15

I have some requests from agents that had bad hostnames. I've corrected this, but still have the outstanding requests with the bad hostnames.

I tried:

$ puppet cert list
  "wrong.host.name" (SHA256) 8E:...:51

$ puppet cert revoke wrong.host.name
Error: Could not find a serial number for wrong.host.name

$ puppet cert clean wrong.host.name
Error: Could not find a serial number for wrong.host.name

What's the proper way to get rid of them?

Louis Waweru

3 Answers

25

Using ca works better, and can remove a certificate in a single step unlike cert. Importantly, it doesn't make you temporarily sign an invalid certificate.

$ puppet ca destroy wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'
Deleted for wrong.host.name: Puppet::SSL::CertificateRequest

The puppet ca command has recently been deprecated so at some point it may go away, but there's no equivalent command. There is a bug filed, which you could vote for if you think it's a bit silly to remove this command with no replacement.

Nick
  • This is the right answer. All of the instructions given by the accepted answer either do not work or require you to sign certificates you know to be bad. – Robert Hafner Apr 08 '15 at 21:01
  • What @tedivm said. Therefore: +1. – gxx Jul 19 '16 at 09:51
  • This works, but it got marked as deprecated. Anyone know what the new method is? – Swiss Apr 11 '17 at 22:41
  • @Swiss do you have a link to some docs showing it's deprecated? – Nick Apr 16 '17 at 16:23
  • @Nick When running it: `Warning: 'puppet ca' is deprecated and will be removed in a future release (at /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/face_base.rb:249:in `main')` – Swiss Apr 17 '17 at 20:38
  • @Swiss Ah yes - can see they did this code change in January - https://github.com/puppetlabs/puppet/commit/3692abf65707b8b305f2817527511b9521313fdc - Not clear what replaces `ca destroy` though! – Nick Apr 18 '17 at 13:36
  • `puppet cert clean` now works to remove requests. See the linked bug report. – 7yl4r Sep 11 '18 at 17:09
3

Possible Solution 1:

Using the puppet cert clean on the puppet master is the proper way. However since you're getting errors you may have a bad inventory of certificates.

Try doing a re-inventory then a clean:

$ puppet cert reinventory
$ puppet cert clean --all

Note: my example uses the --all flag, which will clear out all certificates, signed and unsigned. Also, be aware that the Puppet master should be stopped before running a reinventory.

Source: http://docs.puppetlabs.com/references/3.6.2/man/cert.html

Possible Solution 2:

$ puppet cert sign wrong.host.name
Notice: Signed certificate request for wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'

$ puppet cert clean wrong.host.name
Notice: Revoked certificate with serial 87
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/ca/signed/wrong.host.name.pem'
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/certs/wrong.host.name.pem'

Possible Solution 3:

First: On Server

$ puppet cert --revoke wrong.host.name
$ puppet cert --clean wrong.host.name

Second: On Client

$ rm -rf /usr/lib/puppet/ssl
$ puppet agent --server [puppetmaster domain name] --waitforcert 60

Third: On Server (adjust as necessary)

$ puppet cert --list (you should see your host)
$ puppet cert --sign wrong.host.name

Also, double check that your client can reach your [puppetmaster domain name].

Source: https://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi

tbenz9
  • Thanks, I tried `reinventory` and then `clean wrong.host.name` because I don't want to revoke the good certs too, but I still get the serial number error. – Louis Waweru Jul 17 '14 at 17:40
  • Good catch on the `--all`. I just added an update that is worth a shot. – tbenz9 Jul 17 '14 at 17:46
  • Great, after doing `puppet cert sign wrong.host.name` using `clean` works. Seems wrong that I have to sign it first though. – Louis Waweru Jul 17 '14 at 17:48
  • Also don't forget to restart the puppet master service after cleaning any certificates. – Robert Fey Apr 02 '15 at 19:25
  • FYI, the other answer is *much* better than this one. If you follow OPs advice you're going to run commands that don't work (such as the clean command) or you're going to sign certificates that you know are bad. If you follow the advice below and simply use `puppet ca destroy wrong.host.name` you don't have to introduce security risks to your infrastructure. – Robert Hafner Apr 08 '15 at 21:03
  • @RobertFey: Why would u restart puppet master service after cleaning up ? I don't see any need. – Napster_X Dec 18 '16 at 07:21
  • @GeekRide I remember having to do that for it to pick up all changes. It is possible that it is not needed anymore. – Robert Fey Dec 18 '16 at 08:59
1

Here is how I did it:

[root@puppetmc ca]# puppet cert clean sparrow.home
Error: Could not find a serial number for sparrow.home
[root@puppetmc ca]# cat inventory.txt 
0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home
0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com
0x0004 2015-05-18T00:53:18GMT 2020-05-17T00:53:18GMT /CN=puppetmc.home
0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com
[root@puppetmc ca]# vi  inventory.txt 

added the line below to inventory.txt:

0x0001 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=sparrow.home

then run:

[root@puppetmc ca]# puppet cert clean sparrow.home
Notice: Revoked certificate with serial 1
Notice: Removing file Puppet::SSL::CertificateRequest sparrow.home at '/var/lib/puppet/ssl/ca/requests/sparrow.home.pem'
Vince Bhebhe
lowlysquib
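As an added example (not code from the question or from any of the answers, and not part of Puppet itself), the following POSIX shell script shows what "Could not find a serial number for ..." actually means: `puppet cert clean` and `puppet cert revoke` look the name up in the CA's inventory.txt, and an unsigned request has never been given a serial, so the lookup fails. The script performs that same lookup against a constructed copy of inventory.txt and then lists the pending CSRs that would hit the error, which is the read-only check worth running before deciding between `puppet ca destroy` and an inventory fix like the last answer's. It assumes the inventory.txt line format quoted in the last answer (`<hex serial> <not-before> <not-after> /CN=<name>`) and the `<certname>.pem` file naming in the CA requests directory shown in the "Removing file ..." notices; the inventory lines and request files it uses are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the question or any answer, and not Puppet's own
# tooling): reproduce the serial lookup behind "Could not find a serial number
# for <name>" against a constructed inventory.txt, and list the pending CSRs
# that would hit that error before any clean/revoke is attempted.
#
# Assumptions: inventory.txt lines look like the ones quoted in the last
# answer ("<hex serial> <not-before> <not-after> /CN=<name>"), and pending
# requests are stored as <certname>.pem in the CA requests directory, as the
# "Removing file ... /ssl/ca/requests/<name>.pem" notices on this page show.

# --- constructed sample data (not a real CA) ---------------------------------
SAMPLE_FILE=$(mktemp)
cat > "$SAMPLE_FILE" <<'EOF'
0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home
0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com
0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com
EOF

SAMPLE_REQUESTS=$(mktemp -d)
: > "$SAMPLE_REQUESTS/sparrow.rospop.com.pem"   # CSR whose CN already has a serial
: > "$SAMPLE_REQUESTS/wrong.host.name.pem"      # CSR that was never signed

# inventory_serial INVENTORY CN
# Prints the newest serial recorded for CN (Puppet appends to the file, so the
# last matching line is the most recent issuance). Exits 1 with no output when
# CN has no entry, which is exactly the state "puppet cert clean" errors on.
inventory_serial() {
    awk -v cn="$2" '
        $4 == ("/CN=" cn) { serial = $1; found = 1 }
        END {
            if (!found) exit 1
            print serial
        }
    ' "$1"
}

# inventory_has_cn INVENTORY CN -> prints yes|no and always exits 0
inventory_has_cn() {
    if inventory_serial "$1" "$2" >/dev/null; then echo yes; else echo no; fi
}

# csrs_missing_serial INVENTORY REQUESTS_DIR
# Lists pending CSR names that have no inventory entry: "puppet cert clean"
# and "puppet cert revoke" fail on these by name, so they need "puppet ca
# destroy" (or an inventory repair) rather than being signed just to clean them.
csrs_missing_serial() {
    for pem in "$2"/*.pem; do
        [ -e "$pem" ] || continue      # unmatched glob in an empty directory
        name=${pem##*/}
        name=${name%.pem}
        inventory_serial "$1" "$name" >/dev/null || echo "$name"
    done
}

# Demonstration on the constructed data:
echo "sparrow.rospop.com serial: $(inventory_serial "$SAMPLE_FILE" sparrow.rospop.com)"   # 0x0005
echo "sparrow.home in inventory: $(inventory_has_cn "$SAMPLE_FILE" sparrow.home)"         # no
echo "pending CSRs with no serial:"
csrs_missing_serial "$SAMPLE_FILE" "$SAMPLE_REQUESTS"                                      # wrong.host.name
```

To run the same check against a real Puppet 3.x CA, point the two sample paths at the CA directory seen on this page instead: `/var/lib/puppet/ssl/ca/inventory.txt` and `/var/lib/puppet/ssl/ca/requests`. The script only reads those files; it never signs, revokes or deletes anything, so it is safe to run while deciding which of the answers above applies to each outstanding request.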