Maybe our blog can shed some light on this: https://www.example42.com/2018/10/08/puppet6-ca-upgrading/
> On 5. Mar 2019, at 13:49, jmp242 <[email protected]> wrote:
>
> So, I don't want to regenerate my CA master certificate, i.e. I don't want to
> manually replace all the CA certificate file on all my clients. If the ca
> generate is for the puppetserver AGENT certificate, i.e. only used on one
> computer, I can do that. But the docs aren't clear to me which it's talking
> about.
>
> On Monday, March 4, 2019 at 4:56:49 PM UTC-5, Justin Stoller wrote:
> The new ca tool (which is one of the things node clean is calling under the
> hood) uses the CA's http api in most cases and requires special permissions.
> By default, the api now only allows access to most certificate endpoints by
> clients that contain a special cert extension. You can create a cert for
> "foo" with that extension by running `puppetserver ca generate --ca-client
> --certname=foo` (note this is one of the few commands that requires your server
> to be offline). If you don't or can't generate a ca client cert you can add
> an explicit certname that you want to be your ca-client to the "allow" blocks
> in the tk auth.conf.
>
> See: https://puppet.com/docs/puppet/6.3/puppet_server_ca_cli.html for more info.
>
> On Mon, Mar 4, 2019 at 12:43 PM jmp242 <[email protected]> wrote:
> I've upgraded from puppetserver 5, and after doing so I've gotten an error
> trying to clean a certificate.
> Per the "new method", I've tried
>
> puppet node clean fqdn
>
> This worked, for this node, before the update with puppetserver 5.
>
> However, after the update I now get an error:
> puppet node clean fqdn
>
> WARN: Unresolved specs during Gem::Specification.reset:
> facter (< 4, >= 2.0.1)
> WARN: Clearing out unresolved specs.
> Please report a bug if this causes problems.
> Error: When attempting to revoke certificate 'fqdn', received:
> Error: code: 403
> Error: body: Forbidden request: /puppet-ca/v1/certificate_status/fqdn
> (method :put).
> Please see the server logs for details.
> fqdn
>
> I'm not able to find anything by google - any ideas?
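
The "allow" block mentioned in Justin Stoller's reply, sketched as an added example (not part of the thread and not taken from any poster's server): a tk auth.conf rule for the endpoint in the 403 error that accepts either a cert carrying the CA-client extension or one explicitly named certname. `admin-host.example.com` is a placeholder, and the rule name, sort-order and `pp_cli_auth` extension are assumed from the stock Puppet Server 6 auth.conf, so compare them with the rule already in your own file.

```hocon
# Added example: one rule inside authorization.rules in
# /etc/puppetlabs/puppetserver/conf.d/auth.conf (default location; assumed).
{
    # Endpoint from the 403: PUT /puppet-ca/v1/certificate_status/<certname>
    match-request: {
        path: "/puppet-ca/v1/certificate_status"
        type: path
        method: [get, put, delete]
    }
    allow: [
        # Certs created with `puppetserver ca generate --ca-client`
        # carry this extension (assumed name: pp_cli_auth).
        { extensions: { pp_cli_auth: "true" } },
        # Explicit certname allowed to act as CA client (placeholder).
        "admin-host.example.com"
    ]
    sort-order: 500
    name: "puppetlabs cert status"
}
```

Any certname listed in this rule can sign, revoke and clean certificates through the CA API, so keep the list to the one host that actually runs the CA commands.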
