Trouble adding client to Master - Not using expired certificate for ca from cache


Veera Mani

Jul 19, 2019, 1:47:29 AM
to Puppet Users
Hi,

I am running puppet-server-2.7.25-1.el5 and puppet-2.7.20-1.el6.rf.noarch clients.

A Puppet client which had been running for more than 5 years was rebuilt, and while adding the server to the Puppet infrastructure again, we are facing the error below.
The client was properly removed from the master before it was rebuilt.
But still, while adding the server back, the error occurs.

Running on Jul 19:

[root@client1 setup]# puppet agent --server wfpuppet.example.com --waitforcert 60 --test
info: Creating a new SSL key for client1.example.com
info: Caching certificate for ca
info: Creating a new SSL certificate request for client1.example.com
info: Certificate Request fingerprint (md5): CE:73:92:B6:37:76:52:57:45:86:C5:D8:68:22:3F:A0
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Caching certificate for ca
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Caching certificate for ca
info: Caching certificate for client1.example.com
info: Retrieving plugin
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at

................... Truncated ......................................

err: Could not retrieve catalog from remote server: Thread(#<Thread:0x7f275f7ca370 run>) not locked.
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019
info: Not using expired certificate for ca from cache; expired at Tue Jul 16 19:12:20 UTC 2019

....................Truncated ................................
err: Could not request certificate: stack level too deep


The configuration remains the same as in any client which is working fine. Still facing the error?
Is the Puppet master caching the expired certificate from cache?

"expired certificate for ca from cache;"



I have followed the below Puppet docs:

Martin Alfke

Jul 20, 2019, 6:11:29 AM
to puppet...@googlegroups.com
Hi Veera,

The Puppet Server process generates a CA upon first start.
The CA will be put into place with a default validity of 5 years.

You can verify the CA using openssl default commands to read CA information in human-readable format.

Besides this: Puppet 2.7 is super outdated; you should consider upgrading Puppet on a fresh server, which will then have a new CA with new validity.

Best,
Martin
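
The openssl check mentioned in the reply above, as an added example that is not part of the original thread: it reads a CA certificate's validity window and classifies it as expired, expiring soon, or ok. The function names and the throwaway sample CA are constructed for illustration; the thread does not give the CA certificate's path on the master, so pass whichever path your installation uses.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a CA certificate with openssl.

# Print subject, issuer and the notBefore/notAfter dates of a PEM certificate.
ca_info() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

# Classify a certificate. Prints one of: unreadable, expired, expiring, ok.
# $1 = path to PEM certificate, $2 = warning window in days (default 30).
ca_status() {
    cert=$1
    warn_days=${2:-30}
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        echo "unreadable"; return 2
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null; then
        echo "expired"; return 1
    fi
    if ! openssl x509 -in "$cert" -noout \
            -checkend $((warn_days * 86400)) >/dev/null; then
        echo "expiring"; return 1
    fi
    echo "ok"
}

# Constructed sample input: a throwaway self-signed CA valid for 10 days,
# written to directory $1, so the functions can be tried offline.
make_sample_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 10 \
        -subj "/CN=constructed-sample-ca" \
        -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" >/dev/null 2>&1
}

# Usage: sh check_ca.sh /path/to/ca_cert.pem [warn_days]
if [ -n "${1:-}" ]; then
    ca_info "$1"
    ca_status "$1" "${2:-30}"
fi
```

Running this against the CA certificate on the master and against the cached copy on an agent shows whether both carry the same notAfter date.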

Veera Mani

Jul 24, 2019, 9:12:16 AM
to Puppet Users
Hi Martin,

Thanks for the details.
After this post, I realized that the server certificate is expired and needs renewal.
When I opened this post I was under the assumption that the certificate on the client was the problem.
Planning to upgrade and renew the certificate on the server and re-register the clients.