Unable to generate certificate on Puppet Agent through Master


Ajeet Raina

Aug 28, 2012, 5:08:51 AM
to puppet...@googlegroups.com
Hi,

I have a puppet master and agent installed. I want to generate and configure the master-agent certificate, and followed these steps:

    Master:
    ==========
    1. Cleaned up all certificate on Master:
    
    [root@puppet-server manifests]# puppet cert sign --all
    No waiting certificate requests to sign
    [root@puppet-server manifests]# puppet cert clean --all
    notice: Revoked certificate with serial 16
    notice: Removing file Puppet::SSL::Certificate puppet-client.test.com at '/var/lib/puppet/ssl/ca/signed/puppet-client.test.com.pem'
    notice: Removing file Puppet::SSL::Certificate puppet-client.test.com at '/var/lib/puppet/ssl/certs/puppet-client.test.com.pem'
    [root@puppet-server manifests]# puppet cert clean --all
    [root@puppet-server manifests]#
    
    2. Removed all ssl/* from Agent
    
    [root@puppet-client yum.repos.d]# rm -fr /var/lib/puppet/ssl/*
    [root@puppet-client yum.repos.d]# cd /var/lib/puppet/ssl/
    [root@puppet-client ssl]# ls
    [root@puppet-client ssl]#
    
    3. Generating Certificate from Agent:
    
    [root@puppet-client ssl]# puppet agent --test --verbose --server puppet-server.test.com
    info: Creating a new SSL key for puppet-client.test.com
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for puppet-client.test.com
    info: Certificate Request fingerprint (md5): AC:EA:5B:B7:C6:A5:94:CE:26:1A:49:9E:F3:B1:EF:B1
    Exiting; no certificate found and waitforcert is disabled
    [root@puppet-client ssl]#
    
    4. Accepting it through Master:
    
    [root@puppet-server manifests]# puppetca -l
      "puppet-client.test.com" (AC:EA:5B:B7:C6:A5:94:CE:26:1A:49:9E:F3:B1:EF:B1)
    [root@puppet-server manifests]#
    [root@puppet-server manifests]# puppet cert sign --all
    notice: Signed certificate request for puppet-client.test.com
    notice: Removing file Puppet::SSL::CertificateRequest puppet-client.test.com at '/var/lib/puppet/ssl/ca/requests/puppet-client.test.com.pem'
    [root@puppet-server manifests]#
    
    Well going.
    
    5.[root@puppet-client ssl]# puppet agent --test --verbose --server puppet-server.test.com
    info: Caching certificate for puppet-client.test.com
    info: Caching certificate_revocation_list for ca
    err: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppet-server.test.com]
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppet-server.test.com]
    [root@puppet-client ssl]#
    
I tried to remove all the certificates from the agent manually (/var/lib/puppet/ssl/*), but that didn't fix the issue.
I also tried to generate the certificate on the server through:

    puppet agent --test --server=`hostname`

and then performed all the steps above. No luck with this either.

How to fix this issue?
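
An added example, not part of the original post: it compares the CSR fingerprint the agent printed in step 3 with the one the master lists in step 4, so a request is signed by name only when the two match instead of with `--all`, and it extracts which certificate the step 5 error names as revoked. The sample strings are constructed from the output above; `unknown-host.test.com` and its fingerprint are made up for illustration.

```python
import re

# Constructed sample input, shaped like the output quoted in the post above.
AGENT_OUTPUT = """\
info: Creating a new SSL certificate request for puppet-client.test.com
info: Certificate Request fingerprint (md5): AC:EA:5B:B7:C6:A5:94:CE:26:1A:49:9E:F3:B1:EF:B1
Exiting; no certificate found and waitforcert is disabled
"""
MASTER_LIST = """\
  "puppet-client.test.com" (AC:EA:5B:B7:C6:A5:94:CE:26:1A:49:9E:F3:B1:EF:B1)
  "unknown-host.test.com" (00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF)
"""
RETRY_OUTPUT = (
    "err: Could not retrieve catalog from remote server: SSL_connect returned=1 "
    "errno=0 state=SSLv3 read server certificate B: certificate verify failed: "
    "[certificate revoked for /CN=puppet-server.test.com]\n"
)

FP = r"(?:[0-9A-Fa-f]{2}:){15}[0-9A-Fa-f]{2}"   # MD5 fingerprint: 16 hex pairs

def agent_request(output):
    """Return (certname, fingerprint) the agent reported for its CSR, or None."""
    name = re.search(r"certificate request for (\S+)", output)
    fp = re.search(r"Certificate Request fingerprint \(\w+\): (" + FP + ")", output)
    return (name.group(1), fp.group(1).upper()) if name and fp else None

def pending_requests(listing):
    """Parse `puppetca -l` / `puppet cert list` lines into {certname: fingerprint}."""
    rows = re.findall(r'^\s*"([^"]+)"\s+\((' + FP + r")\)", listing, re.M)
    return {name: fp.upper() for name, fp in rows}

def safe_to_sign(agent_outputs, listing):
    """Names whose pending fingerprint equals what that agent itself printed."""
    reported = dict(filter(None, map(agent_request, agent_outputs)))
    pending = pending_requests(listing)
    return sorted(n for n, fp in pending.items() if reported.get(n) == fp)

def revoked_subject(output):
    """CN named in a 'certificate revoked for /CN=...' verification failure."""
    m = re.search(r"certificate revoked for /CN=([^\]\s]+)", output)
    return m.group(1) if m else None

if __name__ == "__main__":
    for host in safe_to_sign([AGENT_OUTPUT], MASTER_LIST):
        print("puppet cert sign", host)          # sign by name, not --all
    print("revoked:", revoked_subject(RETRY_OUTPUT))
```
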


Ashish Jaiswal

Aug 28, 2012, 7:12:24 AM
to puppet...@googlegroups.com

Hi..

Can you check the date and time on both master and agent? They should be in sync with the master.

Regards,
Ashish Jaiswal


RedJinnee

Jan 14, 2013, 1:06:37 PM
to puppet...@googlegroups.com
By default the client requests the revocation list from the master; you can disable that by setting its property to false.
In puppet.conf add:

    certificate_revocation = false

then, puppet agent -t

hope this helps.

On Tuesday, December 18, 2012 7:05:43 AM UTC-5, Vishal Asai wrote:
Hi Ajeet,

Did you find any workaround for this issue?

I am having exactly the same issue and I tried all possible ways to fix it but didn't get any success.

Please let me know.  Thanks in advance.

Cheers.

Dan Hyatt

May 31, 2013, 5:06:24 PM
to puppet...@googlegroups.com
I am running into the same problem and it just dawned on me that Solaris might put it in another directory; the master is Red Hat, the clients are Solaris.

What would change for a Solaris certificate?

Dan Hyatt

Jun 3, 2013, 3:56:19 PM
to puppet...@googlegroups.com

I got mine solved... on Puppet Labs Enterprise edition.

On each client which is not connecting right ... giving that error on puppet agent -t:

    cd /etc/puppetlabs/puppet/ssl
    rm -rf ca certs public_keys certificate_requests private_keys  # make sure all files removed from SSL dir
    puppet agent -t  # this will run a few minutes the first time.

Then on the server:

    puppet cert clean p11.mync.com
    puppet cert list
    cd /etc/init.d/
    ./pe-httpd restart
    puppet cert list
    puppet cert sign -a   # if you recognize all the servers in your cert list.

Brendan Murtagh

Nov 1, 2013, 9:48:48 AM
to puppet...@googlegroups.com
To add on to Dan's steps which I used as a base. For PE 2.8.3, I had to do:


(AGENT) sudo rm -rf /etc/puppetlabs/puppet/ssl/*

(MASTER) puppet cert clean myserver.domain.com

(AGENT) sudo puppet agent -t
 
(MASTER) puppet cert list # confirmed new request was pending

(MASTER) sudo /etc/init.d/pe-httpd restart

(MASTER) puppet cert list # confirm request is STILL pending

(MASTER) puppet cert sign -a # sign all pending requests