Monday, August 13, 2012

Puppet client cert clash

I'm starting to add Puppet to my skillset.

I made a mistake on my test VM, so I rebuilt it, and I thought that just doing a:

puppetca --revoke puppetclient1.test.com

Would suffice ... I was wrong.

Instead I got:

root@puppetclient1:~# puppetd --waitforcert 60 -t --server puppetmaster.test.com
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
err: Could not retrieve catalog from remote server: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run


I found out that you actually need to:

a) On the client, cd to '/var/lib/puppet/ssl/'. Just run 'find .', and then rm only those certs that are applicable to your client (don't rm ca.pem).
b) On the puppetmaster, run 'puppetca clean puppetclient1.test.com'.
c) On the puppet client, run 'puppetd --waitforcert 60 -t --server puppetmaster.test.com'.
d) On the puppet master, run 'puppetca --sign puppetclient1.test.com'.
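The error above happens because the rebuilt client generated a fresh private key, while the master still held the certificate it had signed for the old key under the same certname; revoking only adds the old cert to the CRL, it does not clear that cached cert and CSR, so the agent keeps receiving a cert that does not match its key. Step a) is the part that is easy to get wrong by hand, since an over-eager rm in /var/lib/puppet/ssl also deletes ca.pem and the agent can then no longer verify the master at all. The script below is an added example written for this post, not the author's or Puppet's own code: it wraps the client-side cleanup in a function that removes only the files for one certname and refuses to touch the CA cert or CRL, and it builds a throw-away directory tree (the layout of certs/, private_keys/, public_keys/ and certificate_requests/ is assumed from the 2.x agent) so it can be checked offline before being pointed at a real SSL dir.

```shell
# Added example (not from the original post): reproduce the cleanup in
# step a) as a function that removes only the files belonging to one
# client certname under the agent's SSL directory, never ca.pem or crl.pem.
#
# Assumed layout (matches a Puppet 2.x agent; adjust for your install):
#   $SSL_DIR/certs/<certname>.pem
#   $SSL_DIR/private_keys/<certname>.pem
#   $SSL_DIR/public_keys/<certname>.pem
#   $SSL_DIR/certificate_requests/<certname>.pem
#   $SSL_DIR/certs/ca.pem and $SSL_DIR/crl.pem (must survive)

# Build a constructed fixture mirroring that layout so this runs offline.
make_fixture() {
  ssl_dir=$1; certname=$2
  for sub in certs private_keys public_keys certificate_requests; do
    mkdir -p "$ssl_dir/$sub"
    printf 'constructed %s for %s\n' "$sub" "$certname" > "$ssl_dir/$sub/$certname.pem"
  done
  printf 'constructed CA cert\n' > "$ssl_dir/certs/ca.pem"
  printf 'constructed CRL\n'     > "$ssl_dir/crl.pem"
}

# Remove the per-client files for certname $2 under SSL dir $1.
# Prints how many files were removed; refuses an empty name or "ca",
# because certs/ca.pem is the master's CA cert, not a client cert.
purge_client_certs() {
  ssl_dir=$1; certname=$2
  case "$certname" in
    ""|ca) echo "refusing to remove the CA cert" >&2; return 1 ;;
  esac
  removed=0
  for sub in certs private_keys public_keys certificate_requests; do
    f="$ssl_dir/$sub/$certname.pem"
    if [ -f "$f" ]; then
      rm -f -- "$f"
      removed=$((removed + 1))
    fi
  done
  echo "$removed"
}

# Count *.pem files left under the SSL dir, so a caller can verify that
# only the client's own files went away (ca.pem and crl.pem remain).
count_pems() {
  find "$1" -type f -name '*.pem' | wc -l | tr -d ' '
}

# Usage against a real agent (run as root, after stopping the agent):
#   purge_client_certs /var/lib/puppet/ssl puppetclient1.test.com
# then continue with steps b) to d) on the master and client.
```

After this the agent has no cert, key or CSR for its certname, so the next puppetd run generates a new key and CSR; once 'puppetca clean' on the master has dropped the stale cert, 'puppetca --sign' signs the new request and the mismatch goes away.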

HTH
Brent