Bug #1295
puppetca fails if no certificate exists
| Status: | New | Start: | 11/03/2011 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | Puppet | | |
| Target version: | Foreman - Bug scrub | | |
| Backlog: | No | Difficulty: | |
| Votes: | 2 | | |
Description
When provisioning a new system the puppetca on my proxy would fail when a certificate did not exist.
D, [2011-11-02T20:30:34.128187 #23302] DEBUG -- : Executing /usr/bin/sudo -S /usr/sbin/puppetca --clean host.domain.tld
W, [2011-11-02T20:30:34.721068 #23302] WARN -- : Failed to run puppetca: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
E, [2011-11-02T20:30:34.721437 #23302] ERROR -- : Failed to remove certificate(s) for cllalynx.tamu.edu: Execution of puppetca failed, check log files
With Puppet 2.6.12 I found that puppetca --clean still reports a failure if the certificate is not found. The only way to generate the same text that the smart-proxy code looks for is to run a puppetca --verify.
I have attached a patch to first verify if a certificate exists before attempting to run the clean. Tested on 0.3 rc2.
History
Updated by Ohad Levy over 1 year ago
I'm not 100% sure why this is required.
I mean, why would a clean operation fail?
Updated by Greg Sutcliffe 6 months ago
- Target version set to Bug scrub
Updated by Dominic Cleal 6 months ago
This looks a bit like the master warning that its own certificate is not matching the private key, since it wouldn't have access to another host's private key. The --verify that was run would probably be testing the same (its own key/cert).
I think this is a master config problem, not simply that a certificate doesn't exist.
