Addition: 'puppet cert clean <someclient>' still works. So this looks very much like a regression introduced by the switch from puppet to puppetserver for certificate handling. @Puppetlabs people: Should I open a jira ticket for this?
Best regards
Karsten

On Friday, 24 May 2019 14:29:31 UTC+2, Karsten Heymann wrote:
>
> Hi everyone,
>
> I have a question: Is the puppetserver expected to honor the srv
> records to find the puppet ca server? We have the problem that since
> switching our puppet server detection from explicit settings in the
> puppet.conf file to srv records, we cannot remove certificates from
> puppetserver any more and get the following error:
>
> root@<puppetmaster>:~# puppetserver ca clean --certname <some-client>
> [... long delay ...]
> Fatal error when running action 'clean'
> Error: Failed connecting to
> https://puppet:8140/puppet-ca/v1/certificate_status/
> Root cause: execution expired
>
> We use a non-standard name for our puppet/puppetca host, and have that
> correctly set up (I hope so) in the DNS:
>
> # dig +short -t SRV _x-puppet-ca._tcp.<our-domain>
> 10 0 8140 <our puppet-ca-server>.
>
> The relevant puppet config looks like this:
>
> # grep -e ^\\[ -e srv -e ca /etc/puppetlabs/puppet/puppet.conf
> [main]
> srv_domain = mip-platform.net
> use_srv_records = true
> vardir = /opt/puppetlabs/puppet/cache
> [agent]
> localconfig = $vardir/localconfig
> usecacheonfailure = true
> [master]
> ca = true
>
> We are using puppet/puppetserver 5:
>
> # puppetserver --version
> puppetserver version: 5.3.8
> root@puppet-b1-01:~# puppet --version
> 5.5.14
>
> Any hints would be greatly appreciated!
>
> Best regards
> Karsten
>
