Puppet / PUP-2354

agent is confused about cert state

    Details

    • CS Priority:
      Reviewed
    • Release Notes:
      Bug Fix
    • Release Notes Summary:
      Puppet agents no longer get stuck if the server has a CSR or cert from a previous instance of the agent. This enables the `allow_duplicate_certs` setting to work as expected.

      Description

      On my master, I set:

      [main]
        allow_duplicate_certs = true
      

      On the master, I regenerate a private key and get this failure:

      root@cygnet-2:~# puppet agent -t --ssldir=/tmp/
      info: Creating a new SSL key for cygnet-2.cygnet.lab
      warning: peer certificate won't be verified in this SSL session
      info: Caching certificate for ca
      warning: peer certificate won't be verified in this SSL session
      info: Caching certificate for cygnet-2.cygnet.lab
      err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
      Certificate fingerprint: B5:FE:4C:B6:D8:75:2C:8D:FD:05:48:53:43:DC:B4:10
      To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
      On the master:
        puppet cert clean cygnet-2.cygnet.lab
      On the agent:
        rm -f /tmp/certs/cygnet-2.cygnet.lab.pem
        puppet agent -t
      

      It appears that the agent does not actually resend its cert req if one already exists, meaning that `allow_duplicate_certs` does not work with puppet agent.

      This issue was observed with Puppet 2.7.12, but I do not believe it is a regression.
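
      The key/certificate mismatch reported in the output above can be checked directly by testing the certificate's public key against the local private key. The Ruby below is an added example, not code from the report or from Puppet; the certname, the self-signed stand-in for a CA-signed certificate, and the use of MD5 for the fingerprint (inferred from the 16-byte value in the log) are assumptions.

```ruby
require 'openssl'
require 'digest'

# Build a self-signed certificate for +key+. This stands in for the
# CA-signed agent certificate the master would hold (assumption).
def issue_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Colon-separated MD5 fingerprint of the DER encoding, the same shape
# as the "Certificate fingerprint" line in the agent output.
def fingerprint(cert)
  Digest::MD5.hexdigest(cert.to_der).upcase.scan(/../).join(':')
end

# :match when the certificate's public key belongs to +key+,
# :mismatch when the certificate was issued for a different key.
def cert_state(key, cert)
  cert.check_private_key(key) ? :match : :mismatch
end

CERTNAME   = 'agent.example.test'              # constructed name
OLD_KEY    = OpenSSL::PKey::RSA.new(2048)      # key of the previous agent instance
STALE_CERT = issue_cert(OLD_KEY, CERTNAME)     # certificate still held for that name
NEW_KEY    = OpenSSL::PKey::RSA.new(2048)      # key after regeneration on the agent

puts "stale cert fingerprint: #{fingerprint(STALE_CERT)}"
puts "old key vs stale cert:  #{cert_state(OLD_KEY, STALE_CERT)}"
puts "new key vs stale cert:  #{cert_state(NEW_KEY, STALE_CERT)}"
```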

                People

                • Assignee:
                  Unassigned
                  Reporter:
                  redmine.exporter
                  QA Contact:
                  Erik Dasher