Received certificate does not match private key.


Chris Johnson

Apr 19, 2014, 12:50:43 PM
to puppet...@googlegroups.com
I know this has been asked about before; I've searched for it.  There seem to be two main responses: synchronize clocks, or start over with generating certificates.  I've done both.  And puppet used to work.

I have a mini virtual cluster set up using VBox, originally running CentOS 6.4.  I provision it with cobbler and added puppet.  Puppet was running great.  I then had to upgrade to 6.5.  I set up a new cobbler server from the old one, upgraded the clients and reinstalled puppet.  I then tried setting puppet back up from scratch, and now I'm getting this error from the clients.  I'm using the puppet and puppet-server RPMs 2.7.25-2.el6.noarch.  Facter is installed.  I've tried deleting all files in /var/lib/puppet on client and server and regenerating certificates in various orders.  The clocks are synchronized to within one second of each other, and they all run ntpd.  Still I get this error.

I give up.  I have found nothing else to do.  What am I missing please?  Help.  Thank you.

Chris Johnson.

Ulysses Tinajero

Apr 20, 2014, 1:36:00 PM
to puppet...@googlegroups.com
In the agent's puppet.conf (server=FQDN): does the FQDN in the agent's puppet.conf match the private key FQDN on the puppet master in /var/lib/puppet/ssl/private_keys/?

Felix Frank

Apr 22, 2014, 10:54:24 AM
to puppet...@googlegroups.com
*sigh* The excessive clearing of certs master side is painful to watch,
to be certain.

The error basically tells you that the master does hand a certificate to
the agent, but it is not one the agent has a key for. This is what
someone will see if they try to fraudulently obtain a catalog for one
of your nodes while lacking your agent's valuable key.

What you want to do is to 'puppet cert clean <agent-fqdn>' on the
master. The old cert should still be showing up in 'puppet cert list
--all'. Then the agent should be able to place its new CSR.

Side question - is the master still as recent (or more so) as the agent?

Thanks,
Felix

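The check Felix describes, as an added example that is not part of the thread or of Puppet itself: the error fires when the public key inside the certificate the master hands back is not the public key belonging to the agent's private key. The script below compares the two with the openssl CLI (assumed to be on PATH) and wraps the comparison for the Puppet 2.7/3.x agent layout under /var/lib/puppet/ssl, where the agent keeps private_keys/<fqdn>.pem and certs/<fqdn>.pem. The node name agent.example.com and the temporary "stale" certificate are constructed for the demo; Puppet's master CA would sign the real ones.

```shell
#!/bin/sh
# Added example (not from the thread): verify that an X.509 certificate was
# issued for a given private key by comparing the public key embedded in the
# certificate with the public key derived from the private key. A mismatch is
# the condition behind "Received certificate does not match private key".
# Assumes the openssl CLI is on PATH.

set -eu

# cert_matches_key CERT_PEM KEY_PEM
# Exit status 0 when the certificate's public key equals the key's public key,
# 1 when they differ, 2 when either file cannot be parsed.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# puppet_agent_cert_check FQDN [SSLDIR]
# Same check against the Puppet 2.7/3.x agent layout: the agent's key lives in
# private_keys/<fqdn>.pem and the cert it received from the master in
# certs/<fqdn>.pem under SSLDIR (default /var/lib/puppet/ssl, as in the thread).
puppet_agent_cert_check() {
    ssldir=${2:-/var/lib/puppet/ssl}
    cert_matches_key "$ssldir/certs/$1.pem" "$ssldir/private_keys/$1.pem"
}

# make_demo_ssldir FQDN
# Builds a constructed Puppet-style ssldir in a temp directory and prints its
# path: a fresh agent key, a cert issued for that key, and a "stale" cert
# issued for an older key (what an agent sees when the master still holds the
# cert signed for a previous key). Certs are self-signed here for brevity;
# in Puppet the master CA signs them.
make_demo_ssldir() {
    fqdn=$1
    dir=$(mktemp -d)
    mkdir -p "$dir/private_keys" "$dir/certs"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/private_keys/$fqdn.pem" 2>/dev/null
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$dir/old.key" 2>/dev/null
    openssl req -new -x509 -days 1 -subj "/CN=$fqdn" \
        -key "$dir/private_keys/$fqdn.pem" -out "$dir/certs/$fqdn.pem" 2>/dev/null
    openssl req -new -x509 -days 1 -subj "/CN=$fqdn" \
        -key "$dir/old.key" -out "$dir/certs/stale-$fqdn.pem" 2>/dev/null
    printf '%s\n' "$dir"
}

# Stand-alone demonstration on the constructed ssldir.
demo() {
    fqdn=agent.example.com   # hypothetical node name
    d=$(make_demo_ssldir "$fqdn")
    if puppet_agent_cert_check "$fqdn" "$d"; then
        echo "certs/$fqdn.pem matches private_keys/$fqdn.pem"
    fi
    if ! cert_matches_key "$d/certs/stale-$fqdn.pem" "$d/private_keys/$fqdn.pem"; then
        echo "certs/stale-$fqdn.pem does NOT match private_keys/$fqdn.pem (the thread's error)"
    fi
    rm -rf "$d"
}

demo
```

On a real node, run cert_matches_key against the agent's certs/<fqdn>.pem and private_keys/<fqdn>.pem; if the agent has no certs/<fqdn>.pem yet, compare the master's signed copy under its ssl/ca/signed/<fqdn>.pem against the agent's key instead. A mismatch there is exactly the state Felix describes: the master is holding a cert signed for a key the agent no longer has, so the fix is 'puppet cert clean <agent-fqdn>' on the master and a fresh CSR from the agent, not another wipe of the master's CA.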
Chris Johnson

Apr 22, 2014, 11:17:31 AM
to puppet...@googlegroups.com, R. Christopher Johnson
On 4/22/14, 10:54 AM, Felix Frank wrote:
> *sigh* The excessive clearing of certs master side is painful to watch,
> to be certain.
>
> The error basically tells you that the master does hand a certificate to
> the agent, but it is not one the agent has a key for. This is what
> someone will see if they try to fraudulently obtain a catalog for one
> of your nodes while lacking your agent's valuable key.
>
> What you want to do is to 'puppet cert clean <agent-fqdn>' on the
> master. The old cert should still be showing up in 'puppet cert list
> --all'. Then the agent should be able to place its new CSR.
>
> Side question - is the master still as recent (or more so) as the agent?
>
> Thanks,
> Felix
>
Don't know how many times I tried that. No joy. I did get it to work,
though, by upgrading all versions to 3.5.1 and their dependencies. The
master was 3.5.1 but the clients were 2.4 something. I thought there
was supposed to be backward compatibility. Maybe I missed something in
the release notes. Anyway, I'm at 3.5.1 etc. now on both ends and it's
working again.

And yes I did read the best practices on upgrades. Next time I'll take
the alternate master approach and upgrade nodes in small bunches using
the new master.

Tnx.

Chris.
