Hi mate, I use Puppet 2.6 but in this situation would run:
From puppetmaster

puppetca --revoke agent.foo.com
puppetca --clean agent.foo.com

From agent

rm -rf /var/lib/puppet/ssl
puppetd --waitforcert 30 --server puppetmaster -v

From puppetmaster

puppetca --sign agent.foo.com

On Thursday, October 4, 2012 4:14:14 AM UTC+1, mike sonero wrote:
>
> Hi All,
>
> I apologize for what I'm sure is a very boneheaded question, but I'm
> stuck. I have a number of puppet agents all talking to the same master.
> Things worked great until at some point one of the agents stopped talking
> to the master - I'm not sure why that happened. I decided to wipe its key
> from the master and "start fresh". Unfortunately I haven't had any luck
> getting them to play nicely.
>
> The agent is running 2.7.11. The master is running 2.7.1. They can ping,
> do hostname lookups, etc to each other.
>
> When I attempt a manual update from the agent I see:
> ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> warning: peer certificate won't be verified in this SSL session
> Exiting; no certificate found and waitforcert is disabled
>
> Doing a "sudo puppet cert list" on the master shows nothing pending.
> Running the server with debugging turned on shows the following:
> ubuntu@puppet:/var/lib$ sudo puppetmasterd --no-daemonize --debug
> --verbose
> ...startup...
> info: access[^/catalog/([^/]+)$]: allowing 'method' find
> info: access[^/catalog/([^/]+)$]: allowing $1 access
> info: access[^/node/([^/]+)$]: allowing 'method' find
> info: access[^/node/([^/]+)$]: allowing $1 access
> info: access[/certificate_revocation_list/ca]: allowing 'method' find
> info: access[/certificate_revocation_list/ca]: allowing * access
> info: access[/report]: allowing 'method' save
> info: access[/report]: allowing * access
> info: access[/file]: allowing * access
> info: access[/certificate/ca]: adding authentication no
> info: access[/certificate/ca]: allowing 'method' find
> info: access[/certificate/ca]: allowing * access
> info: access[/certificate/]: adding authentication no
> info: access[/certificate/]: allowing 'method' find
> info: access[/certificate/]: allowing * access
> info: access[/certificate_request]: adding authentication no
> info: access[/certificate_request]: allowing 'method' find
> info: access[/certificate_request]: allowing 'method' save
> info: access[/certificate_request]: allowing * access
> info: access[/]: adding authentication any
> info: Inserting default '/status'(auth) ACL because none were found in
> '/etc/puppet/auth.conf'
> info: Could not find certificate for 'agent.foo.com'
> info: Could not find certificate for 'agent.foo.com'
> info: Could not find certificate for 'agent.foo.com'
>
> I tried generating a key on the server (even though it said there was no
> pending request) with:
> cert generate agent.foo.com
>
> However, the client then reported:
> ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose
> --waitforcert 120
> err: Could not request certificate: The certificate retrieved from the
> master does not match the agent's private key.
> Certificate fingerprint: 51:E2:EC:3B:28:39:FB:24:95:38:AD:FE:D0:89:8C:93
> To fix this, remove the certificate from both the master and the agent
> and then start a puppet run, which will automatically regenerate a
> certficate.
> On the master:
> puppet cert clean agent.foo.com
> On the agent:
> rm -f /var/lib/puppet/ssl/certs/agent.foo.com.pem
> puppet agent -t
>
> I followed those instructions, but now am back at the beginning...
>
> If anybody has ideas on things I might try I'd really appreciate it!
> Sorry if I didn't include the right info. /var/log/syslog seemed pretty
> empty.
>
> Thanks,
> - mike
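
The "does not match the agent's private key" error quoted in this thread can be checked by hand with openssl before wiping anything. The script below is an added example, not part of the thread or of Puppet; the function names and the throwaway demo files are constructed for illustration.

```shell
#!/bin/sh
# Added example: does a certificate belong to a given private key?
# On a real agent the two files would be the cert under
# /var/lib/puppet/ssl/certs/ and the key under private_keys/ in the same
# ssl directory (usual Puppet layout, assumed here).

# Returns 0 on match, 1 on mismatch, 2 if either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Prints the certificate's MD5 fingerprint as 16 colon-separated bytes,
# the same shape as the fingerprint in the error message.
cert_md5_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -md5 | cut -d= -f2
}

# Constructed scenario: the master still holds a cert issued for the old
# key, while the agent has since generated a new key.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=agent.foo.com" \
        -keyout "$d/old_key.pem" -out "$d/cert.pem" >/dev/null 2>&1 || return 1
    openssl genrsa -out "$d/new_key.pem" 2048 >/dev/null 2>&1 || return 1
    echo "$d"
}

if demo=$(make_demo); then
    for k in old_key new_key; do
        if cert_matches_key "$demo/cert.pem" "$demo/$k.pem"; then
            echo "$k: certificate matches"
        else
            echo "$k: certificate does NOT match"
        fi
    done
    echo "fingerprint: $(cert_md5_fingerprint "$demo/cert.pem")"
    rm -rf "$demo"
fi
```

A mismatch means the certificate and the key come from different generations, which is the state the revoke, clean, wipe and re-sign sequence in the reply is meant to clear.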