From our Puppet master server, if I run "puppet ca list --all", it fails with the following messages:
# puppet ca list --all
Error: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX:XX
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
puppet cert clean puppet-master.xxx.com
On the agent:
1a. On most platforms: find /var/lib/puppet/ssl -name puppet-master.xxx.com.pem -delete
1b. On Windows: del "/var/lib/puppet/ssl/puppet-master.xxx.com.pem" /f
2. puppet agent -t
The first thing I did was to verify the fingerprint with the openssl command:
# openssl x509 -in /var/lib/puppet/ssl/ca/signed/puppet-master.xxx.com.pem -fingerprint -md5 -noout
and it turns out the fingerprint does match.
Then I tried the solution suggested by the output, but I still got the same error message.
I also tried upgrading Puppet to:
puppet-server-3.8.7-1.el7.noarch
puppetlabs-release-7-11.noarch
puppetdb-terminus-2.3.6-1.el7.noarch
puppetdb-2.3.8-1.el7.noarch
puppet-3.8.7-1.el7.noarch
Still no luck.
I think this is a Puppet bug, because "puppet cert list --all" gives the correct output and all Puppet clients still work fine; only "puppet ca list --all" on the Puppet master always throws this error.
Conclusion:
use "puppet cert list --all" instead.
Please let me know if you have found a solution for this.
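Since the error complains that the certificate does not match the private key, and a matching fingerprint only proves the certificate file is the one the CA signed, the check below compares the public key inside a certificate with the one derived from a private key. This is an added example, not part of the original post; it uses constructed demo material in a temp directory instead of the real /var/lib/puppet/ssl files, and puppet-master.example.com is a placeholder name.

```shell
#!/bin/sh
# Added example (not from the original post): does this certificate
# actually belong to this private key? That pairing, not the fingerprint,
# is what Puppet's "does not match the agent's private key" error checks.
set -eu

# Stable digest of the public key carried inside a certificate.
cert_pubkey_digest() {
    openssl x509 -in "$1" -pubkey -noout | openssl sha256 | awk '{print $NF}'
}

# Same digest, derived from a private key file.
key_pubkey_digest() {
    openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256 | awk '{print $NF}'
}

# Returns 0 when the certificate and private key belong together.
cert_matches_key() {
    [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Fingerprint of the DER certificate, the value the post compared by hand
# (pick the digest that matches what your Puppet version prints).
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Constructed demo material; on a real master the files live under
# /var/lib/puppet/ssl/ (private_keys/<fqdn>.pem and certs/<fqdn>.pem).
demo_dir=$(mktemp -d)
openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=puppet-master.example.com" \
    -keyout "$demo_dir/good.key" -out "$demo_dir/good.crt" -days 1 2>/dev/null
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$demo_dir/other.key" 2>/dev/null

if cert_matches_key "$demo_dir/good.crt" "$demo_dir/good.key"; then
    echo "good.key matches good.crt ($(cert_fingerprint "$demo_dir/good.crt"))"
fi
if ! cert_matches_key "$demo_dir/good.crt" "$demo_dir/other.key"; then
    echo "other.key does NOT match good.crt: the mismatch Puppet reports"
fi
```

Run the two digest functions against the master's own certs/<fqdn>.pem and private_keys/<fqdn>.pem: if they differ, the key and certificate really are out of step regardless of what the fingerprint says.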