
master certificate deleted accidentally

asked 2016-03-31 06:13:42 -0600

Dhanasekaran

Team, we have 300+ nodes in our environment. I accidentally cleaned the puppet master certificate (puppet cert --clean puppetmaster), but there was a backup for the master server, so I could restore the following certs: /var/lib/puppet/ssl/certs/, /var/lib/puppet/ssl/ca/signed/, /var/lib/puppet/ssl/private_keys/

After the restore, the certificate status shows: - "" (SHA256) 5B:10:6A:27:96:7C:BD:19:E9:BD:20:26:0F:E9:77:01:E0:EB:8D:65:94:3C:D5:E4:82:8D:1C:07:87:E1:4A:43 (certificate revoked)

Now I couldn't add new nodes, and nodes are throwing the following error:

Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /]

How can I resolve the issue without generating a new cert for the master? Do I need to sign again, or restart the master and try?




Did you back up the entire ssl directory? If so, you might be able to try restoring the whole thing, which contains the crl.pem certificate revocation list.

Binky ( 2016-04-01 04:39:08 -0600 )

2 Answers


answered 2016-03-31 22:15:53 -0600

Dhanasekaran

updated 2016-04-04 12:56:13 -0600

Thanks Binky. Regeneration of all client certs is my last option.

I got the solution: restoring the complete ssl folder resolved my issue. It saved me many hours.

I stopped puppetserver, restored the complete /var/lib/puppet/ssl from backup and started puppetserver, which resolved the issue. It seems /ssl/ca/ca_crl.pem and ssl/crl.pem have ssl encrypted entries of certificates.


answered 2016-03-31 09:29:48 -0600


I seem to recall I did something similar to this a while ago and ended up rebuilding my puppet master. I ran puppet cert clean --all without fully understanding what I was doing.

Since a --clean revokes the certs, even if you had them backed up they should be useless. I've never played around to see if a cert can be removed from the certificate revocation list, but I wouldn't think so, as the whole point is that once revoked the certs can't be reused.

After I rebuilt my puppet master out of desperation I found this page on regenerating all certs in your deployment. If it's only a small deployment it shouldn't be too difficult. Hope this helps.

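How the verification result depends on which CRL file the verifier loads, which is what restoring the full ssl directory changed, shown as an added example that is not part of the original thread. It uses a throwaway OpenSSL CA; the CA, subject names and file names are constructed and no Puppet paths are involved.

```shell
#!/bin/sh
# Constructed demo: throwaway CA in a temp dir, made-up names, no Puppet files touched.
crl_demo() {
  d=$(mktemp -d) || return 1
  (
    cd "$d" || exit 1
    mkdir newcerts && : > index.txt && echo 01 > serial
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = newcerts
serial = serial
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = any
[ any ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
EOF
    {
      openssl req -x509 -config ca.cnf -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -keyout ca.key -out ca.pem -days 30 &&
      openssl req -config ca.cnf -newkey rsa:2048 -nodes \
        -subj "/CN=master.example.test" -keyout m.key -out m.csr &&
      openssl ca -batch -notext -config ca.cnf -in m.csr -out m.pem &&
      openssl ca -config ca.cnf -gencrl -out crl_backup.pem &&  # CRL as it was in the backup
      openssl ca -config ca.cnf -revoke m.pem &&                # serial added to the CA database
      openssl ca -config ca.cnf -gencrl -out crl_current.pem    # CRL issued after revocation
    } >/dev/null 2>&1 || exit 1
    out=
    for crl in crl_backup.pem crl_current.pem; do
      res=$(openssl verify -CAfile ca.pem -crl_check -CRLfile "$crl" m.pem 2>&1) && s=valid || s=rejected
      case $res in *"certificate revoked"*) s=revoked ;; esac
      out="$out $crl=$s"
    done
    echo "${out# }"   # same cert and key, two CRLs, two different verdicts
  )
  rc=$?; rm -rf "$d"; return $rc
}
crl_demo
```

Restoring an older CRL also drops every other revocation recorded since that backup, so compare the revoked serials in both files (`openssl crl -noout -text -in <file>`) before putting the backup in place.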


Seen: 1,030 times

Last updated: Apr 04 '16