Thursday, April 28, 2016

Puppet - "puppet ca list --all" Stupid Failure

From our Puppet master server, if I run "puppet ca list --all", it will fail with the following messages:
# puppet ca list --all

Error: The certificate retrieved from the master does not match the agent's private key.
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.

On the master:
  puppet cert clean

On the agent:
  1a. On most platforms: find /var/lib/puppet/ssl -name -delete
  1b. On Windows: del "/var/lib/puppet/ssl/" /f
  2. puppet agent -t

The first thing I did was to verify the fingerprint using the openssl command:
# openssl x509 -in /var/lib/puppet/ssl/ca/signed/ -fingerprint -md5 -noout

and it turns out the fingerprint does match. Then I tried the solution suggested by the output, and still got the same error message. I also tried upgrading puppet to:
Still no luck. This is a puppet bug I think, because you can use "puppet cert list --all" to get the correct output, all puppet clients still work fine, just "puppet ca list --all" always throws an error (on the puppet master). So, conclusion: use "puppet cert list --all" instead. Please notify me if you find a solution for this.
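The error above claims the certificate and the agent's private key do not belong together, so the check worth scripting is whether a cert's public key was actually derived from a given private key. This is an added example, not from the original post or from Puppet itself; the file names under /var/lib/puppet/ssl (certs/<fqdn>.pem, private_keys/<fqdn>.pem) and the hostname are assumed placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): decide whether an X.509
# certificate and a private key form a pair, which is exactly what Puppet's
# "does not match the agent's private key" message is complaining about.
set -eu

# SHA-256 digest of the DER-encoded public key embedded in a certificate.
cert_pubkey_digest() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same digest, but derived from the private key, so both sides are comparable.
key_pubkey_digest() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit status 0 when the cert's public key matches the private key, 1 otherwise.
cert_matches_key() {
  [ "$(cert_pubkey_digest "$1")" = "$(key_pubkey_digest "$2")" ]
}

# Assumed Puppet agent paths and hostname; override via the environment.
AGENT_CERT="${AGENT_CERT:-/var/lib/puppet/ssl/certs/agent.example.com.pem}"
AGENT_KEY="${AGENT_KEY:-/var/lib/puppet/ssl/private_keys/agent.example.com.pem}"

if [ -r "$AGENT_CERT" ] && [ -r "$AGENT_KEY" ]; then
  if cert_matches_key "$AGENT_CERT" "$AGENT_KEY"; then
    echo "OK: $AGENT_CERT matches $AGENT_KEY"
  else
    echo "MISMATCH: $AGENT_CERT was not issued for $AGENT_KEY" >&2
  fi
else
  echo "skipping: agent cert or key not readable at the assumed paths" >&2
fi
```

If the pair matches here but "puppet ca list" still complains on the master, the key material is not the problem and the message is misleading, which is the situation the post describes.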
