no new certificate generated

asked 2015-02-11 13:52:45 -0600

dmuller

I'm just getting started with connecting a collection of CentOS Linux 5, 6 & 7 machines to a new puppet-master, actually the one bundled with Foreman (and I've been learning a lot).

I have found a known issue where my puppet-master is requiring sha256 digests be used on certs; however, some of the stock clients by default use MD5. OK, so I know how to add the Puppet Labs repo to my machines and gain updated clients, HOWEVER there is another known issue with puppet-master affecting deletion of certificate requests.

The situation I'm running into is:

  1. A stock RHEL5 client runs "puppet agent --test" and generates a new cert req. using the MD5 digest.
  2. On the master I pick up the req. but I can only list it, I cannot clear it. (If I clear ALL it will go away, along with my entire deployment.)
  3. I manually remove the cert request with 'rm', then remove and install the correct puppet packages on the client.
  4. "puppet agent --test" does not seem to do anything; no new req. is seen on the puppet-master.

This is how I manually removed the cert req:

[root@4man manifests]# puppet cert list
  "" (MD5) 61:87:21:C9:5A:78:57:F4:1E:B0:17:F3:51:8A:1C:97
[root@4man manifests]# puppet cert clean
Error: Could not find a serial number for
[root@4man manifests]#
[root@4man manifests]# find /var/lib/puppet/ssl/ -name 'anix*'
[root@4man manifests]# rm /var/lib/puppet/ssl/ca/requests/
rm: remove regular file ‘/var/lib/puppet/ssl/ca/requests/’? y
[root@4man manifests]# puppet cert list
[root@4man manifests]#

Currently I run "puppet agent --test --waitforcert 99" and no certificate is received (I don't see any errors or other acknowledgement on the puppet-master box).

answered 2017-07-24 09:37:03 -0600

bojo

Sometimes doing things the manual way could be the easiest option. I had the same issue and I resolved it by deleting the ssl dir on the client node, then removing the previously signed cert, which is usually in the <puppet ssl>/ca/signed dir of the master. You probably would find the client "hostname.pem". mv it to /tmp. Restart the puppet agent service.

answered 2015-02-12 08:00:24 -0600

dmuller

I'm very happy to report I solved this on my own after reading through some other issues tagged ssl.

The problem was that even after removing the old puppet client software the md5 cert request remained.

I removed this manually and everything started working again as expected.

On the client:

[root@anix source]# find /var/lib/puppet/ssl/
[root@anix source]# openssl req -in /var/lib/puppet/ssl/certificate_requests/ -text -verify -noout
verify OK
    Signature Algorithm: md5WithRSAEncryption
[root@anix source]# rm /var/lib/puppet/ssl/certificate_requests/
rm: remove regular file `/var/lib/puppet/ssl/certificate_requests/'? y
[root@anix source]# puppet agent --test
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for
Info: Certificate Request fingerprint (SHA256): B3:65:34:08:01:AC:43:14:27:73:A0:BB:70:25:6D:94:33:68:09:8A:BB:5C:33:71:F7:A0:32:22:2B:84:80:BA
Exiting; no certificate found and waitforcert is disabled
[root@anix source]#

On the master:

[root@4man manifests]# puppet cert list
  "" (SHA256) B3:65:34:08:01:AC:43:14:27:73:A0:BB:70:25:6D:94:33:68:09:8A:BB:5C:33:71:F7:A0:32:22:2B:84:80:BA
[root@4man manifests]#
[root@4man manifests]# puppet cert sign ""
Notice: Signed certificate request for
Notice: Removing file Puppet::SSL::CertificateRequest at '/var/lib/puppet/ssl/ca/requests/'
[root@4man manifests]#
Asked: 2015-02-11 13:21:20 -0600
Last updated: Jul 24 '17