Problem:
I create a host in Foreman via the API then install the Puppet agent and do a run. The first run creates an auto signed SSL certificate on the host and Puppet CA then continues to successfully complete the Puppet run. Every Puppet agent run after that fails until I remove the certificate from the host and Puppet CA server. After cleaning the certificate from the client and server, the next Puppet run will create a new certificate and all works normally from that point on.
Expected outcome:
All Puppet agent runs work once the initial certificate is auto signed.
Foreman and Proxy versions:
1.21.3
Distribution and version:
CentOS 7.7
What is the failure on the second run specifically? What is the output of a --debug --verbose run of the failure? Does the host's certname = value match its fqdn?
More to go on would help. Certs can be difficult sometimes, but there is always a reason they aren’t working.
Output on first run (successful)
Info: Creating a new SSL key for asbtest0003.corp.dvn.com
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for asbtest0003.corp.dvn.com
Info: Certificate Request fingerprint (SHA256): 0E:45:DA:A1:59:B8:98:10:3C:0D:4D:2D:6F:9E:FB:F4:D9:F1:74:7B:49:87:A1:B6:8A:FE:83:AA:4B:66:56:98
Info: Caching certificate for asbtest0003.corp.dvn.com
Info: Caching certificate_revocation_list for ca
Info: Caching certificate for ca
Info: Using configured environment ‘nonproduction’
Info: Retrieving pluginfacts
Info: Retrieving plugin
Hostname matches the certname in puppet.conf and no other change is made, but if I try to make a second run I receive this message until I remove the cert from the client and Puppet CA. Once it is created a second time then all works normally from that point on.
Output on second run (unsuccessful)
Error: Could not request certificate: The certificate retrieved from the master does not match the agent’s private key.
Certificate fingerprint: E8:FA:EF:AB:0F:D6:46:C4:DE:14:1D:AF:19:A4:0D:37:2E:37:3A:8D:CB:D0:D5:16:02:D0:B1:68:10:27:2F:28
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean asbtest0003.corp.dvn.com
On the agent:
1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name asbtest0003.corp.dvn.com.pem -delete
1b. On Windows: del "\etc\puppetlabs\puppet\ssl\certs\asbtest0003.corp.dvn.com.pem" /f
2. puppet agent -t
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: The certificate retrieved from the master does not match the agent’s private key.
Certificate fingerprint: E8:FA:EF:AB:0F:D6:46:C4:DE:14:1D:AF:19:A4:0D:37:2E:37:3A:8D:CB:D0:D5:16:02:D0:B1:68:10:27:2F:28
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certificate.
On the master:
puppet cert clean asbtest0003.corp.dvn.com
On the agent:
1a. On most platforms: find /etc/puppetlabs/puppet/ssl -name asbtest0003.corp.dvn.com.pem -delete
1b. On Windows: del "\etc\puppetlabs\puppet\ssl\certs\asbtest0003.corp.dvn.com.pem" /f
2. puppet agent -t
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_CTX_use_PrivateKey: key values mismatch
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_CTX_use_PrivateKey: key values mismatch
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_CTX_use_PrivateKey: key values mismatch
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_CTX_use_PrivateKey: key values mismatch
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_CTX_use_PrivateKey: key values mismatch
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_CTX_use_PrivateKey: key values mismatch
All works if I do a Puppet run without creating the host in Foreman first, but the host isn't configured for the role, location, etc. so the whole run can't be completed.
Any ideas as to what might be happening?
Thanks,
Cassuis
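The error in the second run ("SSL_CTX_use_PrivateKey: key values mismatch") is OpenSSL refusing to pair the agent's private key with a certificate whose public key was generated from a different key. Before cleaning anything, it is worth confirming that this is really what happened on the agent, and which certificate is the odd one out, by comparing the public key embedded in the certificate with the public half of the private key and by printing the certificate's SHA256 fingerprint in the same colon-separated form the agent error shows. The script below does that check. It is an added example written for this thread, not code from the original post or from Puppet or Foreman; it assumes openssl is installed and, by default, the Puppet agent's ssldir layout under /etc/puppetlabs/puppet/ssl (private_keys/<certname>.pem and certs/<certname>.pem), both of which can be overridden via arguments. The self-test builds its own throwaway keys and certificate in a temp directory, so it runs offline.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): verify whether a Puppet agent's
# private key matches the certificate it holds, i.e. the check that fails
# behind "SSL_CTX_use_PrivateKey: key values mismatch".
# Assumptions: openssl is on PATH; default paths follow the Puppet agent
# ssldir layout on Linux (/etc/puppetlabs/puppet/ssl).

# SHA256 over the DER-encoded public key inside an X.509 certificate.
cert_pubkey_digest() {
  openssl x509 -in "$1" -noout -pubkey \
    | openssl pkey -pubin -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# SHA256 over the DER-encoded public half of a private key.
key_pubkey_digest() {
  openssl pkey -in "$1" -pubout -outform DER \
    | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Colon-separated SHA256 fingerprint of the certificate, comparable with the
# "Certificate fingerprint:" line printed by the agent.
cert_fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Exit 0 when the key and the certificate belong together, 1 otherwise.
key_matches_cert() {
  local key="$1" cert="$2"
  [ "$(key_pubkey_digest "$key")" = "$(cert_pubkey_digest "$cert")" ]
}

# Check one agent: certname, optional ssldir (defaults to the Puppet layout).
check_agent() {
  local certname="$1" ssldir="${2:-/etc/puppetlabs/puppet/ssl}"
  local key="$ssldir/private_keys/$certname.pem"
  local cert="$ssldir/certs/$certname.pem"
  echo "cert fingerprint: $(cert_fingerprint "$cert")"
  if key_matches_cert "$key" "$cert"; then
    echo "OK: $cert was issued for the key in $key"
  else
    echo "MISMATCH: $cert was NOT issued for the key in $key" >&2
    return 1
  fi
}

# Constructed fixture: key A, unrelated key B, and a certificate for key A.
# Models an agent whose key was regenerated after the CA issued the cert.
make_fixture() {
  local d="$1"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/a.key" 2>/dev/null
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$d/b.key" 2>/dev/null
  openssl req -new -x509 -key "$d/a.key" -subj "/CN=agent.example.test" \
    -days 1 -out "$d/a.crt" 2>/dev/null
}

# Self-test: the matching pair passes, the unrelated key is rejected.
selftest() {
  local d rc=0
  d=$(mktemp -d)
  make_fixture "$d"
  key_matches_cert "$d/a.key" "$d/a.crt" || rc=1
  key_matches_cert "$d/b.key" "$d/a.crt" && rc=1
  rm -rf "$d"
  return "$rc"
}

# Usage on a real agent: check_agent asbtest0003.corp.dvn.com
# Stand-alone run exercises the constructed fixture only.
selftest && echo "selftest passed"
```

On the agent in the thread, running `check_agent <certname>` right after the failing second run tells you whether the local certs/<certname>.pem disagrees with private_keys/<certname>.pem; if the local pair matches, the mismatching certificate is the one the CA is handing back (compare its fingerprint with `puppet cert list --all` on the master), which narrows the problem to the CA side rather than the host.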