gilad s

Reputation: 485

puppet enterprise ssl cert error

I'm trying to install puppet enterprise on EC2.

The puppet server seems to work fine.

/etc/hosts :

127.0.0.1 puppet

puppet cert list --all: doesn't show anything

On the puppet agent :

/etc/hosts :

10.113.148.136     ip-10-113-148-136.ec2.internal     ip-10-113-148-136      puppet

when I run "puppet agent --test"

Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key. To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.

On the master:

puppet cert clean bla1.example.com

On the agent:

rm -f /home/ubuntu/.puppet/ssl/certs/bla1.example.com.pem
puppet agent -t

When I run this command on the master, I get the error:

Error: Could not find a serial number for bla1.example.com

And when I run "puppet agent -t" I get the same error message

Also note that in the web-ui: bla1.example.com shows in the "unresponsive" list

When I run "puppet agent --server puppet --waitforcert 30 --test" I get the same error message and afterwards this message:

Info: Retrieving plugin
Error: /File[/home/ubuntu/.puppet/var/lib]: Failed to generate additional resources using 'eval_generate': SSL_CTX_use_PrivateKey:: key values mismatch
Error: /File[/home/ubuntu/.puppet/var/lib]: Could not evaluate: SSL_CTX_use_PrivateKey:: key values mismatch Could not retrieve file metadata for puppet://puppet/plugins: SSL_CTX_use_PrivateKey:: key values mismatch
Error: Could not retrieve catalog from remote server: SSL_CTX_use_PrivateKey:: key values mismatch
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_CTX_use_PrivateKey:: key values mismatch

Upvotes: 1

Views: 6550
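The "SSL_CTX_use_PrivateKey: key values mismatch" error in the question is OpenSSL saying that the public key inside the certificate the agent is presenting is not the public key that belongs to the private key it loaded. Before cleaning anything on the master, you can confirm that on the agent with plain OpenSSL. The script below is an added example, not code from the original question or from Puppet: it fingerprints the public key embedded in a certificate and the public key derived from a private key, compares them, and prints the certificate's CN so you can check it against the agent's certname. The Puppet paths in the comments (`puppet config print ssldir`, `certs/<certname>.pem`, `private_keys/<certname>.pem`) are assumptions about a typical install; the demo runs on throwaway keys and a self-signed certificate it generates itself.

```shell
#!/bin/sh
# Added example (not from the original question or from Puppet itself).
# Checks whether an X.509 certificate and a private key belong together,
# which is what OpenSSL is complaining about with
# "SSL_CTX_use_PrivateKey: key values mismatch".
#
# On a Puppet agent the files to compare are normally (assumed layout):
#   $(puppet config print ssldir)/certs/<certname>.pem
#   $(puppet config print ssldir)/private_keys/<certname>.pem
# If the fingerprints below differ, the agent kept an old private key (or
# received a cert issued for a different key) and both sides must be cleaned.

# SHA-256 of the DER-encoded public key embedded in a certificate.
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# SHA-256 of the DER-encoded public key derived from a private key.
key_pubkey_fp() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when cert and key match, 1 otherwise.
cert_matches_key() {
  [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Subject of a certificate in RFC 2253 form, e.g. "CN=bla1.example.com",
# to compare against the agent's certname / the master's expected name.
cert_subject() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Demo on constructed material in a temp dir: key A signs a self-signed cert,
# key B is an unrelated key (the situation after an agent regenerates its key
# while the old certificate is still on disk).
demo() {
  dir=$(mktemp -d)
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/a.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/b.key" 2>/dev/null
  openssl req -new -x509 -key "$dir/a.key" -subj "/CN=bla1.example.com" -days 1 \
    -out "$dir/a.crt" 2>/dev/null
  cert_matches_key "$dir/a.crt" "$dir/a.key" && same=match || same=mismatch
  cert_matches_key "$dir/a.crt" "$dir/b.key" && other=match || other=mismatch
  subject=$(cert_subject "$dir/a.crt")
  rm -rf "$dir"
  echo "subject=$subject a.key=$same b.key=$other"
}

# Usage on a real agent (paths assumed, see above):
#   cert_matches_key "$ssldir/certs/$certname.pem" "$ssldir/private_keys/$certname.pem" \
#     && echo "cert and key match" || echo "key values mismatch"
demo
```

When the two fingerprints differ on a real agent, removing only `certs/<certname>.pem` is not enough: the stale private key is still in `private_keys/`, so the next run will request a new cert for it and the master will either reissue or keep serving the old one. Clean the agent's whole `ssl` directory (or at least its cert, CSR and key) together with the master-side `puppet cert clean`, then rerun the agent so a fresh key and CSR are generated as a pair.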

Answers (3)

Greg Bray

Reputation: 15767

Could not retrieve catalog from remote server: SSL_CTX_use_PrivateKey: key values mismatch

If you see those errors in your syslog from puppet agent interval runs (or when forced using pkill -SIGUSR1 puppet) after changing the certificates, try stopping and starting the puppet agent. It may look like the agent is using the right "Certificate fingerprint: ..." value in the logs, but that error likely means the private key resident in memory doesn't match the new public cert.

Upvotes: 0

levy

Reputation: 853

In puppet.conf, server=FQDN: does the FQDN in the agent's puppet.conf match the private key FQDN on the puppet master in /var/lib/puppet/ssl/private_keys/? I think I ran into a similar issue.

Upvotes: 3

Mateusz M.

Reputation: 392

# puppet cert sign <node>; puppet cert clean <node>

Upvotes: 0
