Hi All, I apologize for what I'm sure is a very boneheaded question, but I'm stuck. I have a number of puppet agents all talking to the same master. Things worked great until at some point one of the agents stopped talking to the master - I'm not sure why that happened. I decided to wipe its key from the master and "start fresh". Unfortunately I haven't had any luck getting them to play nicely.
The agent is running 2.7.11. The master is running 2.7.1. They can ping, do hostname lookups, etc. to each other. When I attempt a manual update from the agent I see:

    ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

Doing a "sudo puppet cert list" on the master shows nothing pending. Running the server with debugging turned on shows the following:

    ubuntu@puppet:/var/lib$ sudo puppetmasterd --no-daemonize --debug --verbose
    ...startup...
    info: access[^/catalog/([^/]+)$]: allowing 'method' find
    info: access[^/catalog/([^/]+)$]: allowing $1 access
    info: access[^/node/([^/]+)$]: allowing 'method' find
    info: access[^/node/([^/]+)$]: allowing $1 access
    info: access[/certificate_revocation_list/ca]: allowing 'method' find
    info: access[/certificate_revocation_list/ca]: allowing * access
    info: access[/report]: allowing 'method' save
    info: access[/report]: allowing * access
    info: access[/file]: allowing * access
    info: access[/certificate/ca]: adding authentication no
    info: access[/certificate/ca]: allowing 'method' find
    info: access[/certificate/ca]: allowing * access
    info: access[/certificate/]: adding authentication no
    info: access[/certificate/]: allowing 'method' find
    info: access[/certificate/]: allowing * access
    info: access[/certificate_request]: adding authentication no
    info: access[/certificate_request]: allowing 'method' find
    info: access[/certificate_request]: allowing 'method' save
    info: access[/certificate_request]: allowing * access
    info: access[/]: adding authentication any
    info: Inserting default '/status'(auth) ACL because none were found in '/etc/puppet/auth.conf'
    info: Could not find certificate for 'agent.foo.com'
    info: Could not find certificate for 'agent.foo.com'
    info: Could not find certificate for 'agent.foo.com'

I tried generating a key on the server (even though it said there was no pending request) with:

    cert generate agent.foo.com

However, the client then reported:

    ubuntu@agent:~$ sudo puppet agent --onetime --no-daemonize --verbose --waitforcert 120
    err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 51:E2:EC:3B:28:39:FB:24:95:38:AD:FE:D0:89:8C:93
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
    On the master:
      puppet cert clean agent.foo.com
    On the agent:
      rm -f /var/lib/puppet/ssl/certs/agent.foo.com.pem
      puppet agent -t

I followed those instructions, but now am back at the beginning...

If anybody has ideas on things I might try I'd really appreciate it! Sorry if I didn't include the right info. /var/log/syslog seemed pretty empty.

Thanks,
- mike
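
Added example, not part of the original post: a shell check for the condition named in the agent's error above, i.e. whether a certificate's public key matches a given private key, plus the certificate's MD5 fingerprint for comparison with the 16-byte value the agent printed. The function names are hypothetical, the keys and certificate are throwaway ones constructed for the demo, and the private_keys path in the comment assumes the default layout under the ssl directory shown in the post.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# On a real agent the inputs would be, for instance:
#   cert: /var/lib/puppet/ssl/certs/agent.foo.com.pem          (path from the post)
#   key:  /var/lib/puppet/ssl/private_keys/agent.foo.com.pem   (assumed default layout)

# cert_matches_key CERT KEY
# Returns 0 if the certificate carries the public half of KEY,
# 1 if the two do not belong together, 2 if either file is unreadable or unparsable.
cert_matches_key() {
    cert=$1 key=$2
    [ -r "$cert" ] && [ -r "$key" ] || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_fp_md5 CERT
# Prints the certificate fingerprint as colon-separated hex (16 bytes),
# the same shape as the "Certificate fingerprint:" line in the agent error.
cert_fp_md5() {
    openssl x509 -in "$1" -noout -fingerprint -md5 2>/dev/null | sed 's/^.*=//'
}

# make_fixture DIR
# Constructed sample data: two unrelated RSA keys and a self-signed
# certificate for agent.foo.com issued over the first key only.
make_fixture() {
    openssl genrsa -out "$1/agent.key" 2048 2>/dev/null &&
    openssl genrsa -out "$1/other.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/agent.key" -subj "/CN=agent.foo.com" \
        -days 1 -out "$1/agent.pem" 2>/dev/null
}

# Demo: the certificate matches the key it was issued for and no other.
tmp=$(mktemp -d) && make_fixture "$tmp" && {
    cert_matches_key "$tmp/agent.pem" "$tmp/agent.key" && echo "agent.key: match"
    cert_matches_key "$tmp/agent.pem" "$tmp/other.key" || echo "other.key: MISMATCH"
    echo "fingerprint: $(cert_fp_md5 "$tmp/agent.pem")"
}
rm -rf "$tmp"
```

A certificate whose key pair was generated on a different machine than the private key on disk takes the mismatch branch here, and its fingerprint can be compared on both hosts to confirm which certificate was served.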