Details
-
Bug
-
Status: Closed
-
Critical
-
Resolution: Fixed
-
None
-
None
-
Coremunity
-
1
-
Client 2016-05-18
-
Reviewed
-
Bug Fix
-
Puppet agents no longer get stuck if the server has a CSR or cert from a previous instance of the agent. This enables the `allow_duplicate_certs` setting to work as expected.
Description
On my master, I set:
[main]
|
allow_duplicate_certs = true
|
on the master, I regenerate a private key, I get the failure:
root@cygnet-2:~# puppet agent -t --ssldir=/tmp/
|
info: Creating a new SSL key for cygnet-2.cygnet.lab
|
warning: peer certificate won't be verified in this SSL session
|
info: Caching certificate for ca
|
warning: peer certificate won't be verified in this SSL session
|
info: Caching certificate for cygnet-2.cygnet.lab
|
err: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
|
Certificate fingerprint: B5:FE:4C:B6:D8:75:2C:8D:FD:05:48:53:43:DC:B4:10
|
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
|
On the master:
|
puppet cert clean cygnet-2.cygnet.lab
|
On the agent:
|
rm -f /tmp/certs/cygnet-2.cygnet.lab.pem
|
puppet agent -t
|
It appears that the agent does not actually resend its cert req if one already exists, meaning that allow duplicate certs does not work with puppet agent.
This issue was observed with Puppet 2.7.12, but I do not believe it is a regression.
