[Puppet Users] Certificate / Private Key Mismatch
Mike
2011-01-06 14:33:12 UTC
Hi,

When I start puppetd on my client machine I get this message in /var/log/messages:

Parsing /etc/puppet/puppet.conf
reopening log files
could not request certificate; retrieved certificate does not match
private key;
Please remove certificate from server and regenerate it with current
key
Could not retrieve catalog from remote server
Using cached catalog
Could not retrieve catalog
skipping run.

Has anyone seen this and know how to solve this problem? I saw in the
Puppet Dashboard that nodes were not reporting which led me to finding
the above messages in the logs. Thanks in advance for anyone's help in
solving this problem.

Mike
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-***@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+***@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Adam Heinz
2011-01-06 16:29:37 UTC
I get that message when I rebuild a server in place. Puppetmaster is
complaining that the public key it expects for your node has changed.
On your puppetmaster as root, do:

find /var/lib/puppet/ssl/ -name $1.pem -delete
sed '/$1/d' /var/lib/puppet/ssl/ca/inventory.txt > /tmp/inventory.txt
mv -f /tmp/inventory.txt /var/lib/puppet/ssl/ca/inventory.txt

where $1 is the fqdn of the node.
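As an added example (not code from the thread or from Puppet), the same cleanup as the three commands above written as a shell function, with the inventory entry matched on its exact CN field: sed's '/$1/d' is a regex substring match, so '/node.example.com/d' also removes the line for mynode.example.com, and each '.' matches any character. Assumed here: inventory.txt lines of the form "<serial> <not_before> <not_after> /CN=<fqdn>", and a constructed throwaway ssl directory for the demonstration; the later reply's `puppet cert --clean` remains the preferred route.

```shell
#!/bin/sh
# Added example, not code from the thread.  Same effect as find/sed/mv above,
# but the inventory line is dropped only when its last field equals /CN=<fqdn>.
# Assumed inventory.txt layout: "<serial> <not_before> <not_after> /CN=<fqdn>".
puppet_ssl_clean_node() {
    ssldir=$1
    fqdn=$2
    inventory="$ssldir/ca/inventory.txt"

    # Remove only files named exactly <fqdn>.pem, as the find command above does.
    find "$ssldir" -name "$fqdn.pem" -type f -delete

    # Keep every inventory line whose last field is not /CN=<fqdn>; write the
    # result beside the inventory so the final mv is an atomic rename.
    tmp=$(mktemp "$ssldir/ca/inventory.XXXXXX")
    awk -v cn="/CN=$fqdn" '$NF != cn' "$inventory" > "$tmp"
    mv -f "$tmp" "$inventory"
}

# Constructed fixture: a throwaway ssl dir holding two nodes whose names overlap,
# so a substring match on "node.example.com" would wrongly hit both.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/ca/signed" "$d/certs"
    for n in node.example.com mynode.example.com; do
        echo "constructed cert for $n" > "$d/ca/signed/$n.pem"
        echo "constructed cert for $n" > "$d/certs/$n.pem"
    done
    printf '%s\n' \
        '0x0001 2011-01-06T14:33:12GMT 2016-01-05T14:33:12GMT /CN=node.example.com' \
        '0x0002 2011-01-06T14:40:00GMT 2016-01-05T14:40:00GMT /CN=mynode.example.com' \
        > "$d/ca/inventory.txt"
    echo "$d"
}

# Real usage on a puppetmaster, as root:
#   puppet_ssl_clean_node /var/lib/puppet/ssl node.example.com
```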
M***@ocfl.net
2011-01-06 16:34:48 UTC
Hi Adam,

Thanks for the information. I will give this a try.

Mike

M***@ocfl.net
2011-01-06 18:33:50 UTC
Hi Adam,

This process seemed to work as far as keys go. However, when I
restarted the puppetd client, I now get a message in the log that states:
Starting puppet client version 2.6.4
Could not retrieve catalog from remote server; hostname was not a match
with the server certificate.
Any ideas?

Thanks,

Mike

-----Original Message-----
From: puppet-***@googlegroups.com
[mailto:puppet-***@googlegroups.com] On Behalf Of
***@ocfl.net
Sent: Thursday, January 06, 2011 11:35 AM
To: puppet-***@googlegroups.com
Subject: RE: [Puppet Users] Certificate / Private Key Mismatch

Hi Adam,

Thanks for the information. I will give this a try.

Mike

-----Original Message-----
From: puppet-***@googlegroups.com
[mailto:puppet-***@googlegroups.com] On Behalf Of Adam Heinz
Sent: Thursday, January 06, 2011 11:30 AM
To: puppet-***@googlegroups.com
Subject: Re: [Puppet Users] Certificate / Private Key Mismatch

I get that message when I rebuild a server in place. Puppetmaster is
complaining that the public key it expects for your node has changed.
On your puppetmaster as root, do:

find /var/lib/puppet/ssl/ -name $1.pem -delete sed '/$1/d'
/var/lib/puppet/ssl/ca/inventory.txt > /tmp/inventory.txt mv -f
/tmp/inventory.txt /var/lib/puppet/ssl/ca/inventory.txt

where $1 is the fqdn of the node.

--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-***@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+***@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.


_____________________________________________________________________
PLEASE NOTE: Florida has a very broad public records law (F. S. 119).
All e-mails to and from County Officials are kept as a public record.
Your e-mail communications, including your e-mail address may be
disclosed to the public and media at any time.

--
You received this message because you are subscribed to the Google
Groups "Puppet Users" group.
To post to this group, send email to puppet-***@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+***@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.


_____________________________________________________________________
PLEASE NOTE: Florida has a very broad public records law (F. S. 119).
All e-mails to and from County Officials are kept as a public record.
Your e-mail communications, including your e-mail address may be
disclosed to the public and media at any time.
--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-***@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+***@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Adam Heinz
2011-01-07 14:17:38 UTC
> This process seemed to work as far as keys go. However, when I
> restarted the puppetd client now I get a message
> Starting puppet client version 2.6.4
> Could not retrieve catalog from remote server; hostname was not a match
> with the server certificate. Any ideas?
When I paste your error message into Google, I get...

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=573416
M***@ocfl.net
2011-01-07 15:23:33 UTC
Hi Adam,

Thanks for the link. I actually figured out the problem yesterday as being a name resolution issue. Sort
of exactly what the Google bug article indicated.

Mike
Daniel Pittman
2011-01-06 17:48:28 UTC
> I get that message when I rebuild a server in place.  Puppetmaster is
> complaining that the public key it expects for your node has changed.
> find /var/lib/puppet/ssl/ -name $1.pem -delete
> sed '/$1/d' /var/lib/puppet/ssl/ca/inventory.txt > /tmp/inventory.txt
> mv -f /tmp/inventory.txt /var/lib/puppet/ssl/ca/inventory.txt
> where $1 is the fqdn of the node.
A better way to do this is to use the Puppet CA application:

] puppet cert --clean $1 # $1 is the node name, as before

(on older releases, puppetca --clean)

That does pretty much the same thing, but does the right locking and
everything else. Plus, if you suddenly need to start doing something
more on the node puppet labs will update that application to do it,
while the DIY version means you need to know what goes on inside our
CA. :)

Regards,
Daniel
--
✉ Daniel Pittman <***@rimspace.net>
⌨ ***@rimspace.net (XMPP)
☎ +1 503 893 2285
♻ made with 100 percent post-consumer electrons
Adam Heinz
2011-01-06 18:49:17 UTC
> ] puppet cert --clean $1  # $1 is the node name, as before
> (on older releases, puppetca --clean)
> That does pretty much the same thing, but does the right locking and
> everything else.  Plus, if you suddenly need to start doing something
> more on the node puppet labs will update that application to do it,
> while the DIY version means you need to know what goes on inside our
> CA. :)
Thanks for the tip. I don't know why I didn't think to check if
puppetca had that facility -- I call puppetca --sign just a couple
lines below that in my bootstrap script. X-D