Puppet Certificate Revoked - Successful Runs Against CA, Failed Runs Against Master

asked 2018-04-19 15:44:30 -0600

glen_thumbtack

We have a setup with a puppet CA node and a single master node. Puppet agents connect to the master server=puppet4-master which has ca=false and ca_server=puppet4-ca.

Due to an issue with puppet4-master, we had to generate a new certificate, and used the standard method of doing so. On the master, we ran rm -r /var/lib/puppet/ssl, and on the CA we ran puppet cert clean puppet4-master. Upon running the agent on puppet4-master against the CA (--server puppet4-ca), a new certificate was successfully generated and the server ran puppet successfully. However, our agents connect to puppet4-master, which means that on the next run, puppet4-master tried to run against puppet4-master. This caused the error: "certificate verify failed: [certificate revoked for /CN=puppet4-master]". Runs will not succeed on puppet4-master against puppet4-master, only against puppet4-ca. Since a new certificate was generated successfully, I don't know why puppet is complaining that an old certificate was revoked, and I don't understand why that is only an error when running against puppet4-master (which is not a CA) and not against puppet4-ca.

To summarise, after generating a new certificate for a node, runs against the CA for that node succeed but runs against the separate master fail, and I would like to know why / how to allow runs to succeed against the separate master.


Comments

Were you able to resolve this? Experiencing the same issue

dsmitty166 (2019-01-09 11:48:27 -0600)