
Regenerating Certificates

asked 2014-06-03 12:32:09 -0600 by michaelk

updated 2014-06-03 18:17:45 -0600 by Stefan

I need to regenerate my security certificates between my master and agents. Approaching it from one agent at a time, I ran puppet cert clean "puppetagent" on the master.

Then, on the agent, I removed the ssl directory with rm -rf /etc/puppetlabs/puppet/ssl

Next, I ran puppet agent -t and got the following, expected, output:

Info: Creating a new SSL key for puppetagent
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetagent
Info: Certificate Request fingerprint (SHA256): [CERTIFICATE FINGERPRINT]
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled

Back on the master, I ran puppet cert list --all and again got what I expected:


So I signed the cert with puppet cert sign "puppetagent"

Notice: Signed certificate request for puppetagent
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppetagent.pem'

This should be all there is to it, but when I try to run the agent on the agent again, I get this:

Info: Caching certificate for puppetagent
Info: Caching certificate_revocation_list for ca
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster]
Exiting; failed to retrieve certificate and waitforcert is disabled

(Where "puppetmaster" is the hostname of my puppetmaster, naturally.)

What step am I missing to completely regenerate the certificates?



Extra piece of information: When I run "puppet cert clean puppetagent" on the master, it returns "Notice: Revoked certificate with serial 29". Running it again yields the same result, so it's like it's not actually even getting removed.

michaelk ( 2014-06-03 12:52:22 -0600 )

In my case, removing /etc/puppetlabs/puppet/ssl/certificate_requests/* on the client resolved the "Puppet: Exiting; no certificate found and waitforcert is disabled" error and the next agent run re-created the request on the master. This article is pretty clear: :)

AXE-Labs ( 2015-08-14 16:07:22 -0600 )
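The agent's error says the CRL it just cached lists the master's own certificate as revoked, and the only thing the question's "puppet cert clean" reports is that it revoked serial 29, over and over. The check a practitioner wants is therefore to read the CRL on the master and compare the serials it lists with the serial of the master's certificate. The script below is an added example, not part of the question, the answers or Puppet's own tooling: it builds a throwaway CA in a temp dir with a master certificate of serial 29 and an agent certificate of serial 30 (constructed to mirror the question), revokes the master certificate and publishes a CRL, then checks each certificate against that CRL with openssl. The Puppet file locations named in the comments (ssl/certs/<master>.pem and ssl/ca/ca_crl.pem under /etc/puppetlabs/puppet) are the assumed default layout; the only paths the script writes to are under its temp dir.

```shell
# Added example, not from the original question or answers and not Puppet's
# own tooling: a throwaway CA that reproduces "the master's own serial is on
# the CRL", plus a check that reads the CRL with openssl. Only the temp dir
# is touched; the Puppet paths in comments are the assumed default layout.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Serial of a certificate as uppercase hex with leading zeros stripped, so it
# compares cleanly with the form "openssl crl -text" prints.
cert_serial() {
    openssl x509 -in "$1" -noout -serial \
        | sed 's/^serial=//; s/^0*//' | tr 'a-f' 'A-F'
}

# Every serial listed on a CRL, one per line, same normalisation.
crl_serials() {
    openssl crl -in "$1" -noout -text \
        | sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p' \
        | sed 's/^0*//' | tr 'a-f' 'A-F'
}

# Exit status 0 when the certificate in $1 is on the CRL in $2, 1 otherwise.
# On a master the real inputs would be (assumed default layout)
#   /etc/puppetlabs/puppet/ssl/certs/<master>.pem
#   /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
cert_revoked() {
    crl_serials "$2" | grep -qx "$(cert_serial "$1")"
}

# Constructed scenario: a CA, a master cert with serial 29 (the serial the
# question's "puppet cert clean" keeps reporting), an agent cert with serial
# 30, then revoke the master cert and publish a CRL. Runs in a subshell so
# the cd does not leak.
build_demo_ca() (
    cd "$WORK"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=Puppet CA: puppetmaster" -keyout ca.key -out ca.pem 2>/dev/null
    for pair in puppetmaster:29 puppetagent:30; do
        name=${pair%:*}
        serial=${pair#*:}
        openssl req -newkey rsa:2048 -nodes -subj "/CN=$name" \
            -keyout "$name.key" -out "$name.csr" 2>/dev/null
        openssl x509 -req -in "$name.csr" -CA ca.pem -CAkey ca.key \
            -set_serial "$serial" -days 30 -sha256 -out "$name.pem" 2>/dev/null
    done
    # Minimal config so "openssl ca" can keep an index and issue the CRL.
    cat > ca.cnf <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $WORK
database = \$dir/index.txt
new_certs_dir = \$dir
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
serial = \$dir/serial
crlnumber = \$dir/crlnumber
default_md = sha256
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
EOF
    : > index.txt
    echo 1000 > serial
    echo 01 > crlnumber
    # Revoke the master's certificate, then publish the CRL that lists it.
    openssl ca -config ca.cnf -revoke puppetmaster.pem 2>/dev/null
    openssl ca -config ca.cnf -gencrl -out ca_crl.pem 2>/dev/null
)

build_demo_ca
for name in puppetmaster puppetagent; do
    if cert_revoked "$WORK/$name.pem" "$WORK/ca_crl.pem"; then
        echo "$name (serial $(cert_serial "$WORK/$name.pem")) is on the CRL: revoked"
    else
        echo "$name (serial $(cert_serial "$WORK/$name.pem")) is not on the CRL"
    fi
done
```

Run against a real master, cert_revoked with the master's own certificate and the CA's ca_crl.pem answers the question the agent's error raises: whether the CRL the agents download really lists the master's serial. If it does, the serial that "puppet cert clean" keeps reporting is the number to compare it with, and no amount of re-signing the agent's request will clear an error about the master's certificate.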

2 Answers


answered 2014-06-05 22:17:40 -0600

rcosta gravatar image

Check this link, they have some errors explained:



Do you mean Puppet needs to be uninstalled, or the certificate?

kailas kadam ( 2015-08-13 05:21:10 -0600 )

answered 2014-06-05 08:36:07 -0600

michaelk gravatar image

The only solution I was able to come up with was to completely uninstall with the "-pd" option to clear everything, and then reinstall.



Asked: 2014-06-03 12:32:09 -0600

Seen: 17,767 times

Last updated: Jun 05 '14