Remove certificate requests


Tim Bishop

Dec 14, 2012, 12:43:12 PM12/14/12
to puppet...@googlegroups.com
Hi,

I've got some certificate requests on my puppet master that I wish to
remove. It looks like the "puppet cert" tool doesn't have an option for
doing that? What's the best approach, just manually remove them from the
puppet/ssl/ca/requests directory?

Tim.

--
Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x5AE7D984

Ellison Marks

Dec 14, 2012, 1:33:30 PM12/14/12
to puppet...@googlegroups.com
Does puppet cert clean not do it?

Tim Bishop

Dec 14, 2012, 4:14:54 PM12/14/12
to puppet...@googlegroups.com
Nope:

puppetmaster# puppet cert list
"fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28

puppetmaster# puppet cert clean fb311ff01c6f0130b650005056bc6664
Error: Could not find a serial number for fb311ff01c6f0130b650005056bc6664

Looks like it only cleans signed certificates, not requests.

Tim.

On Fri, Dec 14, 2012 at 10:33:30AM -0800, Ellison Marks wrote:
> Does puppet cert clean not do it?
>
> On Friday, December 14, 2012 9:43:12 AM UTC-8, Tim Bishop wrote:
> > I've got some certificate requests on my puppet master that I wish
> > to remove. It looks like the "puppet cert" tool doesn't have an
> > option for doing that? What's the best approach, just manually
> > remove them from the puppet/ssl/ca/requests directory?

Ellison Marks

Dec 14, 2012, 7:53:42 PM12/14/12
to puppet...@googlegroups.com
You might try puppet cert print to get more info about the thing, but out of curiosity, how did it get on your master in the first place?

Tim Bishop

Dec 15, 2012, 7:17:02 AM12/15/12
to puppet...@googlegroups.com
I've been testing Razor and ended up with a bunch of requests from test
machines that I didn't sign and didn't need any more.

"puppet cert print" again fails because there's no certificate, only a
request.

Anyway, to answer my own question, I just needed to remove the requests
from the puppet/ssl/ca/requests directory.

Tim.

On Fri, Dec 14, 2012 at 04:53:42PM -0800, Ellison Marks wrote:
> You might try puppet cert print to get more info about the thing, but
> out of curiosity, how did it get on your master in the first place?
>
> On Friday, December 14, 2012 1:14:54 PM UTC-8, Tim Bishop wrote:
> > Nope:
> >
> > puppetmaster# puppet cert list
> > "fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28
> >
> > puppetmaster# puppet cert clean fb311ff01c6f0130b650005056bc6664
> > Error: Could not find a serial number for fb311ff01c6f0130b650005056bc6664
> >
> > Looks like it only cleans signed certificates, not requests.
> >

Calvin Walton

Dec 21, 2012, 3:59:49 PM12/21/12
to puppet...@googlegroups.com
On Fri, 2012-12-14 at 21:14 +0000, Tim Bishop wrote:
> Nope:
>
> puppetmaster# puppet cert list
> "fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28
>
> puppetmaster# puppet cert clean fb311ff01c6f0130b650005056bc6664
> Error: Could not find a serial number for fb311ff01c6f0130b650005056bc6664
>
> Looks like it only cleans signed certificates, not requests.

I think this is actually a bug, has anyone reported it on the issue
tracking system yet?

'puppet cert clean' used to work to clean unsigned certificates in
puppet 2.7, but no longer does in 3.0.

--
Calvin Walton <calvin...@kepstin.ca>

Bass D'Phar

Aug 27, 2013, 4:40:20 AM8/27/13
to puppet...@googlegroups.com
Hi.

A workaround that does the job:
puppetmaster# puppet cert sign fb311ff01c6f0130b650005056bc6664 ; puppet cert clean fb311ff01c6f0130b650005056bc6664

--
Jan Møller

robert....@goodpoint.de

Mar 11, 2014, 9:53:15 AM3/11/14
to puppet...@googlegroups.com
I could not find any issue yet, so I have created https://tickets.puppetlabs.com/browse/PUP-1916 


Cheers,

Robert


Felix Frank

Apr 8, 2014, 8:01:14 AM4/8/14
to puppet...@googlegroups.com
Hi,

this approach to working around the issue is pretty horrible IMHO. I
would recommend to go ahead and use Tim's approach of just removing the
CSR files manually. That is both less error prone and more secure.

Regards,
Felix

On 04/07/2014 07:35 PM, Leon Springer wrote:
> I created a quick script to workaround the issue until the bug is fixed.
> Replace the grep with the host(s) you want to target.
> -------
> #!/bin/bash
>
> for OUTPUT in $(puppet cert list | awk '{FS=" ";print $1;}' | sed -e 's/^"//' -e 's/"$//' | grep -i hostname)
> do
>   echo "Removing certificate requests for $OUTPUT"
>   puppet cert sign $OUTPUT && sleep 5 && puppet cert clean $OUTPUT
> done

jcbollinger

Apr 9, 2014, 9:53:10 AM4/9/14
to puppet...@googlegroups.com


On Tuesday, April 8, 2014 7:01:14 AM UTC-5, Felix.Frank wrote:
> Hi,
>
> this approach to working around the issue is pretty horrible IMHO. I
> would recommend to go ahead and use Tim's approach of just removing the
> CSR files manually. That is both less error prone and more secure.


Yes, and if there are enough of these to be tedious/inconvenient, or if you need to do the job often, then it ought to be reasonably simple to write a script to collect the certificate names via "puppet cert list" and convert them directly into 'rm' commands for the certificate request files.  That could make it easier on you while still avoiding ever signing the cert requests.

Something along these lines (untested!) might do the trick:

#!/bin/bash
puppet cert list |
while read -r line; do
  head=${line%\"*}     # drop the closing quote and everything after it (fingerprint)
  name=${head:1}       # drop the opening quote, leaving the certname
  rm /var/lib/puppet/ssl/ca/requests/"${name}".pem
done


Or (also untested):
#!/bin/bash
rm_request() {
  pems=("${@/%/.pem}")                                          # append .pem to each certname
  rm "${pems[@]/#/\/var\/lib\/puppet\/ssl\/ca\/requests\/}"     # prefix the requests directory
}
export -f rm_request    # xargs execs a fresh bash, so the function must be exported to be visible there
puppet cert list \
  | sed 's/^"\([^"]\+\)".*/\1/' \
  | xargs bash -c 'rm_request "$@"' _


John
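As an added example that is not code from this thread or from Puppet itself, here is a tested version of the "list, then rm the CSR file" approach John describes, with the two checks a CA operator would want before pointing rm at the requests directory: only lines that are pending requests are acted on, and the extracted certname is validated as a plain hostname or hex id so a malformed line can never make rm leave the requests directory. It assumes (my assumptions, not stated on the page) that Puppet 3 prints a pending request as `"certname" (SHA256) AA:BB:...` and, only with `--all`, prefixes signed and revoked entries with `+ ` / `- `; the requests directory is passed in explicitly, and on Puppet 3 it is `$ssldir/ca/requests` with `$ssldir` from `puppet config print ssldir`. The fixture and the sample list output are constructed so the script runs offline; only the first fingerprint is the real one from the thread.

```shell
#!/bin/bash
# Added example, not code from the thread or from Puppet. Removes pending CSR
# files by name without ever signing them. Assumed "puppet cert list" format
# (Puppet 3):  "certname" (SHA256) AA:BB:...  for pending requests; signed and
# revoked entries (shown only by --all) are prefixed with "+ " / "- ".

# Reads `puppet cert list` output on stdin, deletes REQUESTS_DIR/<name>.pem for
# each pending request, and prints the number of files removed.
remove_pending_requests() {
  local reqdir=${1:?usage: remove_pending_requests REQUESTS_DIR < list-output}
  local line name removed=0
  while IFS= read -r line; do
    # Only lines starting with a quote are pending requests; "+"/"-" lines
    # (signed/revoked) must never reach rm.
    case $line in
      '"'*) ;;
      *) continue ;;
    esac
    name=${line#\"}        # drop the opening quote
    name=${name%%\"*}      # keep only up to the closing quote: the certname
    # Accept plain certnames only (hostnames or hex ids). A slash, a space or
    # a leading dot is rejected, so rm can never be steered outside reqdir.
    if ! printf '%s\n' "$name" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9._-]*$'; then
      printf 'skipping suspicious certname: %s\n' "$name" >&2
      continue
    fi
    if [ -f "$reqdir/$name.pem" ]; then
      rm -- "$reqdir/$name.pem" && removed=$((removed + 1))
    else
      printf 'no CSR file for %s in %s\n' "$name" "$reqdir" >&2
    fi
  done
  echo "$removed"
}

# Constructed fixture (not real data): a temporary requests directory holding
# three CSR files. Prints the directory path.
make_fixture() {
  local dir
  dir=$(mktemp -d)
  : > "$dir/fb311ff01c6f0130b650005056bc6664.pem"
  : > "$dir/test01.example.com.pem"
  : > "$dir/keep.example.com.pem"
  echo "$dir"
}

# Constructed sample of `puppet cert list` output: the request from the
# thread, one extra pending request, one hostile name, and one signed entry as
# --all would show it. All fingerprints except the first are made up.
sample_cert_list() {
  cat <<'EOF'
"fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28
"test01.example.com" (SHA256) 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
"../../etc/passwd" (SHA256) 01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF
+ "keep.example.com" (SHA256) FE:DC:BA:98:76:54:32:10:FE:DC:BA:98:76:54:32:10
EOF
}

# Stand-alone demonstration on the fixture. Against a real master the call
# would be (assumed paths):
#   puppet cert list | remove_pending_requests "$(puppet config print ssldir)/ca/requests"
demo_dir=$(make_fixture)
demo_removed=$(sample_cert_list | remove_pending_requests "$demo_dir")
echo "removed $demo_removed request file(s); left behind: $(ls "$demo_dir")"
rm -rf "$demo_dir"
```

On the sample input the script removes exactly the two pending requests, refuses the traversal name with a message on stderr, and leaves the signed entry's file untouched; that last case is the reason to branch on the line prefix rather than blindly stripping quotes, since feeding `puppet cert list --all` output to a naive version of Leon's or John's loops would otherwise act on every certificate the CA knows about.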
