Hi all,
I have seen this behaviour and I am not sure why it is happening.
There's a node that is using Puppet normally:
May 20 20:58:18 node1dot90 puppet-agent[50057]: Finished catalog run in 41.90 seconds
Then Puppet was restarted, and after the restart the agent noticed that the FQDN had changed (from node1dot90 to
node1dot90.myvpn.com). Therefore, it tried to recreate its cert:
May 20 20:58:26 node1dot90 puppet-agent[24886]: Caught TERM; calling stop
May 20 20:58:27 node1dot90 puppet-agent[62421]: Reopening log files
May 20 20:58:27 node1dot90 puppet-agent[62415]: Creating a new SSL key for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Creating a new SSL certificate request for node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62415]: Certificate Request fingerprint (SHA256): BF:72:B6:08:C8:48:D3:3F:C8:E4:7C:E8:D0:CD:60:97:A1:2F:DE:3A:4C:C3:5C:61:25:FE:A4:53:79:D2:C1:54
May 20 20:58:28 node1dot90 puppet-agent[62415]: Caching certificate for node1dot90.myvpn.com
The Puppetmaster signed the cert:
May 20 20:58:28 ms1dot90 puppet-master[45608]: node1dot90.myvpn.com has a waiting certificate request
May 20 20:58:28 ms1dot90 puppet-master[45608]: Signed certificate request for node1dot90.myvpn.com
May 20 20:58:28 ms1dot90 puppet-master[45608]: Removing file Puppet::SSL::CertificateRequest node1dot90.myvpn.com at '/var/lib/puppet/ssl/ca/requests/node1dot90.myvpn.com.pem'
But then the agent failed because the certificate did not match:
May 20 20:58:28 node1dot90 puppet-agent[62415]: Sleeping for 14 seconds (splay is enabled)
May 20 20:58:28 node1dot90 puppet-agent[62421]: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
May 20 20:58:28 node1dot90 puppet-agent[62421]: Certificate fingerprint: 82:B5:A1:4E:51:69:8B:3B:7D:09:4D:02:79:93:37:CE:53:B0:EA:95:83:AD:0D:13:17:EE:95:81:31:20:9F:76
May 20 20:58:28 node1dot90 puppet-agent[62421]: To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
May 20 20:58:28 node1dot90 puppet-agent[62421]: On the master:
May 20 20:58:28 node1dot90 puppet-agent[62421]: puppet cert clean node1dot90.myvpn.com
May 20 20:58:28 node1dot90 puppet-agent[62421]: On the agent:
May 20 20:58:28 node1dot90 puppet-agent[62421]: rm -f /var/lib/puppet/ssl/certs/node1dot90.myvpn.com.pem
May 20 20:58:28 node1dot90 puppet-agent[62421]: puppet agent -t
How is that possible? If the Puppetmaster signed the certificate one second before, there should be no mismatch, right?
Thanks!
Cesar.
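The error the agent prints is the result of a public-key comparison: the public key inside the certificate fetched from the master is compared with the public key derived from the private key in the agent's ssldir, and any difference is reported as "does not match the agent's private key". The script below is an added example, not code from the original post or from Puppet: it reproduces that check with the plain openssl command line so the same comparison can be run by hand against /var/lib/puppet/ssl before cleaning anything. It assumes the openssl CLI is installed; the throwaway CA, the file names under a temp directory, and the second key (a key generated for the same certname that never had its CSR signed) are constructed for the demo; only the hostname is taken from the post.

```shell
#!/bin/sh
# Added example (not part of the original post or of Puppet): reproduce the
# "certificate does not match the agent's private key" condition with openssl
# and show the public-key comparison behind it. CA, file names and the
# second key are constructed for the demo.

WORK="$(mktemp -d)"
HOST="node1dot90.myvpn.com"

# Public key carried by a certificate, as PEM SubjectPublicKeyInfo.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey 2>/dev/null
}

# Public key derived from a private key, same PEM form.
key_pubkey() {
    openssl pkey -in "$1" -pubout 2>/dev/null
}

# Return 0 when the certificate was issued for this private key, 1 otherwise.
# Comparing the public halves is the same test the agent applies before it
# accepts a certificate downloaded from the master.
cert_matches_key() {
    [ "$(cert_pubkey "$1")" = "$(key_pubkey "$2")" ]
}

# SHA256 fingerprint in the colon-separated form seen in the agent log.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# --- constructed scenario: a toy CA and two keys for the same certname --------
# Toy CA standing in for the puppetmaster CA (self-signed, demo only).
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$WORK/ca.key" \
    -out "$WORK/ca.pem" -subj "/CN=Demo Puppet CA" -days 1 >/dev/null 2>&1

# Key A: the key whose CSR actually reaches the CA and gets signed.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/agentA.key" 2>/dev/null
openssl req -new -key "$WORK/agentA.key" -subj "/CN=$HOST" \
    -out "$WORK/agentA.csr" 2>/dev/null

# Key B: another key generated for the same certname, never submitted.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/agentB.key" 2>/dev/null

# The CA signs only the CSR built from key A.
openssl x509 -req -in "$WORK/agentA.csr" -CA "$WORK/ca.pem" \
    -CAkey "$WORK/ca.key" -CAcreateserial -out "$WORK/$HOST.pem" \
    -days 1 >/dev/null 2>&1

# Results exposed as functions so they can be checked from outside.
signed_cert_matches_key_a() { cert_matches_key "$WORK/$HOST.pem" "$WORK/agentA.key"; }
signed_cert_matches_key_b() { cert_matches_key "$WORK/$HOST.pem" "$WORK/agentB.key"; }

main() {
    printf 'Certificate fingerprint (SHA256): %s\n' "$(cert_fingerprint "$WORK/$HOST.pem")"
    if signed_cert_matches_key_a; then
        echo "key A: matches the signed certificate"
    fi
    if ! signed_cert_matches_key_b; then
        echo "key B: does NOT match the signed certificate (the condition the agent reported)"
    fi
}
main
```

On a real agent the same two commands apply to /var/lib/puppet/ssl/certs/<certname>.pem and /var/lib/puppet/ssl/private_keys/<certname>.pem: if their public keys differ, the key on disk is not the one the master signed, and the fingerprint printed by cert_fingerprint can be compared against the "Signed certificate request" entry on the master to see which request the master actually signed.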