The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
Agent retrieving a cert with an already used certname gets error
Affected Puppet version: | Branch:
If agent ‘foo’ has already received a signed cert back from the Puppet CA, and then a second agent asks for a cert with the certname ‘foo’, you get the following:

    /Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:166:in `certificate'
    /Users/matthewrobinson/work/puppet/lib/puppet/ssl/host.rb:227:in `wait_for_cert'
    /Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:194:in `setup_host'
    /Users/matthewrobinson/work/puppet/lib/puppet/application/agent.rb:259:in `setup'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:420:in `hook'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:411:in `exit_on_fail'
    /Users/matthewrobinson/work/puppet/lib/puppet/application.rb:304:in `run'
    /Users/matthewrobinson/work/puppet/sbin/puppetd:4
    err: Could not request certificate: Retrieved certificate does not match private key; please remove certificate from server and regenerate it with the current key
However, if you manually generate a certificate request using either the new face ‘puppet certificate generate hostname --ca-location remote --server Name_of_Puppet_Master’ or curl (haven’t actually tested with curl, but it’s basically the same as the face), you’re allowed to make a new CSR with the same name as a cert that’s already signed.
The question here seems to be, should the agent be fixed to allow this kind of behavior since it’s possible with more manual means?
#2 Updated by Nigel Kersten almost 3 years ago
- Status changed from Needs Decision to Accepted
- Assignee changed from Nigel Kersten to Matt Robinson
I’m assuming we’re talking about situations only where allow_duplicate_certs is on. If so, then we should fix the agent to allow this behavior. Does that answer it sufficiently, Matt?
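The situation described in the ticket and in Nigel's reply, reduced to a stand-alone Ruby/OpenSSL model (added example, not Puppet's code): a toy CA signs ‘foo’ for one key, a second agent holding a different key retrieves that cert, and the agent-side "does the retrieved cert belong to my private key" check fails, which is the condition behind the "Retrieved certificate does not match private key" error. The `ToyCA` class, its `allow_duplicate_certs` flag and the certname bookkeeping are constructed for this example and are not how the Puppet CA is implemented.

```ruby
require 'openssl'

# Issue an X.509 cert for `subject` with `pubkey` (issuer_cert nil => self-signed root).
def issue_cert(subject, pubkey, issuer_cert, issuer_key, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before, cert.not_after = Time.now, Time.now + 3600
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def make_csr(certname, key)
  csr = OpenSSL::X509::Request.new
  csr.subject = OpenSSL::X509::Name.parse("/CN=#{certname}")
  csr.public_key = key.public_key
  csr.sign(key, OpenSSL::Digest.new('SHA256'))
end

# Minimal CA keyed by certname. A CSR for an already-signed certname is refused unless
# allow_duplicate_certs is on (the setting named in the ticket; policy code is illustrative).
class ToyCA
  def initialize(allow_duplicate_certs: false)
    @key = OpenSSL::PKey::RSA.new(2048)
    @cert = issue_cert('/CN=toy-ca', @key.public_key, nil, @key, 1)
    @signed, @serial, @allow_dup = {}, 1, allow_duplicate_certs
  end
  def sign(certname, csr)  # returns nil when the CSR is refused
    return nil if @signed[certname] && !@allow_dup
    return nil unless csr.verify(csr.public_key)
    @signed[certname] = issue_cert("/CN=#{certname}", csr.public_key, @cert, @key, @serial += 1)
  end
  # What an agent downloads for its certname: whichever cert is currently on file.
  def retrieve(certname); @signed[certname]; end
end

# Agent-side check behind the ticket's error: the retrieved cert must belong to the local key.
def cert_matches_key?(cert, key); cert.check_private_key(key); end

# Constructed scenario: agent A gets 'foo' signed, then a second agent with its own key asks for 'foo'.
def run_scenario(allow_duplicate_certs: false)
  ca = ToyCA.new(allow_duplicate_certs: allow_duplicate_certs)
  key_a, key_b = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca.sign('foo', make_csr('foo', key_a))
  { first_agent_ok: cert_matches_key?(ca.retrieve('foo'), key_a),
    second_agent_ok_before: cert_matches_key?(ca.retrieve('foo'), key_b),
    duplicate_signed: !ca.sign('foo', make_csr('foo', key_b)).nil?,
    second_agent_ok_after: cert_matches_key?(ca.retrieve('foo'), key_b) }
end
```

With the flag off, the second agent's CSR is refused and the cert on file never matches its key; with the flag on, the CA re-signs ‘foo’ for the new key and the check passes, which is the behaviour the ticket asks the agent to accommodate.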