puppet certificate fingerprint changed before and after signature?
I am getting quite a weird trouble here with my puppet configuration.
On client and server (debian-squeeze), same version of puppet, clock synchronized.
Things were going great until I decided to install puppet-dashboard. I don't know at which step this led to a failure, but here are the symptoms:
I have no certificate between the client and the server; I create one on the client side, which I send to the server through this command:
puppetd --test --waitforcert 50
on the server side:
root@puppet:/var/lib/puppet/ssl# puppetca --list --all
dev.goeland.lan (53:C8:AE:21:F0:64:FC:B8:7C:AD:7F:7A:1C:80:B0:4C)
root@puppet:/var/lib/puppet/ssl# puppetca -s dev.goeland.lan
notice: Signed certificate request for dev.goeland.lan
notice: Removing file Puppet::SSL::CertificateRequest dev.goeland.lan at '/var/lib/puppet/ssl/ca/requests/dev.goeland.lan.pem'
root@puppet:/var/lib/puppet/ssl# puppetca --list --all
+ dev.goeland.lan (FC:1A:E5:1F:D7:A3:C4:4A:B6:1A:7F:C6:4A:6E:07:55)
root@puppet:/var/lib/puppet/ssl#
First, I don't understand why the fingerprint changes: before being signed, the certificate is like *:4C, and it turns into *:55. Maybe this is a correct behavior?
Then, from client:
root@dev:/var/lib/puppet/ssl# puppetd --test
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for dev.goeland.lan
err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
root@dev:/var/lib/puppet/ssl#
Client refuses server certificate, while it has just been signed at the previous step!
Can anyone help me on this one?
Thanks a lot!
ssl-certificate puppet puppetmaster
asked Apr 19 '12 at 21:34
philippe
A side note: Is there a reason you're running such an old version of Puppet? The newer versions have a ton of bugfixes, and a much improved command-line interface.
– Martijn Heemels
Apr 19 '12 at 21:40
Waoo! How can you know my version of puppet? Indeed I have installed puppet with my package manager which could provide older versions than the most recent ones. Thanks for your answer, I will upgrade anyway my version of puppet (by installing from gem, I think) and come back on this. But this still doesn't explain why these fingerprints are different, and why the installation (again with aptitude) of puppet-dashboard has broken the certificate verification :/
– philippe
Apr 20 '12 at 7:48
I could tell from the commands you used. The newer versions have a single executable with subcommands, like puppet agent --test, puppet master, puppet ca list, etc. If you prefer packages over gems, Puppet Labs has official apt and yum repos available. I'm sorry that I don't know the answer to your fingerprint question. If you don't find an answer here, you could also ask on IRC.
– Martijn Heemels
Apr 20 '12 at 14:38
1 Answer
The first fingerprint is that of the request. This should match the fingerprint on the client side, which puppet also prints in more recent versions.
After puppetca signs the request it deletes it (you can see it in the output) and the second fingerprint is that of the signed request.
The changing fingerprint is not the problem you are having. Most likely the clocks of the two machines are not in sync. Check the time on both machines and set the time of the client to something that is within a minute of the puppet master. And of course, make sure puppet configures ntpd for you.
answered Sep 27 '12 at 16:55
chutz
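The distinction drawn in the answer, as an added example that is not part of the original posts and is not Puppet's own code: Ruby's standard openssl library builds a certificate request, signs it with a constructed CA, and shows that the request and the resulting certificate hash to different fingerprints while carrying the same public key, and that a verifier whose clock is an hour behind rejects the new certificate as not yet valid. The CA name, host name, lifetimes and the choice of MD5 over the DER encoding (picked because the fingerprints in the listing are 16 bytes long) are assumptions.

```ruby
require 'openssl'
require 'digest'

# Colon-separated MD5 of an object's DER encoding (digest choice is an assumption).
def fingerprint(obj)
  Digest::MD5.hexdigest(obj.to_der).upcase.scan(/../).join(':')
end

# Constructed CA certificate; name and lifetime are assumptions.
def build_ca(now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Example CA')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = now - 86_400
  cert.not_after = now + 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# The request: subject and public key, self-signed with the agent's own key.
def build_csr(key, common_name)
  csr = OpenSSL::X509::Request.new
  csr.version = 0
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# The certificate: same subject and key, plus issuer, serial, validity and the
# CA's signature. It is a different DER structure, hence a different digest.
def sign_csr(csr, ca_key, ca_cert, not_before)
  raise 'CSR signature does not match its public key' unless csr.verify(csr.public_key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 2
  cert.subject = csr.subject
  cert.issuer = ca_cert.subject
  cert.public_key = csr.public_key
  cert.not_before = not_before
  cert.not_after = not_before + 86_400
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify cert against the CA as seen by a machine whose clock reads `clock`.
def verify_at(cert, ca_cert, clock)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.time = clock
  [store.verify(cert), store.error]
end

def demo
  now = Time.now
  ca_key, ca_cert = build_ca(now)
  csr = build_csr(OpenSSL::PKey::RSA.new(2048), 'agent.example.test')
  cert = sign_csr(csr, ca_key, ca_cert, now)
  { csr_fp: fingerprint(csr), cert_fp: fingerprint(cert),
    same_key: csr.public_key.to_der == cert.public_key.to_der,
    in_sync: verify_at(cert, ca_cert, now + 30),
    clock_behind: verify_at(cert, ca_cert, now - 3600) }
end

p demo if __FILE__ == $PROGRAM_NAME
```

When the fingerprints differ but `same_key` is true, the identity has not changed; only the object being hashed has.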