Problem solved!  Solution was to add the following line to the "[main]"
section of '/etc/puppet/puppet.conf' on the agent:

[main]
    ...
    certificate_revocation = false
    ...


-- Adam

______________________
*J. Adam Craig*
UNIX Operating Systems Analyst
VCU Computer Center
804.828.4886

"Don't be a phishing victim -- VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information.  For more details,
visit http://infosecurity.vcu.edu/phishing.html"


On Fri, Oct 4, 2013 at 9:49 AM, J. Adam Craig <[email protected]> wrote:

> Additionally, I should add that the revoked certificate on the Puppet
> master was also cleaned with the following command:
>
> # puppet cert --clean el5-puptest-2.localdomain
>
>
> And the issue persists as outlined above.
>
>
> On Fri, Oct 4, 2013 at 9:43 AM, J. Adam Craig <[email protected]> wrote:
>
>> Folks --
>>
>> I am attempting to retrieve a new certificate on a Puppet client whose
>> certificate was revoked on the Puppet master.
>>
>> The original certificate was revoked using the command:
>>
>> # puppet cert --revoke el5-puptest-2.localdomain
>>
>>
>> I have deleted the /var/lib/puppet/ssl directory on the client, and
>> issued the following command:
>>
>> # puppet agent --test --waitforcert=20
>>
>>
>> This produces the following result:
>>
>> [root@el5-puptest-3 ~]# puppet agent --test --waitforcert=20
>> info: Creating a new SSL key for el5-puptest-3.localdomain
>> info: Caching certificate for ca
>> info: Creating a new SSL certificate request for el5-puptest-3.localdomain
>> info: Certificate Request fingerprint (md5): 8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
>> info: Caching certificate for el5-puptest-3.localdomain
>> notice: Ignoring --listen on onetime run
>> info: Retrieving plugin
>> info: Caching certificate_revocation_list for ca
>> err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
>> err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://rhel-vm-test-6a.ucc.vcu.edu/plugins: certificate verify failed
>> err: Could not retrieve catalog from remote server: certificate verify failed
>> warning: Not using cache on failed catalog
>> err: Could not retrieve catalog; skipping run
>> err: Could not send report: certificate verify failed
>>
>>
>> I read elsewhere that these issues could be due to the Puppet master
>> being configured with Apache / Passenger, and that sometimes a restart of
>> Apache on the master is needed to resolve the trouble.  Despite issuing
>> 'service httpd restart' on the Puppet master server, I'm still getting the
>> above output.
>>
>> Both the Puppet agent and Puppet master are ver. 2.6.18-3.el6 (from EPEL).
>>
>> Any assistance is greatly needed and appreciated.
>>
>> --
>> You received this message because you are subscribed to the Google Groups
>> "Puppet Users" group.
>> To unsubscribe from this group and stop receiving emails from it, send an
>> email to [email protected].
>> To post to this group, send email to [email protected].
>> Visit this group at http://groups.google.com/group/puppet-users.
>> For more options, visit https://groups.google.com/groups/opt_out.
>>
>
>
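
An added example, not part of the original thread and not Puppet's own code: a small Python audit that reports whether a puppet.conf leaves CRL checking off for agent runs, the state that 'certificate_revocation = false' produces, in which the agent no longer consults the CA's revocation list. It assumes the run-mode section ([agent]) overrides [main], that settings before any section header count as [main], and that the setting defaults to true; the sample configs and the function names are constructed for illustration.

```python
import re

SECTION = re.compile(r"^\[(\w+)\]$")
SETTING = re.compile(r"^(\w+)\s*=\s*(.*)$")

def parse_puppet_conf(text):
    """Parse INI-style puppet.conf text into {section: {setting: value}}."""
    sections, current = {}, "main"  # assumption: pre-header settings count as [main]
    for raw in text.splitlines():
        line = raw.strip()            # settings are often indented, as in the thread
        if not line or line.startswith("#"):
            continue                  # blank line or full-line comment
        header = SECTION.match(line)
        if header:
            current = header.group(1)
            continue
        setting = SETTING.match(line)
        if setting:                   # anything else (e.g. "...") is ignored
            sections.setdefault(current, {})[setting.group(1)] = setting.group(2).strip()
    return sections

def crl_check_status(text, run_mode="agent"):
    """Return (enabled, source) for certificate_revocation in the given run mode."""
    conf = parse_puppet_conf(text)
    for section in (run_mode, "main"):   # assumption: run-mode section wins over [main]
        value = conf.get(section, {}).get("certificate_revocation")
        if value is not None:
            return value.lower() != "false", section
    return True, "default"               # Puppet's default is to check the CRL

# Constructed samples; the first mirrors the change described in the thread.
WORKAROUND = "[main]\n    ...\n    certificate_revocation = false\n    ...\n"
OVERRIDDEN = "[main]\ncertificate_revocation = false\n[agent]\ncertificate_revocation = true\n"
COMMENTED = "[main]\n# certificate_revocation = false\nserver = puppet.example.test\n"

if __name__ == "__main__":
    for name, sample in [("workaround", WORKAROUND), ("overridden", OVERRIDDEN),
                         ("commented", COMMENTED)]:
        enabled, source = crl_check_status(sample)
        print(f"{name}: CRL checking {'on' if enabled else 'OFF'} (from {source})")
```
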
