Hi Veera, Puppet Server process generates a CA upon first start. The CA will be put into place with a default validity of 5 years.
You can verify the CA using openssl default commands to read CA information in human readable format. Besides this: Puppet 2.7 is super outdated you should consider upgrading Puppet on a fresh server which will then have a new CA with new validity. Best, Martin > On 19. Jul 2019, at 06:52, Veera Mani <[email protected]> wrote: > > Hi, > > I am running puppet-server-2.7.25-1.el5 and puppet-2.7.20-1.el6.rf.noarch > clients. > > A puppet client which is running for more than 5 years is rebuild and > while adding the server to the puppet infrastructure again , we are facing > the below error. > The client is properly removed from the master before it is re-built. > But still while adding the server back , the error occurs. > > running on Jul19 .. > > [root@client1 setup]# puppet agent --server wfpuppet.example.com > --waitforcert 60 --test > info: Creating a new SSL key for client1.example.com > info: Caching certificate for ca > info: Creating a new SSL certificate request for client1.example.com > info: Certificate Request fingerprint (md5): > CE:73:92:B6:37:76:52:57:45:86:C5:D8:68:22:3F:A0 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Caching certificate for ca > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Caching certificate for ca > info: Caching certificate for client1.example.com > info: Retrieving plugin > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at > > ................... Truncated ...................................... > > err: Could not retrieve catalog from remote server: > Thread(#<Thread:0x7f275f7ca370 run>) not locked. > warning: Not using cache on failed catalog > err: Could not retrieve catalog; skipping run > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > info: Not using expired certificate for ca from cache; expired at Tue Jul 16 > 19:12:20 UTC 2019 > > ....................Truncated ................................ > err: Could not request certificate: stack level too deep > > > The configuration remains the same as in any client which is working fine. > Still facing the error? > Is puppet master caching the expired certificate from cache ? > > "expired certificate for ca from cache;" > > > > I have followed the below puppet docs : > > https://ask.puppet.com/question/16111/how-to-renew-expired-puppetmaster-certificates/ > https://ask.puppet.com/question/32858/warning-certificate-puppet-ca-will-expire-on-how-to-renew-certificates-on-302/ > > > -- > You received this message because you are subscribed to the Google Groups > "Puppet Users" group. > To unsubscribe from this group and stop receiving emails from it, send an > email to [email protected]. > To view this discussion on the web visit > https://groups.google.com/d/msgid/puppet-users/e29c37cd-4d69-44a6-b51f-5eefaccff99f%40googlegroups.com. -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/5FA2ECC3-D274-46B5-A13B-55378A2CC378%40gmail.com.
