master certificate deleted accidentally

asked 2016-03-31 06:13:42 -0500 by Dhanasekaran

Team, we have 300+ nodes in our environment. I accidentally cleaned the puppet master certificate (puppet cert --clean puppetmaster), but there was a backup for the master server, so I could restore the following certs:

/var/lib/puppet/ssl/certs/puppetmaster.xxxx.com.pem
/var/lib/puppet/ssl/ca/signed/puppetmaster.xxxx.com.pem
/var/lib/puppet/ssl/private_keys/puppetmaster.xxxx.com.pem

After the restore, the certificate status shows: - "puppetmaster.xxxx.com" (SHA256) 5B:10:6A:27:96:7C:BD:19:E9:BD:20:26:0F:E9:77:01:E0:EB:8D:65:94:3C:D5:E4:82:8D:1C:07:87:E1:4A:43 (certificate revoked)

Now I can't add new nodes, and existing nodes throw the following error:

Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'evalgenerate': SSLconnect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster.xxxx.com]

How can I resolve the issue without generating a new cert for the master? Do I need to sign it again, or restart the master and try?


Comments


Did you back up the entire ssl directory? If so, you might be able to restore the whole thing, which contains the crl.pem certificate revocation list.

Binky (2016-04-01 04:39:08 -0500)

2 Answers


answered 2016-03-31 22:15:53 -0500 by Dhanasekaran

updated 2016-04-04 12:56:13 -0500

Thanks Binky. Regeneration of all client certs is my last option.

I got the solution: restoring the complete ssl folder resolved my issue. It saved me many hours.

I stopped puppetserver, restored the complete /var/lib/puppet/ssl from backup and started puppetserver, which resolved the issue. It seems /ssl/ca/ca_crl.pem and ssl/crl.pem have SSL-encrypted entries of the certificates.

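Why restoring only the master's certificate and key was not enough, and why restoring the whole ssl directory was: puppet cert --clean both deletes the cert files and revokes the cert, which means its serial number is written into the CA's certificate revocation list (ssl/ca/ca_crl.pem, with the copy at ssl/crl.pem mentioned above). Clients that check the CRL will keep rejecting the restored cert until the CRL that still lists it is replaced by the backup's copy. The script below is an added example, not code from the thread or from Puppet: a throwaway OpenSSL CA stands in for the Puppet CA, two CRL snapshots stand in for the backup's CRL and the post-clean CRL, and the CA name, hostname (puppetmaster.example.com) and directory layout are made up for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or from Puppet's code): a throwaway
# OpenSSL CA stands in for the Puppet CA. "puppet cert --clean <name>" both
# deletes the cert files and revokes the cert, i.e. adds its serial to the
# CA's CRL (ssl/ca/ca_crl.pem), so restoring only the cert and key leaves a
# CRL that still lists it. Names and paths below are made up for the demo.
set -eu

# Build a one-off CA under $1, issue a "master" cert, and snapshot the CRL
# before (crl_backup.pem) and after (crl_after_clean.pem) revoking it.
build_demo_ca() {
  d=$1
  mkdir -p "$d/ca/newcerts"
  : > "$d/ca/index.txt"
  echo 1000 > "$d/ca/serial"
  echo 1000 > "$d/ca/crlnumber"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database = $d/ca/index.txt
new_certs_dir = $d/ca/newcerts
serial = $d/ca/serial
crlnumber = $d/ca/crlnumber
certificate = $d/ca/ca.pem
private_key = $d/ca/ca_key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
prompt = no
[ req_dn ]
CN = Demo Puppet CA
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  # CA key and self-signed CA cert (stand-in for ssl/ca/ca_crt.pem). stderr is
  # silenced only because openssl is chatty; drop the redirects when debugging.
  openssl req -x509 -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -extensions v3_ca -days 365 -keyout "$d/ca/ca_key.pem" -out "$d/ca/ca.pem" 2>/dev/null
  # Master key and CSR, signed by the CA (stand-in for ssl/certs/<master>.pem)
  openssl req -new -newkey rsa:2048 -nodes -config "$d/ca.cnf" \
    -subj "/CN=puppetmaster.example.com" -keyout "$d/master_key.pem" -out "$d/master.csr" 2>/dev/null
  openssl ca -batch -notext -config "$d/ca.cnf" -in "$d/master.csr" -out "$d/master.pem" 2>/dev/null
  # The CRL as the backup had it: nothing revoked yet
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl_backup.pem" 2>/dev/null
  # What "--clean" does on the CA side: the serial is revoked and the CRL reissued
  openssl ca -config "$d/ca.cnf" -revoke "$d/master.pem" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl_after_clean.pem" 2>/dev/null
}

# Verify leaf cert $3 against CA $1 with CRL $2, the way a TLS client does.
# Prints OK, REVOKED, or OTHER (any other verification failure).
cert_status() {
  out=$(openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" 2>&1) && { echo OK; return 0; }
  case "$out" in
    *"certificate revoked"*) echo REVOKED ;;
    *) echo OTHER ;;
  esac
}

# Does CRL $1 list the serial of cert $2? Exit 0 if yes. This is the check to
# run on a restored ca_crl.pem before trusting a partially restored ssl dir.
crl_lists_serial() {
  serial=$(openssl x509 -in "$2" -noout -serial | cut -d= -f2)
  openssl crl -in "$1" -noout -text | grep -q "Serial Number: $serial"
}

demo() {
  d=$(mktemp -d)
  build_demo_ca "$d"
  echo "cert+key restored, CRL from after --clean: $(cert_status "$d/ca/ca.pem" "$d/crl_after_clean.pem" "$d/master.pem")"
  echo "cert+key+CRL all restored from backup:     $(cert_status "$d/ca/ca.pem" "$d/crl_backup.pem" "$d/master.pem")"
  rm -rf "$d"
}
demo
```

The first line of the demo reproduces the poster's situation (the restored cert is rejected as revoked even though it is valid and correctly signed); the second is the state after the full ssl directory restore. The practical takeaway is the crl_lists_serial check: after any partial restore of a Puppet CA, compare the serial of the cert you restored against the revoked serials in the CRL the master is actually serving, because the cert, key and CRL have to come from the same point in time to be consistent.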

answered 2016-03-31 09:29:48 -0500

Hello

I seem to recall I did something similar a while ago and ended up rebuilding my puppet master. I ran puppet cert clean --all without fully understanding what I was doing.

Since a --clean revokes the certs, even if you had them backed up they should be useless. I've never played around to see if a cert can be removed from the certificate revocation list, but I wouldn't think so, as the whole point is that once revoked the certs can't be reused.

After I rebuilt my puppet master, out of desperation I found this page on regenerating all the certs in your deployment. If it's only a small deployment it shouldn't be too difficult. Hope this helps.

https://docs.puppetlabs.com/puppet/3....regeneratecertificates.html


