I need to regenerate my security certificates between my master and agents. Approaching it from one agent at a time, I ran
puppet cert clean "puppetagent" on the master.
Then, on the agent, I removed the ssl directory with
rm -rf /etc/puppetlabs/puppet/ssl
Next, I ran
puppet agent -t and got the following, expected, output:
Info: Creating a new SSL key for puppetagent
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetagent
Info: Certificate Request fingerprint (SHA256): [CERTIFICATE FINGERPRINT]
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
Back on the master, I ran
puppet cert list --all and got again what I expected:
"puppetagent" (SHA256) [SAME CERTIFICATE FINGERPRINT]
So I signed the cert with
puppet cert sign "puppetagent"
Notice: Signed certificate request for puppetagent
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppetagent.pem'
This should be all there is to it, but when I try to run the agent on the agent again, I get this:
Info: Caching certificate for puppetagent
Info: Caching certificate_revocation_list for ca
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster]
Exiting; failed to retrieve certificate and waitforcert is disabled
(Where "puppetmaster" is the hostname of my puppetmaster, naturally.)
What step am I missing to completely regenerate the certificates?
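The final error above says the master's certificate is revoked according to the CRL the agent just cached. As an added example (not part of the original post), this shell helper checks whether a certificate's serial number is listed in a CRL; the function names, the file arguments and the sample CRL text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): is a certificate's serial on a CRL?

# Constructed sample, shaped like `openssl crl -noout -text` output.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = example-ca
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Jan  1 00:00:00 2020 GMT
    Serial Number: 0A
        Revocation Date: Jan  2 00:00:00 2020 GMT'

# Reduce a serial to bare uppercase hex: drop a "serial=" prefix, colons,
# whitespace and leading zeros, so "serial=0a", "00:0A" and " 0A" compare equal.
norm_serial() {
    printf '%s' "$1" | sed -e 's/^serial=//' | tr -d ': \n' \
        | tr 'a-f' 'A-F' | sed -e 's/^0*//'
}

# Read CRL text on stdin; return 0 if serial $1 is listed as revoked, 1 if not.
serial_in_crl_text() {
    want=$(norm_serial "$1")
    while IFS= read -r line; do
        case "$line" in
            *"Serial Number:"*)
                got=$(norm_serial "${line#*Serial Number:}")
                [ "$got" = "$want" ] && return 0 ;;
        esac
    done
    return 1
}

# cert_is_revoked CERT_PEM CRL_PEM
# Returns 0 if revoked, 1 if not listed, 2 if either file cannot be parsed.
cert_is_revoked() {
    serial=$(openssl x509 -noout -serial -in "$1") || return 2
    crl_text=$(openssl crl -noout -text -in "$2") || return 2
    printf '%s\n' "$crl_text" | serial_in_crl_text "$serial"
}
```

On the agent, `cert_is_revoked` would be given a saved copy of the master's certificate and the cached CRL under the ssl directory (both paths are for you to supply). A return code of 0 confirms that the serial the master is presenting is on the CA's revocation list.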