On Thursday, December 12, 2013 3:14:09 AM UTC-6, Dhanarajan Ponnurangam 
wrote:
>
>
> Hi ,
>
> I am new to this puppet. I am implementing a network where my cisco switch 
> will contact the puppet server for getting the configuration.
> I tried installing open source puppet and was successful in pushing down 
> the configurations.
>
> I wanted then to try the same exercise with puppet enterprise 3.1. I 
> installed puppet enterprise in a different server and changed my puppet 
> agent (switch) to reflect this new server as the puppet master.
> I have autosign.conf created under /etc/puppet-labs/puppet/  with the 
> entry *.<domain_name>.com. I have site.pp and other files specific for 
> cisco device as I had in previous exercise (open source puppet).
> When I initiate the puppet master using the command "puppet master -d 
> --no-daemonize" I see the following error in 
> /var/log/pe-puppet/masterhttp.log,
>
>

The agent created a certificate when it first ran, and requested that the 
original master -- which by default serves as CA -- sign it.  When you 
point that agent at a different master that, like the first, serves as its 
own CA, the agent continues to use its existing certificate.  The new 
master does not recognize the original one as a trusted CA, however, so it 
rejects the agent's certificate.

If necessary, it is possible to configure your masters to use a central CA 
instead of each serving as its own.  If something like that is not done, 
however, then you need to clean out agents' certificates when you transfer 
them between masters.  To do so, simply delete the client's entire puppet 
SSL directory, typically located at /var/lib/puppet/ssl.  (But not on your 
master!)  You will typically then also want to revoke the client's 
certificate and delete it from the original master ("puppet cert clean 
<certname>" for Puppet OS), though it's not strictly necessary to do so.


John
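
The trust failure described in the reply above can be checked before pointing an agent at a new master. This is an added example, not part of the original thread and not Puppet's own tooling: it uses `openssl verify` to classify whether an agent's existing certificate chains to a given master's CA. The `certs/<certname>.pem` location under the SSL directory, the function names and the example.com hostnames are assumptions, and the two CAs are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: does an agent's existing certificate chain to this master's CA?

# cert_trusted_by CA_PEM CERT_PEM -> exit 0 only if CERT_PEM verifies against CA_PEM
cert_trusted_by() {
    # Match on the "OK" line rather than the exit status, which older
    # OpenSSL releases do not set reliably on verification failure.
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# agent_ssl_state SSLDIR CERTNAME MASTER_CA_PEM
# Prints one of: no-cert | trusted | foreign-ca
agent_ssl_state() {
    cert="$1/certs/$2.pem"    # assumed layout of the agent's SSL directory
    if [ ! -f "$cert" ]; then
        echo "no-cert"        # agent will request a fresh certificate
    elif cert_trusted_by "$3" "$cert"; then
        echo "trusted"        # issued by this master's CA; nothing to clean
    else
        echo "foreign-ca"     # issued by another CA; the master will reject it
    fi
}

# Constructed test PKI: two independent self-signed CAs (the "old" and "new"
# master) and one agent certificate signed by the old CA only.
make_demo_pki() {
    d="$1"; mkdir -p "$d/agent/certs"
    for ca in old new; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=$ca-master.example.com" \
            -keyout "$d/$ca-ca.key" -out "$d/$ca-ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=switch01.example.com" \
        -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$d/agent.csr" -days 1 \
        -CA "$d/old-ca.pem" -CAkey "$d/old-ca.key" -CAcreateserial \
        -out "$d/agent/certs/switch01.example.com.pem" 2>/dev/null
}
```

A result of `foreign-ca` is the case where the agent's SSL directory needs to be cleaned out before the new master will accept it.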
