ssl signing issue


Chris

Jun 29, 2014, 11:23:38 PM
to puppet...@googlegroups.com
Hi,

I'm trying to get signing right and have come up with a weird situation.

Both master and client are running 3.6.2 (rpms from puppetlabs).

client config:

[main]
vardir = /var/lib/puppet
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = /var/lib/puppet/ssl
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet-master
ca_server = puppet-master
report = true

# 2 mins.
runinterval = 120

factpath = /etc/facter/facts.d
pluginsync = true
environment = production



master:
[main]
logdir = /var/log/puppet
rundir = /var/run/puppet
ssldir = $vardir/ssl

reports = store
environmentpath = $confdir/environments
factpath = /etc/facter/facts.d

storeconfigs = true
storeconfigs_backend = puppetdb


client generates a cert fine:
Info: Creating a new SSL key for client
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for client
Info: Certificate Request fingerprint (SHA256): D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50


master gets it:
# puppet ca list
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50

and has signed itself:
# puppet ca list --all
client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
+ puppet-master (SHA256) 65:CE:54:5B:0A:93:5A:43:B4:D6:26:21:5C:99:F5:E9:3B:B3:59:98:4C:5C:84:24:A6:2D:06:C4:FC:DF:2F:A9

So I sign it:
# puppet ca sign client
Notice: Signed certificate request for client
Notice: Removing file Puppet::SSL::CertificateRequest client2.squiz.local at '/var/lib/puppet/ssl/ca/requests/client.pem'
"-----BEGIN CERTIFICATE-----\n....cert contents here....


Then the problems start:

# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: B5:2C:39:40:27:31:47:4F:89:A8:75:EB:8D:1C:16:B9:31:14:4D:BE:B3:DD:AB:81:0E:F4:E4:F2:73:CC:C1:B9
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.


I've double-checked my configs against a separate working install (though that doesn't have puppetdb) and can't see anything obviously wrong.

I'm not sure where to start looking at this, so thanks for any help.

--
Postgresql & php tutorials
http://www.designmagick.com/
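The error in the post above is the agent's own sanity check: the public key inside the certificate it fetched must be the public half of the private key it holds. The following Go program is an added example, not part of this thread and not Puppet's own code; it reproduces that check offline. It generates two throwaway ECDSA keys, issues a self-signed certificate for one of them, prints the SHA256 fingerprint in the colon-separated form Puppet uses, and shows the comparison passing for the key the certificate was issued for and failing for the other. The names `agentKey` and `staleKey`, the key material, and the scenario in `main` (a CA having signed a request made with a key the agent no longer holds) are assumptions constructed for the illustration, not the diagnosis of this thread.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Fingerprint renders the SHA256 digest of DER bytes the way Puppet prints
// certificate and CSR fingerprints: upper-case hex pairs joined by colons.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	hexStr := strings.ToUpper(hex.EncodeToString(sum[:]))
	pairs := make([]string, 0, len(sum))
	for i := 0; i < len(hexStr); i += 2 {
		pairs = append(pairs, hexStr[i:i+2])
	}
	return strings.Join(pairs, ":")
}

// CertMatchesKey reports whether the public key inside cert is the public
// half of key. This is the comparison behind the agent error "The certificate
// retrieved from the master does not match the agent's private key": a
// certificate issued for some other key fails it.
func CertMatchesKey(cert *x509.Certificate, key crypto.Signer) bool {
	pub, ok := cert.PublicKey.(interface{ Equal(crypto.PublicKey) bool })
	if !ok {
		return false
	}
	return pub.Equal(key.Public())
}

// newKey generates a throwaway P-256 key (constructed test material; Puppet
// agents use RSA keys, and the comparison above works the same way for them).
func newKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// selfSignedCert issues a minimal self-signed certificate for cn carrying
// key's public half. It stands in for the certificate a CA would hand back.
func selfSignedCert(cn string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	agentKey, err := newKey() // assumed: the key the agent currently holds
	if err != nil {
		panic(err)
	}
	staleKey, err := newKey() // assumed: a key from an earlier, discarded ssldir
	if err != nil {
		panic(err)
	}
	// Assumed scenario: the CA signed a request made with staleKey, but the
	// agent now holds agentKey, so the served certificate cannot match.
	cert, err := selfSignedCert("client", staleKey)
	if err != nil {
		panic(err)
	}
	fmt.Println("Certificate fingerprint:", Fingerprint(cert.Raw))
	fmt.Println("matches stale key:", CertMatchesKey(cert, staleKey)) // true
	fmt.Println("matches agent key:", CertMatchesKey(cert, agentKey)) // false
}
```

On a real host the same comparison can be made by hand: `openssl x509 -noout -pubkey -in <cert.pem>` and `openssl pkey -pubout -in <key.pem>` should print identical public key blocks when the certificate belongs to that key. Note that a CSR fingerprint and the fingerprint of the certificate issued from it are always different, because they are digests of different DER structures, so differing fingerprints in `puppet ca list` output are not by themselves evidence of a key mismatch.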

Martin Alfke

Jun 30, 2014, 2:24:30 AM
to puppet...@googlegroups.com
Hi Chris,
On 30 Jun 2014, at 05:23, Chris <dma...@gmail.com> wrote:

>
> master gets it:
> # puppet ca list
> client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
>
> and has signed itself:
> # puppet ca list --all
> client (SHA256) D4:6D:33:FE:33:98:C1:42:77:ED:D3:33:16:8D:A0:C6:37:1F:90:6B:03:D2:EC:79:52:FF:03:2E:8C:7F:D8:50
> + puppet-master (SHA256) 65:CE:54:5B:0A:93:5A:43:B4:D6:26:21:5C:99:F5:E9:3B:B3:59:98:4C:5C:84:24:A6:2D:06:C4:FC:DF:2F:A9
>
> So I sign it:
> # puppet ca sign client
> Notice: Signed certificate request for client
> Notice: Removing file Puppet::SSL::CertificateRequest client2.squiz.local at '/var/lib/puppet/ssl/ca/requests/client.pem'
> "-----BEGIN CERTIFICATE-----\n....cert contents here....
>
>
> Then the problems start:
>
> # puppet ca list --all
> Error: The certificate retrieved from the master does not match the agent's private key.
> Certificate fingerprint: B5:2C:39:40:27:31:47:4F:89:A8:75:EB:8D:1C:16:B9:31:14:4D:BE:B3:DD:AB:81:0E:F4:E4:F2:73:CC:C1:B9
> To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.

Will the same problem occur when using puppet cert instead of puppet ca?

- Martin

Chris

Jun 30, 2014, 9:14:51 PM
to puppet...@googlegroups.com
That worked fine, thanks.