SSL certs have to be cleaned daily?

asked 2015-03-03 13:06:28 -0600

edmanet

I manage several locations, each with a puppet master and several clients. I am having trouble keeping the certs clean. Yesterday I had a working environment, but today after the clients' daily reboot, the SSL certs had to be cleaned.

pclient:~ # puppet agent --test
warning: iconv doesnt seem to support UTF-8/UTF-16 conversions
err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Exiting; failed to retrieve certificate and waitforcert is disabled

The puppet log also shows the error:

Tue Mar 03 13:24:43 -0500 2015 Puppet (err): Could not retrieve catalog from remote server: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
Tue Mar 03 13:24:43 -0500 2015 Puppet (notice): Using cached catalog
Tue Mar 03 13:24:43 -0500 2015 Puppet (err): Could not retrieve catalog; skipping run

What confuses me is that md5sums for the certs match on the master and client:

162270fc3e742a91777b8272824e2da4  pmaster:/var/lib/puppet/ssl_master/ca/signed/pclient.mydomain.net.pem
162270fc3e742a91777b8272824e2da4  pclient:/var/lib/puppet/ssl/certs/pclient.mydomain.net.pem

Why do I have to clean the certs every day? Is it the daily reboot on the client that makes it fail?
Is there a way I can configure the master or the client to use the certs that it has?


Comments

Is this behavior consistent across all of the locations that you manage, e.g. for each set of Puppet master and its associated agent nodes? Is there any process that syncs certificates across all masters, or are you using a separate CA server?

GregLarkin ( 2015-03-05 16:41:46 -0600 )
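
The md5sum comparison in the question shows that the master and the client hold the same certificate file; the agent's error is about that certificate versus the private key on the client, which the checksum does not test. As an added example (not from the original post and not Puppet's own code), this Ruby script checks that pairing with the standard openssl library. The RSA key type, the throwaway self-signed certificate and the name pclient.example.test are assumptions constructed for the demo.

```ruby
require 'openssl'
require 'digest'

# Compare a certificate with a private key (both PEM strings; RSA is assumed).
def check_pair(cert_pem, key_pem)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key  = OpenSSL::PKey::RSA.new(key_pem)
  {
    cert_md5:    Digest::MD5.hexdigest(cert_pem), # what md5sum reports for the file
    cert_pubkey: Digest::SHA256.hexdigest(cert.public_key.to_der),
    key_pubkey:  Digest::SHA256.hexdigest(key.public_key.to_der),
    match:       cert.check_private_key(key)      # true only if the key belongs to the cert
  }
end

# Constructed sample data: a throwaway self-signed cert, not one issued by a Puppet CA.
def sample_cert(key, cn)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

if __FILE__ == $PROGRAM_NAME
  if ARGV.size == 2
    # Real use: first argument is the certificate file, second the private key file.
    p check_pair(File.read(ARGV[0]), File.read(ARGV[1]))
  else
    signed_key  = OpenSSL::PKey::RSA.new(2048) # key the certificate was issued for
    current_key = OpenSSL::PKey::RSA.new(2048) # a different key, standing in for the one on disk
    cert_pem = sample_cert(signed_key, 'pclient.example.test')
    p check_pair(cert_pem, signed_key.to_pem)  # same cert_md5, keys agree
    p check_pair(cert_pem, current_key.to_pem) # same cert_md5, keys disagree
  end
end
```

Run on the client with the certificate path and the private key path as the two arguments; if `match` is false while the certificate checksum still agrees with the master, the private key on disk is not the one the certificate was signed for.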