puppet cert reject?

asked 2014-09-17 11:08:10 -0600 by DMonTech

Currently we run puppet master 3.1.1. We do not autosign certs.

Our process is to manually sign the certs so we know what servers are being added to the master. This is important because we have multiple puppet masters and sometimes puppet.conf points to the wrong one.

1: Find list of pending certs

    $ puppet cert list
      "{fqdn}" (MD5) {MD5str}

2: Sign valid certs to add them to the master

    $ puppet cert sign {fqdn}
    Notice: Signed certificate request for {fqdn}
    Notice: Removing file Puppet::SSL::CertificateRequest {fqdn} at '/var/lib/puppet/ssl/ca/requests/{fqdn}'

Problem is when we get certs that should not be added to the master there is no option like:

    $ puppet cert reject {fqdn}

If you do clean you get an error:

    $ puppet cert clean {fqdn}
    Error: Could not find a serial number for {fqdn}

I can sign the cert and immediately clean/revoke it but that seems a little unnecessary.

Another option is to manually go into /var/lib/puppet/ssl/ca/requests/ and delete requests manually.

Long story short, it would be nice to have $ puppet cert reject {fqdn} to remove those requests.

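The manual workaround described in the post (deleting the pending request file from the CA's requests directory instead of signing and then cleaning it) can be wrapped in a small guard script. What follows is an added example, not code from the original post or from Puppet itself; it is a hypothetical `reject_csr` helper standing in for the missing "puppet cert reject". It assumes the directory layout shown in the post's notice, with pending CSRs stored as `$CADIR/requests/<fqdn>.pem` and signed certificates as `$CADIR/signed/<fqdn>.pem` (the `.pem` suffix and the `signed/` directory are assumptions). It refuses names that could escape the requests directory, and it refuses to "reject" a node that already has a signed certificate, since that case needs revocation via `puppet cert clean` rather than a file deletion.

```shell
#!/bin/sh
# Hypothetical stand-in for "puppet cert reject" (added example, not Puppet code).
# Removes a pending CSR without signing it.
# Assumed CA layout (the requests/ path matches the notice in the post;
# the .pem suffix and signed/ directory are assumptions):
#   $CADIR/requests/<fqdn>.pem   pending certificate requests
#   $CADIR/signed/<fqdn>.pem     certificates the CA has already signed
CADIR="${CADIR:-/var/lib/puppet/ssl/ca}"

# valid_fqdn <name>: accept only hostname-style names (letters, digits, '-', '.').
# Anything with a slash, a leading dot/dash or '..' is rejected so that a
# request named like "../signed/foo" can never make us delete the wrong file.
valid_fqdn() {
    case "$1" in
        ''|*/*|*..*|.*|-*) return 1 ;;
    esac
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9][A-Za-z0-9.-]*$'
}

# pending_requests: list the names with an outstanding CSR, one per line.
pending_requests() {
    ls "$CADIR/requests" 2>/dev/null | sed -n 's/\.pem$//p'
}

# reject_csr <fqdn>: delete the pending request for <fqdn>.
# Return codes: 0 request removed
#               1 name rejected by valid_fqdn
#               2 no pending request for that name
#               3 a signed cert already exists (use "puppet cert clean" instead)
reject_csr() {
    fqdn="$1"
    if ! valid_fqdn "$fqdn"; then
        echo "reject: refusing suspicious name '$fqdn'" >&2
        return 1
    fi
    if [ -e "$CADIR/signed/$fqdn.pem" ]; then
        echo "reject: $fqdn already has a signed certificate; use 'puppet cert clean $fqdn'" >&2
        return 3
    fi
    if [ ! -f "$CADIR/requests/$fqdn.pem" ]; then
        echo "reject: no pending request for $fqdn" >&2
        return 2
    fi
    rm -f -- "$CADIR/requests/$fqdn.pem"
    echo "Notice: Rejected certificate request for $fqdn"
}

# Usage on the master (as the user that owns the CA directory):
#   . ./reject_csr.sh
#   pending_requests
#   reject_csr stray-node.example.com
```

Run `pending_requests` first to confirm the exact name reported by `puppet cert list`, then `reject_csr` that name. Because the script only ever touches `requests/`, a node whose agent later retries will simply submit a fresh CSR, which is the same outcome as deleting the file by hand.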