Accidentally cleaned all of my certificates.

asked 2017-02-03 08:40:47 -0600 by manduck

updated 2017-02-03 09:19:01 -0600

So I'm a Puppet noob, and I foolishly did a cert clean --all. I'm now in the process of re-doing all of the certificates but I have a problem.

So the first thing I did on the puppet master was 'puppet master --verbose --no-daemonise' to redo the puppet master certificate.

However, then when I try and sign a client, I'm able to run the first 'puppet agent --test' and then sign it on the server, but then when I run the second 'puppet agent --test' I get...

Error: Could not request certificate: Server hostname 'puppet' did not match server certificate; bob.localdomain

However, the certificate on the puppet master is called 'puppet'. I've tried editing the puppet.conf on the master so it includes 'server=puppet' and 'certname=puppet' and 'dns-alt-names=puppet' and stuff like that, but the agents always seem to complain that it's bob.localdomain.

How do I get the certificate set correctly on the master? Any help would be greatly appreciated.


Okay, I've got a little bit further.

I stopped the puppet service, then ran 'puppet master --verbose --no-daemonise' again, then started the service.

Now when I try and run 'puppet agent --test' on a client I get the following error...

Error: Could not request certificate: Connection reset by peer - SSL_connect

Is there something else that needs to be restarted on the master? It's version 3.6.2 by the way.

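The hostname check the agent is failing, reproduced offline as an added example (not code from this thread or from Puppet itself): it builds two throwaway self-signed certificates with openssl, one carrying only CN=bob.localdomain and one that also lists puppet as a DNS alt name, and reports which of them an agent configured with server=puppet would accept. It assumes openssl is on PATH; make_master_cert, cert_names and cert_matches_server are helper names made up for this example.

```shell
# Added example, not from the original thread: rebuild offline the condition
# behind "Server hostname 'puppet' did not match server certificate".
# Assumes openssl is on PATH; every key and certificate here is throwaway.
set -eu
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT

# make_master_cert OUT.pem CERTNAME [SAN_LIST]
# Self-signed stand-in for the certificate "puppet master" creates on first
# run: subject CN = certname, plus optional DNS alt names ("DNS:a,DNS:b").
make_master_cert() {
    out=$1; certname=$2; alts=${3:-}
    {
        printf '[req]\nprompt = no\ndistinguished_name = dn\n'
        printf 'x509_extensions = ext\n[dn]\nCN = %s\n' "$certname"
        printf '[ext]\nbasicConstraints = CA:FALSE\n'
        if [ -n "$alts" ]; then printf 'subjectAltName = %s\n' "$alts"; fi
    } > "$out.cnf"
    openssl req -x509 -new -newkey rsa:2048 -nodes -days 1 -config "$out.cnf" \
        -keyout "$out.key" -out "$out" 2>/dev/null
}

# cert_names CERT.pem: print every name the cert is valid for, one per line
# (subject CN first, then each DNS entry of subjectAltName).
cert_names() {
    txt=$(openssl x509 -in "$1" -noout -text)
    printf '%s\n' "$txt" | sed -n 's/^ *Subject:.*CN *= *\([^,]*\).*/\1/p'
    printf '%s\n' "$txt" | grep -A1 'Subject Alternative Name' |
        tr ',' '\n' | sed -n 's/^ *DNS:\(.*\)$/\1/p'
}

# cert_matches_server CERT.pem NAME: succeed only if an agent configured with
# server=NAME would find NAME among the certificate's names.
cert_matches_server() {
    cert_names "$1" | grep -Fqx "$2"
}

# What the asker ended up with: certname defaulted to the master's FQDN and
# no alt names were set, so server=puppet can never match.
make_master_cert "$work/bad.pem" bob.localdomain
# What certname=bob.localdomain plus dns_alt_names=puppet produces instead.
make_master_cert "$work/good.pem" bob.localdomain 'DNS:puppet,DNS:bob.localdomain'

for c in bad good; do
    names=$(cert_names "$work/$c.pem" | tr '\n' ' ')
    cert_matches_server "$work/$c.pem" puppet && r=matches || r="does NOT match"
    echo "$c.pem: server=puppet $r [$names]"
done
```

In Puppet 3 the names that end up in the master's certificate come from the certname and dns_alt_names (underscore) settings in puppet.conf, and both must be in place before the certificate is generated; changing them afterwards has no effect until the old certificate is removed and a new one generated.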


You have to regenerate the master certificate, if you'd like to change fields like subject.altName.

Kai Burghardt (2017-02-05 09:11:49 -0600)

But isn't 'puppet master --verbose --no-daemonise' regenerating my master certificate?

manduck (2017-02-06 04:20:20 -0600)

Did you also clean up the certs on each of your agents?

DarylW (2017-02-06 08:07:26 -0600)

Well, the agent I'm trying it on is a completely fresh one. I've cleared out the ssl directory (/var/lib/puppet/ssl/*) anyway, plus I've backed up and deleted the ssl directory on the master (/var/lib/puppet/ssh) and then cleaned and then regenerated the master certificate, but still no luck.

manduck (2017-02-06 08:26:08 -0600)

Different error now though... Connection refused - connect(2)

manduck (2017-02-06 08:26:59 -0600)