Borked Client Cert in 0.25

216 views
Skip to first unread message

Douglas Garstang

unread,
Jun 27, 2010, 3:34:06 PM6/27/10
to Puppet Users
Here we go with puppet 0.25 certificate problems again.

I had a system where puppet was running fine. I reinstalled it.
Running puppet on the client causes this:

"Could not request certificate: Retrieved certificate does not match
private key; please remove certificate from server and regenerate it
with the current key".

Fine... so I run 'puppetca --clean kick01.fr.xxx.com' on the server,
who responds with:

[root@inst01 puppet]# puppetca --clean kick01.fr.xxx.com
kick01.fr.xxx.com
notice: Removing file Puppet::SSL::Certificate kick01.fr.xxx.com at
'/var/lib/puppet/ssl/ca/signed/kick01.fr.xxx.com.pem'

I then rerun puppet on the client and I am getting the same error. I
must have done this hundreds of times with 0.24.8. What am I doing
wrong now?

Doug.

Douglas Garstang

unread,
Jun 27, 2010, 3:47:38 PM6/27/10
to Puppet Users

*sigh*

On the client, I removed the puppet rpm, blew away /var/lib/puppet,
and reinstalled the puppet rpm again. Started puppet, it requested a
certificate (but it logged nothing on the client about it, even in
debug mode), signed it on the server, and I am still getting this on
the client.

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for kick01.fr.xxx.com
err: Could not request certificate: Retrieved certificate does not


match private key; please remove certificate from server and
regenerate it with the current key

*sigh*

Douglas Garstang

unread,
Jun 27, 2010, 3:50:59 PM6/27/10
to Puppet Users
On Sun, Jun 27, 2010 at 12:47 PM, Douglas Garstang

Puppet is on crack. Even when the server isn't running, I STILL get this error!

Patrick Mohr

unread,
Jun 27, 2010, 4:33:48 PM6/27/10
to puppet...@googlegroups.com

I think I know what the problem is. I ran into this exact error message before. Try this:

Step 1, run this on client:
service puppet stop
rm -R /var/lib/puppet

Step 2, run this on server:
puppetca --clean kick01.fr.xxx.com #Make sure to change this back

Step 3, run this on client:
#Restart the client how ever you like. I recommend this for testing:
puppetd --test --verbose --debug


I'm pretty sure this will work. If it does, I'll by happy to explain why you got all those different error messages.

Douglas Garstang

unread,
Jun 27, 2010, 5:40:38 PM6/27/10
to puppet...@googlegroups.com

Thanks Patrick. I got it to work somehow, with some magic combination
of commands, which may be what you suggested. Next time it happens
(and that won't be too far off), I'll try running through your steps.

Doug.

Patrick Mohr

unread,
Jun 27, 2010, 6:39:56 PM6/27/10
to puppet...@googlegroups.com
This is an approximation of what probably happened.  This is just to give a general idea, and may have some minor errors.

When a client wants to get a signed certificate, it normally goes through these steps:
1) Client generates a private key.
2) Client generates a Certificate Sign Request (CSR) from its private key and other information.
3) Client contacts server.
4) If client doesn't have ca.pem, if downloads it from the server at this point
5) Client sends its CSR to the server and asks for its signed certificate.
6) If server has a signed certificate for that client name, it sends the certificate to the client.

What probably happened with your client:
1) Client generates a private key.
2) Client generates a Certificate Sign Request (CSR) from its private key and other information.
3) Client contacts server.
4) If client doesn't have ca.pem, if downloads it from the server at this point
5) Client sends its CSR to the server and asks for its signed certificate.
6) If server has a signed certificate for that client name, it sends the certificate to the client.
7) Client is wiped
8) Client generates a private key.
9) Client generates a Certificate Sign Request (CSR) from its private key and other information.
10) Client contacts server.
11) If client doesn't have ca.pem, if downloads it from the server at this point
12) Client sends its CSR to the server and asks for its signed certificate.
13) Server sees that it already has the old signed certificate for that name and sends that certificate and ignores the CSR.
14) Client trys to use its certificate, but the cert matches the old private key instead of the new key so the certificate is unusable.

At this point, even if the client can't see the server, it still has a key/cert pair that doesn't match each other so it will still give the same error message.

Robert Krombholz

unread,
Jun 27, 2010, 4:16:50 PM6/27/10
to puppet...@googlegroups.com
Hi,

had the same problem a few days ago (luckily only in a test environment).
It seems that puppetca --clean ... is not enough in this case.
For me it was solved be deleting the corresponding cert from
/etc/puppet/ssl/certs on the server & the client.

Robert

Reply all
Reply to author
Forward
0 new messages