agent certificate revoked error

asked 2015-10-09 03:08:20 -0600


Hello Puppet Gurus,

I've got a small problem on 1 server in my puppet environment. The server gives this error: Warning: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /]

This only happens on 1 server in my environment. Because of this I tried to remove the certificate on the client and master: on the client with the find and delete command and on the master with puppet cert clean.

After cleaning the certificate I ran puppet agent -t on the client, it requested a new certificate which I signed on the master. After that I ran puppet agent -t again and got the error again.

I've checked the certificate list, with the command puppet cert list -all, on the puppet master and none of the certificates are revoked, all of them have a + sign in front of them.

Because I'm fairly new to puppet I have no idea what to try next. Does anyone have an idea?


answered 2015-10-09 21:46:24 -0600


This appears to be an error from the client, claiming that the server's certificate has been revoked, or is not currently valid. In order to make the problem go away, you need to ensure that the server has a valid certificate, and you need to restart the server.

You don't mention whether or not you are running PE. On Puppet open source, by default the server and the agent running on that server use the same certificate. IIRC, the PE installer generates a certificate specifically for the server during install, and running the agent is not sufficient to generate a new cert.

Before you do anything else, try simply restarting the server daemon. It's possible it simply hasn't loaded the new cert yet.

If that doesn't work, you can generate a new server certificate using the puppet certificate generate command. The arguments can be a bit tricky to get right so be sure to read the docs. You can generate a certificate using the agent, by explicitly passing the --certname and --dns_alt_names parameters. Check your puppet.conf file and ensure that you pass the correct certname and alt names for the server. Beware that you have to explicitly allow DNS alt names when signing a server certificate.

Of course, you will not be able to request/sign a new server certificate until you remove the old one.

Be very careful with this process. When digging through your certificate files it's very easy to blow away a lot of certificates accidentally. I strongly recommend performing a backup of your SSL directories before attempting to fix this problem.
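The "certificate revoked" warning means the agent found the serial number of the certificate the master presented in its local copy of the CA's CRL (crl.pem under the agent's ssldir), so checking that serial against the CRL is the thing to do before regenerating anything. The script below is an added example, not code from this thread or from Puppet: the CA, leaf certificate and CRL it builds are constructed fixtures, and the Puppet paths in the note after it assume an open-source Puppet 3 master running as root.

```shell
#!/bin/sh
# cert_revoked CERT.pem CRL.pem: exit 0 if CERT's serial number is listed in CRL.
cert_revoked() {
    # "serial=1A" -> "1A"; leading zeros dropped so 01 and 1 compare equal
    serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//; s/^0*\(.\)/\1/')
    # every revoked entry in the CRL text is a "Serial Number: <hex>" line
    openssl crl -in "$2" -noout -text \
        | sed -n 's/^ *Serial Number: *0*\(.\)/\1/p' \
        | grep -Fixq -- "$serial"
}

# make_fixture DIR: constructed throwaway CA, leaf cert and a CRL revoking that
# leaf, so the check can be exercised offline. These are not Puppet's files.
make_fixture() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj /CN=fixture-ca \
        -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj /CN=puppetmaster.example \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -sha256 -days 1 -set_serial 0x1A -in "$d/leaf.csr" \
        -CA "$d/ca.pem" -CAkey "$d/ca.key" -out "$d/leaf.pem" 2>/dev/null
    # minimal 'openssl ca' config: a database plus the CA key/cert is enough to revoke and emit a CRL
    : > "$d/index.txt"; echo 01 > "$d/crlnumber"
    cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = fixture
[ fixture ]
database = $d/index.txt
crlnumber = $d/crlnumber
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_crl_days = 1
EOF
    openssl ca -config "$d/ca.cnf" -revoke "$d/leaf.pem" 2>/dev/null
    openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}

# Demonstration (run with "demo"): the revoked leaf is reported, the CA's own cert is not.
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    make_fixture "$tmp"
    cert_revoked "$tmp/leaf.pem" "$tmp/crl.pem" && echo "leaf: revoked"
    cert_revoked "$tmp/ca.pem" "$tmp/crl.pem" || echo "ca: not revoked"
    rm -rf "$tmp"
fi
```

On the master, run cert_revoked against /var/lib/puppet/ssl/certs/<certname>.pem and /var/lib/puppet/ssl/ca/ca_crl.pem, or against a crl.pem copied from the failing agent. A hit means that CRL still lists the serial the master is presenting, so either the agent's CRL copy must be refreshed from the CA or the master needs a certificate with a different serial.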

answered 2015-10-12 02:55:40 -0600


updated 2015-10-12 06:53:24 -0600

Hi cbarbour,

Thanks for your answer. Something must have gone wrong on the master/ca, because this weekend all clients failed to connect with the master on a certificate error. Because of it I recreated the master ca and all puppet client certs. Now also this one machine connects, but all commands time out on the machine like this: Error: Command exceeded timeout Error: /Stage[main]/Baseconf/Exec[update openssh]/returns: change from notrun to 0 failed: Command exceeded timeout

Any further idea on that?


Update: The last run took 5200 seconds to run and it has to do only 5 or 6 things.
