Ask Your Question

How to reuse agents FQDN

asked 2015-06-24 08:55:05 -0600

sinned gravatar image

I have a virtual machine template with puppet preinstalled. The ssldir is empty. So, when the puppet agent runs for the first time, it generates a new certificate and a new csr. Also, I put the master on autosign.

However, when the master has signed a certificate for the same FQDN previously, the agent runs on an error. The master won't sign another cert with the same FQDN.

When I see the error on the client in the log, I may delete the previous cert on the master (puppet cert clean fqdn). But this does not resolve the error. Upon the next run, the client still hangs on the same issue It says

Could not request certificate: The certificate retrieved from the master does not match the agent's private key.

which would be correct before the clean-command, but after? Which certificate could have been retrieved, after I deleted it?

To resolve this, I have to empty the ssldir on the agent after I cleaned the cert on the master. (The after is important)

First question: Why is there still an error after I cleaned the certificate from the master?

Second question: Can I configure the puppetmaster to just sign the certificate, even if it matches a previous fqdn? Maybe auto-replace the old one?

edit retag flag offensive close merge delete


I found this: It describes how to use a common certificate on all clients, so it would propably solve my issue, but I'd like to configure less on the agents...

sinned gravatar imagesinned ( 2015-06-24 09:20:13 -0600 )edit

can you confirm that the pem file was deleted in /var/lib/puppet/ssl/ca/signed?

maynero gravatar imagemaynero ( 2015-06-24 09:26:35 -0600 )edit

Two files get deleted when I run "puppet cert clean fqdn", one in /var/lib/puppet/ssl/ca/signed and another in /var/lib/puppet/ssl/certs. Both indeed get deleted (confirmed with ls). The behaviour of this issue is completely reproducible.

sinned gravatar imagesinned ( 2015-06-24 09:48:00 -0600 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2015-06-24 12:08:28 -0600

WhatsARanjit gravatar image

Each agent uses a config option called "certname" when it requests a certificate signing from the master. By default, the certname is set to the FQDN. Multiple servers can share the same FQDN, but they shouldn't share the same certname (private key). To change this, add a line to the [agent] section of your puppet.conf and set the certname equal to something unique. Alternately, when you decommission a node, look into clearing the certificate using the certificate API.

edit flag offensive delete link more


Thank you for the answer! I tried your solution, adding "certname=hostname-unixtimestamp.domain" and two other lines (node_name=facter, node_name_fact=fqdn) to the agents config. But now I have access errors, saying "Error 403: Forbidden request: <certname> access to /node/fqdn [find] authentica..."

sinned gravatar imagesinned ( 2015-06-25 07:38:08 -0600 )edit

Replacing "allow $1" with "allow *" 3 times works, although, I think this is not the most secure solution.

sinned gravatar imagesinned ( 2015-06-25 08:18:10 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2015-06-24 08:55:05 -0600

Seen: 716 times

Last updated: Jun 24 '15