Yes, this is a known bug, and we do already have a ticket for it, https://tickets.puppetlabs.com/browse/SERVER-2451. We are planning a round of improvements and bug fixes for the `puppetserver ca` CLI, and this is high on the list.
I'm glad you found a workaround. Since the CLI tool is shipped as a gem, if you would like to continue using the new CLI once this has been fixed, you can update just the gem out of band using

    /opt/puppetlabs/puppet/bin/gem install -i /opt/puppetlabs/puppet/lib/ruby/vendor_gems puppetserver-ca

On Fri, May 24, 2019 at 7:41 AM Karsten Heymann <[email protected]> wrote:

> Addition:
>
> 'puppet cert clean <someclient>' still works. So this looks very much like
> a regression introduced by the switch from puppet to puppetserver for
> certificate handling. @Puppetlabs people: Should I open a jira ticket for
> this?
>
> Best regards
> Karsten
>
> On Friday, May 24, 2019 at 14:29:31 UTC+2, Karsten Heymann wrote:
>>
>> Hi everyone,
>>
>> I have a question: Is the puppetserver expected to honor the srv
>> records to find the puppet ca server? We have the problem that since
>> switching our puppet server detection from explicit settings in the
>> puppet.conf file to srv records, we cannot remove certificates from
>> puppetserver any more and get the following error:
>>
>> root@<puppetmaster>:~# puppetserver ca clean --certname <some-client>
>> [... long delay ...]
>> Fatal error when running action 'clean'
>> Error: Failed connecting to
>> https://puppet:8140/puppet-ca/v1/certificate_status/
>> Root cause: execution expired
>>
>> We use a non-standard name for our puppet/puppetca host, and have that
>> correctly (I hope) set up in the DNS:
>>
>> # dig +short -t SRV _x-puppet-ca._tcp.<our-domain>
>> 10 0 8140 <our puppet-ca-server>.
>>
>> The relevant puppet config looks like this:
>>
>> # grep -e ^\\[ -e srv -e ca /etc/puppetlabs/puppet/puppet.conf
>> [main]
>> srv_domain = mip-platform.net
>> use_srv_records = true
>> vardir = /opt/puppetlabs/puppet/cache
>> [agent]
>> localconfig = $vardir/localconfig
>> usecacheonfailure = true
>> [master]
>> ca = true
>>
>> We are using puppet/puppetserver 5:
>>
>> # puppetserver --version
>> puppetserver version: 5.3.8
>> root@puppet-b1-01:~# puppet --version
>> 5.5.14
>>
>> Any hints would be greatly appreciated!
>>
>> Best regards
>> Karsten
