BAD: keys did not match
    # cfagent -qIK
    ...
    cfengine:mrpmmds012: BAD: keys did not match
cfservd on the policyserver was correctly configured. My cfengine client was listed in AllowConnectionsFrom and TrustKeysFrom. I also allow the policyserver's public cfengine key to be copied to /var/cfengine/ppkeys on the client.
    # For bootstrapping cfengine clients
    /var/cfengine/ppkeys/localhost.pub
        server=$(policyhost)
        dest=/var/cfengine/ppkeys/root-$(policyhost).pub
        mode=600
        owner=root
        group=root
        trustkey=true
So what was the problem? To find out, run cfagent in debug mode.
    # cfagent -qIK -d1
    ...
    IPV4 address
    sockaddr_ntop(10.205.0.66)
    Identifying this agent as 10.205.0.66 i.e. mrpmmds012.example.com, with signature 0
    IsIPV6Address(mrpmmap010.prd.mrds.unix.example.com)
    SENT:::CAUTH 10.205.0.66 mrpmmap010.prd.mrds.unix.example.com root 0
It turns out that this system is mrpmmds012.example.com in DNS and mrpmmap010.prd.mrds.unix.example.com in the LDAP hosts database.
    $ getent ipnodes mrpmmds012.example.com
    10.205.0.66 mrpmmds012.example.com loghost
    $ getent ipnodes 10.205.0.66
    10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com

    # Note that IPv4 addresses are searched for in all of the ipnodes databases
    # before searching the hosts databases.
    ipnodes: ldap [NOTFOUND=return] files
This forward/reverse mismatch causes problems with cfengine authentication. As a fix, remove or correct the entry in the LDAP hosts database.
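
A pre-flight check for the forward/reverse mismatch described above, as an added example that is not part of the original post: it resolves a name, reverse-resolves the first address returned, and reports whether the name comes back as the canonical entry. The names `fwd_rev_check`, `check_all`, `live_lookup`, `page_lookup`, `DB` and `LOOKUP` are hypothetical; `page_lookup` replays the two `getent` results shown in the post so the logic can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the original post): verify that forward and
# reverse lookups agree before bootstrapping a cfengine client.
# DB is the name-service database to query: "ipnodes" as in the post
# (Solaris); "hosts" is the usual choice on other systems.
DB=${DB:-ipnodes}
LOOKUP=${LOOKUP:-live_lookup}   # hypothetical switch: live_lookup or page_lookup

live_lookup() { getent "$DB" "$1"; }

# Offline stand-in that replays the getent output shown in the post.
page_lookup() {
    case $1 in
        mrpmmds012.example.com)
            echo "10.205.0.66 mrpmmds012.example.com loghost" ;;
        10.205.0.66)
            echo "10.205.0.66 mrpmmap010.prd.mrds.unix.example.com mrpmmap010.example.com" ;;
        *) return 2 ;;
    esac
}

# fwd_rev_check NAME
# Prints one status line. Returns 0 when NAME is the canonical reverse
# entry, 1 on a mismatch or alias-only match, 2 when a lookup is empty.
# Only the first address returned by the forward lookup is checked.
fwd_rev_check() {
    name=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    ip=$("$LOOKUP" "$name" | awk 'NR == 1 { print $1 }')
    if [ -z "$ip" ]; then echo "UNRESOLVED: $name"; return 2; fi
    # Drop the address column, keep canonical name plus aliases.
    rev=$("$LOOKUP" "$ip" |
        awk 'NR == 1 { $1 = ""; sub(/^ +/, ""); print tolower($0) }')
    if [ -z "$rev" ]; then echo "NO-REVERSE: $name -> $ip"; return 2; fi
    canon=${rev%% *}
    if [ "$canon" = "$name" ]; then echo "OK: $name <-> $ip"; return 0; fi
    case " $rev " in
        *" $name "*) echo "ALIAS-ONLY: $name -> $ip -> $canon"; return 1 ;;
    esac
    echo "MISMATCH: $name -> $ip -> $canon"
    return 1
}

# check_all NAME...: run the check for each name, fail if any one fails.
check_all() {
    rc=0
    for n in "$@"; do fwd_rev_check "$n" || rc=1; done
    return "$rc"
}

if [ $# -gt 0 ]; then check_all "$@"; fi
```

Run it on the client with its expected hostname as the argument; setting `LOOKUP=page_lookup` reproduces the mismatch from the post without touching the name service.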