Thursday, April 28, 2016

Puppet - "puppet ca list --all" Stupid Failure

From our Puppet master server, if I run "puppet ca list --all", it will fail with the following messages:
# puppet ca list --all

Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.

On the master:
  puppet cert clean puppet-master.xxx.com

On the agent:
  1a. On most platforms: find /var/lib/puppet/ssl -name puppet-master.xxx.com.pem -delete
  1b. On Windows: del "/var/lib/puppet/ssl/puppet-master.xxx.com.pem" /f
  2. puppet agent -t

The first thing I did was verify the fingerprint using the openssl command:
# openssl x509 -in /var/lib/puppet/ssl/ca/signed/puppet-master.xxx.com.pem -fingerprint -md5 -noout

and it turns out the fingerprint does match. Then I tried the solution suggested by the output, but I was still getting the same error message. I also tried upgrading puppet to:
puppet-server-3.8.7-1.el7.noarch
puppetlabs-release-7-11.noarch
puppetdb-terminus-2.3.6-1.el7.noarch
puppetdb-2.3.8-1.el7.noarch
puppet-3.8.7-1.el7.noarch
Still no luck. I think this is a Puppet bug, because you can use "puppet cert list --all" to get the correct output and all Puppet clients still work fine; only "puppet ca list --all" always throws the error (on the Puppet master). So, in conclusion: use "puppet cert list --all" instead. Please notify me if you have found a solution for this.
