Hi,
I have an 'empty' new system.
1. I set the system to "Build" on the next run.
2. That first run starts, installs the OS and completes all the puppet stuff.
3. Again I set the system to "Build" on the next run.
4. That second run starts, installs the OS and then fails on puppet.
   The messages shown in my /var/log/messages (condensed):
   *Creating a new SSL key for <hostname>*
   *Caching certificate for <hostname>*
   *Could not request certificate: The certificate retrieved from the master does not match the agent's private key.*
5. On the master I then do rm /var/lib/puppet/ssl/ca/signed/<hostname>.pem
6. Again I set the system to "Build" on the next run.
7. Now the reinstallation succeeds.
So after I manually remove the signed certificate on the master and the
certificates on the client the installation continues as normal.
This "manual" way of fixing these puppet certificates doesn't feel right.
What is the right way to do this (i.e. simply let a reinstallation succeed)?
Niels Basjes
>
> So after I manually remove the signed certificate on the master and the
> certificates on the client the installation continues as normal.
>
> This "manual" way of fixing these puppet certificates doesn't feel right.
> What is the right way to do this (i.e. simply let a reinstallation
> succeed)?
>
>
I found the following that solves my problem:
The code has been written in such a way that at the moment the provisioning
script is retrieved by the host the 'old' certificate is also removed.
Apparently this doesn't work somehow.
I found that the ipxe script I was using had this part in the parameter
list:
ks=<%= foreman_url("provision")%>?static=yes
The rendered version looks like this:
http://foreman.example.com/unattended/provision?token=8c1fe29f-5c68-4fc0-bfa0-541db1f6a61a?static=yes
In the logging I found this:
Parameters: {"token"=>"8c1fe29f-5c68-4fc0-bfa0-541db1f6a61a?static=yes"}
In a normal querystring the second parameter 'must' have a '&' instead of a
'?'. Apparently if you get this wrong the whole parsing fails.
When I changed it into:
ks=<%= foreman_url("provision")%>&static=yes
I saw this in the logging:
Parameters: {"token"=>"8c1fe29f-5c68-4fc0-bfa0-541db1f6a61a", "static"=>"yes"}
…
Remove puppet certificate for <hostname>
I then started digging where this came from and apparently this is from an
older version of Foreman (I did this installation late last year).
I found that this problem has already been resolved in the current versions
of the scripts:
Niels Basjes
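
The separator problem described in the message above, as an added example that is not part of the original thread and is not Foreman's own code: it decodes both rendered URLs from the post to show why the token no longer matches, and builds the extra parameter so the separator cannot be wrong. The helper names `query_params`, `append_param` and `malformed_query?` are hypothetical.

```ruby
require "uri"

# Rendered URLs from the thread: the old template appended "?static=yes",
# the corrected one appends "&static=yes".
BASE   = "http://foreman.example.com/unattended/provision?token=8c1fe29f-5c68-4fc0-bfa0-541db1f6a61a"
BROKEN = BASE + "?static=yes"
FIXED  = BASE + "&static=yes"

# Decode the query the same way the logged Parameters show: only the first
# "?" starts the query, and pairs are separated by "&".
def query_params(url)
  URI.decode_www_form(URI.parse(url).query.to_s).to_h
end

# Hypothetical helper: add a parameter without caring whether the URL
# already carries a query string.
def append_param(url, key, value)
  uri = URI.parse(url)
  pairs = URI.decode_www_form(uri.query.to_s) << [key, value]
  uri.query = URI.encode_www_form(pairs)
  uri.to_s
end

# Hypothetical lint for rendered provisioning URLs: a "?" inside the query is
# legal URI syntax, but here it means a parameter was glued onto the token.
def malformed_query?(url)
  URI.parse(url).query.to_s.include?("?")
end

if __FILE__ == $PROGRAM_NAME
  [BROKEN, FIXED, append_param(BASE, "static", "yes")].each do |url|
    status = malformed_query?(url) ? "MALFORMED" : "ok"
    puts "#{status.ljust(9)} #{query_params(url).inspect}"
  end
end
```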