0

fingerprint changes after puppet cert --sign

asked 2014-04-30 06:59:32 -0500

norris

updated 2014-04-30 07:21:18 -0500

I have an issue where my cert fingerprint changes after I sign it on the master. This issue is not isolated to certificate requests that come from clients. I removed the certs from the master itself, generated a new certificate, and when I signed the newly generated one, the fingerprint changed. Any help or input would be greatly appreciated.

[root@puppet-master ssl]# puppet cert list --all
  ***"puppet-master"                                 (SHA256) 9E:F0:60:5B:6D:9B:00:AE:CE:69:7C:5F:5E:FD:6E:55:BF:1B:50:8E:F4:52:43:37:43:9A:47:5B:FF:BA:AA:A1*** (alt names: "DNS:puppet", "DNS:puppet-master")
+ "pe-internal-broker"                            (SHA256) 06:03:AF:62:CC:1B:21:74:3F:9A:F5:4D:1C:9F:ED:F1:CB:0B:82:38:CF:9A:EF:F3:91:42:9D:C2:7A:6C:60:6F (alt names: "DNS:pe-internal-broker", "DNS:puppet-master", "DNS:puppet-master.localdomain", "DNS:stomp")
+ "pe-internal-mcollective-servers"               (SHA256) A1:DB:AB:52:F9:9A:F5:44:C0:4A:6E:49:A4:A4:17:E6:E2:1C:24:1E:1A:BD:E8:C6:FE:A7:23:8F:7F:A9:07:81
+ "pe-internal-peadmin-mcollective-client"        (SHA256) C7:69:F3:21:D5:0C:72:5B:C3:CE:60:4A:3C:29:55:00:BE:D7:E7:39:48:C3:6C:E5:80:C0:97:CB:D6:41:9F:BA
+ "pe-internal-puppet-console-mcollective-client" (SHA256) CE:DA:E1:ED:09:27:93:88:05:E9:AE:19:AB:D1:00:60:01:F3:BF:D7:99:2C:6E:C5:4B:3D:52:B0:9A:F5:25:D0



[root@puppet-master ssl]# ***puppet cert --sign puppet-master***
Notice: Signed certificate request for puppet-master
Notice: Removing file Puppet::SSL::CertificateRequest puppet-master at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-master.pem'



[root@puppet-master ssl]# puppet cert list --all
+ "pe-internal-broker"                            (SHA256) 06:03:AF:62:CC:1B:21:74:3F:9A:F5:4D:1C:9F:ED:F1:CB:0B:82:38:CF:9A:EF:F3:91:42:9D:C2:7A:6C:60:6F (alt names: "DNS:pe-internal-broker", "DNS:puppet-master", "DNS:puppet-master.localdomain", "DNS:stomp")
+ "pe-internal-mcollective-servers"               (SHA256) A1:DB:AB:52:F9:9A:F5:44:C0:4A:6E:49:A4:A4:17:E6:E2:1C:24:1E:1A:BD:E8:C6:FE:A7:23:8F:7F:A9:07:81
+ "pe-internal-peadmin-mcollective-client"        (SHA256) C7:69:F3:21:D5:0C:72:5B:C3:CE:60:4A:3C:29:55:00:BE:D7:E7:39:48:C3:6C:E5:80:C0:97:CB:D6:41:9F:BA
+ "pe-internal-puppet-console-mcollective-client" (SHA256) CE:DA:E1:ED:09:27:93:88:05:E9:AE:19:AB:D1:00:60:01:F3:BF:D7:99:2C:6E:C5:4B:3D:52:B0:9A:F5:25:D0
***+ "puppet-master"                                 (SHA256) 4A:B0:C7:9E:1B:11:DE:5D:E6:B3:F8:6F:89:5C:BF:C2:67:A7:F0:C4:EB:42:96:B9:2F:4D:06:10:53:DB:93:9D*** (alt names: "DNS:puppet", "DNS:puppet-master")

Comments

I've cleaned up the scenario by displaying less screen input and focusing on the fact that the cert fingerprint changes, which leads to cert mismatches. How/why does this happen?

[root@puppet-master log]# puppet cert fingerprint puppet-agent
puppet-agent (SHA256) 25:4C:CB:1E:68:09:89:FA:80:F3:8D:7E:85:42:66:DF:FF:16:D5:1A:1F:8B:34:D6:3C:61:C4:DC:CC:E0:7E:EB
[root@puppet-master log]# puppet cert --sign puppet-agent
Notice: Signed certificate request for puppet-agent
Notice: Removing file Puppet::SSL::CertificateRequest puppet-agent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppet-agent.pem'
[root@puppet-master log]# puppet cert fingerprint puppet-agent
puppet-agent (SHA256) 6A:07:E0:D3:43:E7:95:68:C8:E8:B4:D8:D5:94:B9:EC:D9:A0:C6:22:20:90:3E:80:5B:75:AC:5D:57:FF:5E:4F
[root@puppet-master log]#

norris ( 2014-05-01 05:38:11 -0500 )

2 Answers

0

answered 2014-05-05 02:30:21 -0500

doc75

I guess that this is due to the fact that the first fingerprint is the one of the certificate request and the second one is the fingerprint of the signed certificate.

Hope this helps.

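An added example, not part of the original answers, that reproduces the effect doc75 describes with plain openssl. It assumes the fingerprint is a SHA256 digest over the DER encoding of the object being listed; the CA and agent names (demo-ca, demo-agent) and all keys are constructed throwaway values.

```shell
#!/bin/sh
# Added example: throwaway keys and names below are constructed for the demo.
set -e

# SHA256 over DER bytes read from stdin, printed AA:BB:.. like `puppet cert list`.
der_fp() { openssl dgst -sha256 -c | sed 's/^.*= *//' | tr 'a-f' 'A-F'; }

# Fingerprint of the whole request vs. the whole signed certificate.
csr_fp()  { openssl req  -in "$1" -outform DER | der_fp; }
cert_fp() { openssl x509 -in "$1" -outform DER | der_fp; }

# Fingerprint of only the public key carried inside each object.
csr_key_fp()  { openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | der_fp; }
cert_key_fp() { openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | der_fp; }

# Build a demo CA, an agent CSR, and the certificate issued from that CSR.
make_demo() {
  d=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-agent" \
    -keyout "$d/agent.key" -out "$d/agent.csr" 2>/dev/null
  openssl x509 -req -in "$d/agent.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -set_serial 2 -days 1 -out "$d/agent.pem" 2>/dev/null
  echo "$d"
}

d=$(make_demo)
echo "request     (SHA256) $(csr_fp "$d/agent.csr")"       # differs from the next line
echo "certificate (SHA256) $(cert_fp "$d/agent.pem")"
echo "key in CSR  (SHA256) $(csr_key_fp "$d/agent.csr")"   # same as the next line
echo "key in cert (SHA256) $(cert_key_fp "$d/agent.pem")"
rm -rf "$d"
```

The signed certificate adds an issuer, serial, validity period and CA signature around the same public key, so its digest cannot equal the request's. A fingerprint comparison is only meaningful between two objects of the same kind: request against request before signing, certificate against certificate after.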
0

answered 2014-05-01 08:06:54 -0500

norris

I removed the puppet-master installation and performed a reinstall of pe-puppet. From my agent nodes, I performed puppet agent --test (to generate certs and requests). Signed the certs on the master and all is working well. Still did not get to the core of why the fingerprints were changed. Just glad to be moving forward. In case you run into this issue, it's best to start clean instead of chasing solutions down different rabbit holes.



Stats

Asked: 2014-04-30 06:59:32 -0500

Seen: 420 times

Last updated: May 05 '14