Puppet master does not list certificate request


felix

May 22, 2012, 11:44:35 AM
to puppet...@googlegroups.com
This seems to be fairly common, and I've tried master clean and client remove, and even tried removing all master / client ssl files and restarting the puppetmaster.


Both client and server are running 2.7.14.

I did have master running 2.6.4 the first time I tried and I DID get the certificates recognized.
I ran into a problem and decided it was best that they were all running the same version.

But now, despite removing ssl/, it is still ignoring me.

the client sees:

sudo puppet agent --test server='blah.blah.com'
[sudo] password for crucial: 
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

the master sees:

puppet master version 2.7.14
err: Removing mount files: /etc/puppet/files does not exist
info: access[^/catalog/([^/]+)$]: allowing 'method' find
info: access[^/catalog/([^/]+)$]: allowing $1 access
info: access[/certificate_revocation_list/ca]: allowing 'method' find
info: access[/certificate_revocation_list/ca]: allowing * access
info: access[/report]: allowing 'method' save
info: access[/report]: allowing * access
info: access[/file]: allowing * access
info: access[/certificate/ca]: adding authentication no
info: access[/certificate/ca]: allowing 'method' find
info: access[/certificate/ca]: allowing * access
info: access[/certificate/]: adding authentication no
info: access[/certificate/]: allowing 'method' find
info: access[/certificate/]: allowing * access
info: access[/certificate_request]: adding authentication no
info: access[/certificate_request]: allowing 'method' find
info: access[/certificate_request]: allowing 'method' save
info: access[/certificate_request]: allowing * access
info: access[/]: adding authentication any
info: Inserting default '~ ^/node/([^/]+)$' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
info: Inserting default '/status' (auth true) ACL because none were found in '/etc/puppet/auth.conf'
info: Could not find certificate for 'crucial-systems.com'
info: Could not find certificate for 'crucial-systems.com'
info: Could not find certificate for 'crucial-systems.com'

but there are no certs waiting to be signed:

sudo puppet cert --list

I've tried generating manually on master:

sudo puppet cert generate crucial-systems.com

which interestingly enough says:

notice: crucial-systems.com has a waiting certificate request
notice: Signed certificate request for crucial-systems.com
notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/ca/requests/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::CertificateRequest crucial-systems.com at '/var/lib/puppet/ssl/certificate_requests/crucial-systems.com.pem'

as though there was something waiting there.

The client now fails because the certificate does not match:

warning: peer certificate won't be verified in this SSL session
info: Caching certificate for crucial-systems.com
err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: 7F:7C:65:E6:4B:46:92:BC:47:09:6D:60:F5:EE:96:57
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean crucial-systems.com
On the agent:
  rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem
  puppet agent -t

Exiting; failed to retrieve certificate and waitforcert is disabled

I try doing what I'm told and remove the master's certificate (the one just generated) and the local files:

# master
sudo puppet cert clean crucial-systems.com
notice: Revoked certificate with serial 8
notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/ca/signed/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::Certificate crucial-systems.com at '/var/lib/puppet/ssl/certs/crucial-systems.com.pem'
notice: Removing file Puppet::SSL::Key crucial-systems.com at '/var/lib/puppet/ssl/private_keys/crucial-systems.com.pem'

# client
sudo rm -f /var/lib/puppet/ssl/certs/crucial-systems.com.pem

And I'm right back where I started: the master sees the request and just ignores it, and never stores any certificate request.

thanks !

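The "does not match the agent's private key" failure above follows from what `puppet cert generate` does: the clean output shows the master removing its own `private_keys/crucial-systems.com.pem`, so the master had minted a second key pair for that name and signed a certificate for it, which the agent's existing key can never match. The script below is an added example, not code from the post or from Puppet: it rebuilds that situation with plain openssl in a temporary directory (a constructed CA, an agent key with a signed CSR, and a second master-side key for the same name) and shows the check an admin can run on either side, comparing the RSA modulus of a certificate with that of a private key, plus the MD5 fingerprint in the form the 2.7 agent prints so it can be compared with `puppet cert fingerprint <fqdn>` on the master. It assumes `openssl` and `mktemp` are installed and that the keys are RSA, as Puppet 2.7's are; the hostname is only used as a CN.

```shell
#!/bin/sh
# Added example (not Puppet's own code): reproduce the "certificate retrieved
# from the master does not match the agent's private key" condition with plain
# openssl, and show the check to run before deciding that `puppet cert clean`
# on the master plus removing the agent's cert is the right fix.
# Assumptions: openssl and mktemp are available; keys are RSA (Puppet 2.7 default).

# cert_matches_key CERT KEY
# Exit 0 when the certificate's public key was derived from KEY (equal RSA
# moduli), 1 when it was not, 2 when either file cannot be parsed.
cert_matches_key() {
    cert_mod=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null) || return 2
    key_mod=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null) || return 2
    [ "$cert_mod" = "$key_mod" ]
}

# cert_fingerprint CERT
# MD5 fingerprint as AA:BB:..., the form the 2.7 agent prints in its error,
# so it can be compared with `puppet cert fingerprint <fqdn>` on the master.
cert_fingerprint() {
    openssl x509 -noout -fingerprint -md5 -in "$1" | sed 's/^.*=//'
}

# build_scenario
# Constructed lab in a temp dir (path printed on stdout) mirroring the thread:
#   ca.key / ca.pem              stand-in for the puppetmaster's CA
#   agent.key                    the agent's private_keys/<fqdn>.pem
#   cert_from_agent_csr.pem      CA-signed cert for a CSR made with agent.key
#   master.key                   second key for the same name, i.e. what
#   cert_from_master_key.pem     `puppet cert generate <fqdn>` on the master made
build_scenario() {
    dir=$(mktemp -d) || return 1
    fqdn="crucial-systems.com"   # hostname from the post, used only as a CN here
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/ca.key" -subj "/CN=Puppet CA: example" \
        -days 1 -out "$dir/ca.pem" 2>/dev/null
    for side in agent master; do
        openssl genrsa -out "$dir/$side.key" 2048 2>/dev/null
        openssl req -new -key "$dir/$side.key" -subj "/CN=$fqdn" \
            -out "$dir/$side.csr" 2>/dev/null
    done
    openssl x509 -req -in "$dir/agent.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 7 -days 1 -out "$dir/cert_from_agent_csr.pem" 2>/dev/null
    openssl x509 -req -in "$dir/master.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -set_serial 8 -days 1 -out "$dir/cert_from_master_key.pem" 2>/dev/null
    echo "$dir"
}

# report CERT KEY: one-line verdict in the spirit of the agent's own message
report() {
    if cert_matches_key "$1" "$2"; then
        echo "OK       $(basename "$1") belongs to $(basename "$2") ($(cert_fingerprint "$1"))"
    else
        echo "MISMATCH $(basename "$1") was not issued for $(basename "$2") ($(cert_fingerprint "$1"))"
        echo "         -> master: puppet cert clean <fqdn>; agent: rm certs/<fqdn>.pem, puppet agent -t"
    fi
}

lab=$(build_scenario)
report "$lab/cert_from_agent_csr.pem"  "$lab/agent.key"    # healthy enrolment
report "$lab/cert_from_master_key.pem" "$lab/agent.key"    # the post's failure
report "$lab/cert_from_master_key.pem" "$lab/master.key"   # cert is fine, just for the wrong key
rm -rf "$lab"
```

On a real host, point `cert_matches_key` at `/var/lib/puppet/ssl/certs/<fqdn>.pem` and `/var/lib/puppet/ssl/private_keys/<fqdn>.pem` on the agent (and at `ca/signed/<fqdn>.pem` on the master). The same check is worth running after the wholesale `rm -rf /var/lib/puppet/ssl` on the master in the follow-up: that discards the CA itself, so every agent's existing certificate, even one that still matches its key, is now signed by a CA the master no longer has, and each agent's ssl directory has to be cleared and re-enrolled against the new CA.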


felix

May 22, 2012, 12:09:08 PM
to puppet...@googlegroups.com

I've gotten it to work by removing the entire /var/lib/puppet/ssl on master and all clients.

It seems quite finicky. More SSL errors now when I try to do any connection.