Puppet Certificate Revoked - Successful Runs Against CA, Failed Runs Against Master

asked 2018-04-19 15:44:30 -0600

We have a setup with a puppet CA node and a single master node. Puppet agents connect to the master server=puppet4-master, which has ca=false and ca_server=puppet4-ca.

Due to an issue with puppet4-master, we had to generate a new certificate, and used the standard method of doing so. On the master, we ran rm -r /var/lib/puppet/ssl, and on the CA we ran puppet cert clean puppet4-master. Upon running the agent on puppet4-master against the CA (--server puppet4-ca), a new certificate was successfully generated and the server ran puppet successfully. However, our agents connect to puppet4-master, which means that on the next run, puppet4-master tried to run against puppet4-master. This caused the error: "certificate verify failed: [certificate revoked for /CN=puppet4-master]". Runs will not succeed on puppet4-master against puppet4-master, only against puppet4-ca. Since a new certificate was generated successfully, I don't know why puppet is complaining that an old certificate was revoked, and I don't understand why that is only an error when running against puppet4-master (which is not a CA) and not against puppet4-ca.

To summarise, after generating a new certificate for a node, runs against the CA for that node succeed but runs against the separate master fail, and I would like to know why / how to allow runs to succeed against the separate master.
