This CA bundle is located at the path printed by:
  puppet master --confdir=$PUPPET_CONFDIR --configprint localcacert
and contains CA certs in the following order:
- Root CA
- Signing CA
- Puppet Master CA 1
- Puppet Master CA 2
The following error may be resolved by changing the CA certificate order in the bundle to be:
- Puppet Master CA 2
- Root CA
- Signing CA
- Puppet Master CA 1
where Puppet Master 2 is the master being brought online (the master whose own CA certificate is Puppet Master CA 2).
$ puppet master --confdir=$PUPPET_CONFDIR --verbose --no-daemonize --trace
/workspace/yak/src/puppet/lib/puppet/ssl/host.rb:211:in `validate_certificate_with_key'
/workspace/yak/src/puppet/lib/puppet/ssl/host.rb:202:in `certificate'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:245:in `setup'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:169:in `initialize'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:41:in `new'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:41:in `singleton_instance'
/Users/jeff/.rvm/rubies/ruby-1.8.7-p358/lib/ruby/1.8/monitor.rb:242:in `synchronize'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:40:in `singleton_instance'
/workspace/yak/src/puppet/lib/puppet/ssl/certificate_authority.rb:64:in `instance'
/workspace/yak/src/puppet/lib/puppet/application/master.rb:240:in `setup'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/application.rb:416:in `hook'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/application.rb:407:in `exit_on_fail'
/workspace/yak/src/puppet/lib/puppet/application.rb:307:in `run'
/workspace/yak/src/puppet/lib/puppet/util/command_line.rb:69:in `execute'
/workspace/yak/src/puppet/bin/puppet:4
Could not prepare for execution: The certificate retrieved from the master does not match the agent's private key.
Certificate fingerprint: A4:1D:6F:CC:20:9F:DB:A7:C1:23:F6:6D:A8:70:45:5A
To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a certficate.
On the master:
  puppet cert clean maynard2
On the agent:
  rm -f /workspace/yak/etc/puppet.27_chain2/var.master/ssl/certs/maynard2.pem
  puppet agent -t
The agent need only have a pre-populated localcacert file (the path printed by:
  puppet agent --confdir=$PUPPET_CONFDIR --configprint localcacert
) containing the "normal" bundle ordering of:
- Root CA
- Signing CA
- Puppet Master CA 1
- Puppet Master CA 2
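As an added illustration (not Puppet's own code), the Ruby script below shows why the bundle order matters for the master but not for the agent. It assumes that the master loads its CA certificate by parsing the localcacert bundle with OpenSSL::X509::Certificate.new, which returns only the first certificate in the file, and then checks that certificate against the CA private key, the equivalent of the validate_certificate_with_key step in the trace above. The CA names and keys are constructed test data; reorder_bundle_for_key is a hypothetical helper that produces the "Puppet Master CA 2 first" ordering described above.

```ruby
require 'openssl'

PEM_CERT = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----\n?/m

# Constructed test data: a self-signed CA certificate for a fresh RSA key.
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Parsing a PEM bundle with OpenSSL::X509::Certificate.new yields only the
# FIRST certificate in the file; every certificate after it is ignored.
# (Assumed to be how the master reads its CA cert from localcacert.)
def first_cert_in_bundle(bundle_pem)
  OpenSSL::X509::Certificate.new(bundle_pem)
end

# True when the first cert in the bundle belongs to ca_key, i.e. when a
# master loading its CA cert from this bundle would pass the key check.
def first_cert_matches_key?(bundle_pem, ca_key)
  first_cert_in_bundle(bundle_pem).check_private_key(ca_key)
end

# Hypothetical helper: move the cert matching ca_key to the front of the
# bundle, keeping the relative order of the remaining certs (e.g. the
# "Puppet Master CA 2, Root CA, Signing CA, Puppet Master CA 1" ordering).
def reorder_bundle_for_key(bundle_pem, ca_key)
  pems = bundle_pem.scan(PEM_CERT)
  mine, others = pems.partition do |pem|
    OpenSSL::X509::Certificate.new(pem).check_private_key(ca_key)
  end
  raise 'no certificate in bundle matches the CA key' if mine.empty?
  (mine + others).join
end
```

The agent only verifies the master's certificate against the bundle as a trust store, which is order-independent, so it can keep the "normal" ordering.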