows: del
> "\etc\puppetlabs\puppet\ssl\certs\andy-puppet6-test.london.company.com.pem"
> /f
> 2. puppet agent -t
>
> So the big question is this : what exactly is the CSR public key and what
> exactly is the agent public key and why should they match ?
>
> Any help would be most greatly appreciated !
>
> Thanks very much.
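On the question of what the two keys in the error are: a CSR embeds the requester's public key and is signed with the matching private key, so a CSR stored on the master under a certname can only be used by the agent whose on-disk key produced it. The Ruby sketch below is an added example, not Puppet's own code and not part of the original thread; it reproduces the comparison with constructed 2048-bit keys and a hypothetical certname (`agent01.example.test`), and the helper names are invented for illustration.

```ruby
require 'openssl'

# Build a CSR for certname: embed the key's public half, sign with its private half.
def build_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.new([['CN', certname]])
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256')) # returns the signed request
end

# True when the RSA public key inside the CSR is the agent's own key.
def same_public_key?(csr, agent_key)
  csr_key = csr.public_key
  csr_key.n == agent_key.n && csr_key.e == agent_key.e
end

# Classify a CSR (PEM text, as fetched from a CA) against the agent's key.
def check_csr(csr_pem, agent_key)
  csr = OpenSSL::X509::Request.new(csr_pem)
  # Self-signature check: proves the requester held the private key.
  return :bad_signature unless csr.verify(csr.public_key)
  # A valid CSR made with a different key pair is useless to this agent.
  return :key_mismatch unless same_public_key?(csr, agent_key)
  :ok
end

# Constructed scenario: a CSR left on the CA from an earlier key, then the
# agent's SSL directory is wiped and a new key is generated.
def stale_csr_scenario(certname = 'agent01.example.test')
  old_key = OpenSSL::PKey::RSA.new(2048)
  stale_pem = build_csr(certname, old_key).to_pem # still stored on the CA
  new_key = OpenSSL::PKey::RSA.new(2048)          # agent regenerated its key
  {
    stale_vs_old: check_csr(stale_pem, old_key),
    stale_vs_new: check_csr(stale_pem, new_key),
    fresh_vs_new: check_csr(build_csr(certname, new_key).to_pem, new_key)
  }
end

puts stale_csr_scenario.inspect if __FILE__ == $PROGRAM_NAME
```

The `stale_vs_new` case is the situation the agent's error describes: the stored CSR is well-formed and correctly self-signed, but it belongs to a key the agent no longer has, which is why the stored request has to be cleaned on the CA side as well as on the agent.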
