no new certificate generated

asked 2015-02-11 13:52:45 -0500 by dmuller

I'm just getting started with connecting a collection of CentOS Linux 5, 6 & 7 machines to a new puppet-master (actually the one bundled with Foreman), and I've been learning a lot.

I have found a known issue where my puppet-master requires SHA256 digests on certs; however, some of the stock clients use MD5 by default. OK, so I know how to add the Puppet Labs repo to my machines and get updated clients. HOWEVER, there is another known issue with puppet-master affecting deletion of certificate requests.

The situation I'm running into is:

  1. A stock RHEL5 client runs "puppet agent --test" and generates a new cert req. using the MD5 digest.
  2. On the master I pick up the req., but I can only list it; I cannot clear it (if I clear ALL it will go away, along with my entire deployment).
  3. I manually remove the cert request with 'rm', then remove and install the correct puppet packages on the client.
  4. "puppet agent --test" does not seem to do anything; no new req. is seen on the puppet-master.

This is how I manually removed the cert req:

[root@4man manifests]# puppet cert list
  "anix.example.com" (MD5) 61:87:21:C9:5A:78:57:F4:1E:B0:17:F3:51:8A:1C:97
[root@4man manifests]# puppet cert clean anix.example.com
Error: Could not find a serial number for anix.example.com
[root@4man manifests]#
[root@4man manifests]# find /var/lib/puppet/ssl/ -name 'anix*'
/var/lib/puppet/ssl/ca/requests/anix.example.com.pem
[root@4man manifests]# rm /var/lib/puppet/ssl/ca/requests/anix.example.com.pem
rm: remove regular file ‘/var/lib/puppet/ssl/ca/requests/anix.example.com.pem’? y
[root@4man manifests]# puppet cert list
[root@4man manifests]#

Currently I run "puppet agent --test --waitforcert 99" and no certificate is received (I don't see any errors or other acknowledgement on the puppet-master box).


1 Answer


answered 2015-02-12 08:00:24 -0500 by dmuller

I'm very happy to report I solved this on my own after reading through some other issues tagged ssl.

The problem was that even after removing the old puppet client software, the MD5 cert request remained.

I removed this manually and everything started working again as expected.

On the client:

[root@anix source]# find /var/lib/puppet/ssl/
/var/lib/puppet/ssl/
/var/lib/puppet/ssl/certs
/var/lib/puppet/ssl/certs/ca.pem
/var/lib/puppet/ssl/private_keys
/var/lib/puppet/ssl/private_keys/anix.example.org.pem
/var/lib/puppet/ssl/public_keys
/var/lib/puppet/ssl/public_keys/anix.example.org.pem
/var/lib/puppet/ssl/private
/var/lib/puppet/ssl/certificate_requests
/var/lib/puppet/ssl/certificate_requests/anix.example.org.pem
[root@anix source]# openssl req -in /var/lib/puppet/ssl/certificate_requests/anix.example.org.pem -text -verify -noout
verify OK
...
    Signature Algorithm: md5WithRSAEncryption
...
[root@anix source]# rm /var/lib/puppet/ssl/certificate_requests/anix.example.org.pem
rm: remove regular file `/var/lib/puppet/ssl/certificate_requests/anix.example.org.pem'? y
[root@anix source]# puppet agent --test
Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for anix.example.org
Info: Certificate Request fingerprint (SHA256): B3:65:34:08:01:AC:43:14:27:73:A0:BB:70:25:6D:94:33:68:09:8A:BB:5C:33:71:F7:A0:32:22:2B:84:80:BA
Exiting; no certificate found and waitforcert is disabled
[root@anix source]#

On the master:

[root@4man manifests]# puppet cert list
  "anix.example.org" (SHA256) B3:65:34:08:01:AC:43:14:27:73:A0:BB:70:25:6D:94:33:68:09:8A:BB:5C:33:71:F7:A0:32:22:2B:84:80:BA
[root@4man manifests]#
[root@4man manifests]# puppet cert sign "anix.example.org"
Notice: Signed certificate request for anix.example.org
Notice: Removing file Puppet::SSL::CertificateRequest anix.example.org at '/var/lib/puppet/ssl/ca/requests/anix.example.org.pem'
[root@4man manifests]#
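The check the answer does by hand with `openssl req -text` (look at the CSR's Signature Algorithm and throw the request away if it is MD5) can be scripted so it runs before the agent is pointed at a SHA256-only master. The following is an added example, not code from the original post or from Puppet: it walks the DER of a PEM-encoded PKCS#10 request with no dependency on the openssl binary, reports the signature algorithm, and says whether a master that insists on SHA-2 would sign it. The `build_sample_csr` helper, the dummy key and signature it embeds, and the `ACCEPTABLE` set are assumptions made for the demonstration; the OIDs are the standard RFC 3279 / RFC 4055 values.

```python
"""Report the signature digest of a PEM PKCS#10 CSR, e.g. one under
/var/lib/puppet/ssl/certificate_requests/, without calling openssl.

Added example, not from the original post or from Puppet.
RFC 2986: CertificationRequest ::= SEQUENCE {
    certificationRequestInfo, signatureAlgorithm AlgorithmIdentifier, signature BIT STRING }
"""
import base64
import re
import sys

# Common RSA signature algorithm OIDs (RFC 3279, RFC 4055).
SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
}
# Assumption for this example: a master that requires SHA256 accepts only SHA-2 digests.
ACCEPTABLE = {"sha256WithRSAEncryption", "sha384WithRSAEncryption", "sha512WithRSAEncryption"}


def _read_tlv(buf, pos):
    """Parse one DER TLV at buf[pos]; return (tag, value_start, value_end, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def _decode_oid(raw):
    """Decode OBJECT IDENTIFIER content bytes to dotted form."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                    # high bit clear: last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the body."""
    m = re.search(r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----", pem, re.S)
    if m is None:
        raise ValueError("not a PEM certificate request")
    return base64.b64decode("".join(m.group(1).split()))


def csr_signature_algorithm(pem):
    """Return the name (or raw OID) of the algorithm the CSR was signed with."""
    der = pem_to_der(pem)
    tag, start, _, _ = _read_tlv(der, 0)             # outer CertificationRequest SEQUENCE
    if tag != 0x30:
        raise ValueError("CSR does not start with a SEQUENCE")
    _, _, _, pos = _read_tlv(der, start)             # skip certificationRequestInfo
    tag, start, _, _ = _read_tlv(der, pos)           # signatureAlgorithm SEQUENCE
    if tag != 0x30:
        raise ValueError("missing AlgorithmIdentifier")
    tag, start, end, _ = _read_tlv(der, start)       # its first element: the algorithm OID
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    oid = _decode_oid(der[start:end])
    return SIGNATURE_OIDS.get(oid, oid)


def csr_is_acceptable(pem):
    """True if a SHA256-only master would sign this request."""
    return csr_signature_algorithm(pem) in ACCEPTABLE


# --- constructed sample input (a structurally valid CSR with a dummy key/signature) ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def build_sample_csr(cn, sig_oid):
    """Constructed PKCS#10 request for CN=cn signed (nominally) with sig_oid; not a real key."""
    name = _der(0x30, _der(0x31, _der(0x30, _der(0x06, _encode_oid("2.5.4.3")) + _der(0x0C, cn.encode()))))
    rsa = _der(0x30, _der(0x06, _encode_oid("1.2.840.113549.1.1.1")) + b"\x05\x00")
    key = _der(0x03, b"\x00" + _der(0x30, _der(0x02, b"\x01" + b"\xab" * 256) + _der(0x02, b"\x01\x00\x01")))
    info = _der(0x30, _der(0x02, b"\x00") + name + _der(0x30, rsa + key) + _der(0xA0, b""))
    sig_alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + b"\x05\x00")
    der = _der(0x30, info + sig_alg + _der(0x03, b"\x00" + b"\x00" * 256))
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE REQUEST-----\n{body}\n-----END CERTIFICATE REQUEST-----\n"


if __name__ == "__main__":
    pem = open(sys.argv[1]).read() if len(sys.argv) > 1 else build_sample_csr("anix.example.org", "1.2.840.113549.1.1.4")
    alg = csr_signature_algorithm(pem)
    print(alg, "(acceptable)" if alg in ACCEPTABLE else "(would be refused; delete and rerun puppet agent)")
```

Run it against the agent's own request file (`python3 csrcheck.py /var/lib/puppet/ssl/certificate_requests/$(hostname -f).pem`) before running `puppet agent --test`; if it reports md5WithRSAEncryption, delete that file so the upgraded agent generates a fresh SHA256 request, exactly as in the answer above. The parser only reads the three top-level elements of the request, so it works on any PKCS#10 CSR regardless of key type, and an unknown algorithm is reported as its raw OID rather than guessed.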

Last updated: Feb 12 '15