puppet certificate generate fails for mcollective client


treydock

Mar 25, 2014, 6:58:46 PM3/25/14
to puppet...@googlegroups.com
Following the mcollective documentation [1] for adding clients to execute mco commands when using SSL I am getting an error executing the 'puppet certificate generate' command as my user account.  I feel like I'm missing something very obvious here.

$ puppet certificate generate treydock --ssldir ~/.mcollective.d/credentials --ca-location remote --ca_server puppet.<DOMAIN>
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: E3:EA:FA:AD:68:53:D8:AF:DB:63:C9:2A:89:CC:68:AA:4F:B2:35:F6:9F:8C:E0:3C:3F:56:D5:1F:41:45:0D:53
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean login3.<DOMAIN>
On the agent:
  rm -f /home/treydock/.mcollective.d/credentials/certs/login3.<DOMAIN>.pem
  puppet agent -t

Error: Try 'puppet help certificate generate' for usage

This happens from all my systems.

The host 'login3' puppet.conf (comments removed):

$ cat /etc/puppet/puppet.conf
[main]
    logdir = /var/log/puppet
    rundir = /var/run/puppet
    ssldir = $vardir/ssl
    privatekeydir = $ssldir/private_keys { group = service }
    hostprivkey = $privatekeydir/$certname.pem { mode = 640 }
    autosign       = $confdir/autosign.conf { mode = 664 }

[agent]
    classfile = $vardir/classes.txt
    localconfig = $vardir/localconfig
    default_schedules = false

    report        = true
    pluginsync    = true
    masterport    = 8140
    environment   = production
    certname      = login3.brazos.tamu.edu
    server        = puppet.brazos.tamu.edu
    listen        = false
    splay         = false
    runinterval   = 3600
    noop          = true
    show_diff     = true
    configtimeout = 120

Thanks
- Trey

Jon McKenzie

Apr 13, 2015, 11:58:07 AM4/13/15
to puppet...@googlegroups.com
I had this issue as well. To get around it you can pass an extra option: --certname <NAME>

This way it won't try to use your current host's FQDN as the certname (which will fail if it's already registered with the CA).

So, e.g.

puppet certificate generate treydock --certname treydock <rest of options>
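To make the failure mode concrete: the "does not match the agent's private key" error is Puppet comparing the public key inside the certificate it fetched (the one already enrolled under the host's FQDN) against the fresh private key it just generated in the ssldir. The Ruby below is an added illustration, not code from the thread or from Puppet itself; it uses a locally minted self-signed certificate in place of a real CA, and the certnames and key sizes are made-up values.

```ruby
require 'openssl'

# Mint a self-signed certificate for an RSA key. Constructed purely so the
# example runs offline; in the real flow a Puppet CA issues the certificate.
def self_signed_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Colon-separated SHA256 fingerprint of the DER encoding, the form the
# Puppet error message prints.
def fingerprint(cert)
  OpenSSL::Digest.new('SHA256').hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# The check behind the error: the public key embedded in the certificate
# must be the one derived from the private key on disk.
def cert_matches_key?(cert, key)
  cert.public_key.to_der == key.public_key.to_der
end

# Reproduce the thread's situation with constructed keys: the host's key
# (certname login3.example.invalid, hypothetical) is already enrolled, a new
# key is generated for the mco client, and the CA hands back the host's
# certificate instead of one for the new key. Then show the --certname fix:
# a certificate issued for the client key under its own certname matches.
def demo
  host_key   = OpenSSL::PKey::RSA.new(2048)
  host_cert  = self_signed_cert(host_key, 'login3.example.invalid')
  client_key = OpenSSL::PKey::RSA.new(2048)
  fixed_cert = self_signed_cert(client_key, 'treydock')
  {
    host_cert_fingerprint: fingerprint(host_cert),
    host_key_matches:      cert_matches_key?(host_cert, host_key),    # true
    client_key_matches:    cert_matches_key?(host_cert, client_key),  # false: the error case
    fixed_cert_matches:    cert_matches_key?(fixed_cert, client_key)  # true: after --certname
  }
end

if __FILE__ == $PROGRAM_NAME
  demo.each { |k, v| puts "#{k}: #{v}" }
end
```

Running it prints the three match results plus a fingerprint in the same layout as the error output, which is handy when comparing against what `puppet cert list --all` shows on the master.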