Following the instruction to create the certificate from scratch and reissuing one of its agents (especially the smart proxy), it generates a certificate revoke.

In order to remove the revoked certificate, I had to restart the puppet agent service and sign it in the master. Just to test that the agent (in the smart proxy) works, the certificate gets revoked again. Do I have to stop the puppetmaster as well?

On Saturday, October 16, 2021 at 11:47:17 AM UTC-4 treydock wrote:
> If the key and the certificate don't match, you may have to regenerate
> your puppetserver's CA and start from scratch essentially. I'm not aware of
> a way to fix a mismatch without totally starting over from scratch. If you
> want to start from scratch, you usually just delete
> /etc/puppetlabs/puppet/ssl on puppetserver (or move to like /tmp or
> something) and restart daemon and puppetserver should regenerate everything.
>
> On Friday, October 15, 2021 at 12:57:23 PM UTC-4 puppet-bsd wrote:
>> Performed the Verify steps. Seems the values are not equal. Are there any
>> steps in order to make the values equal?
>>
>> On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote:
>>> My advice might not be the best but it's what worked for me when our
>>> master CA certificate expired. These are my raw notes from when I had to
>>> renew our puppetserver certificate. The original certificate was likely
>>> Puppet 4 and expired when running Puppet 6. I googled around and took some
>>> steps from various blog posts I found so most of this isn't my original
>>> idea:
>>>
>>> # Verify
>>> cd /etc/puppetlabs/puppet/ssl/ca
>>> ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
>>>
>>> # Generate new CSR
>>> openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>>>
>>> # Sign
>>> cat > extension.cnf << EOF
>>> [CA_extensions]
>>> basicConstraints = critical,CA:TRUE
>>> nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
>>> keyUsage = critical,keyCertSign,cRLSign
>>> subjectKeyIdentifier = hash
>>> EOF
>>> cp ca_crt.pem ca_crt.pem.old
>>> openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
>>> openssl x509 -in ca_crt.pem -noout -text|grep -A 3 Validity
>>> chown puppet: ./*
>>> cd /etc/puppetlabs/puppet/ssl
>>> cp -a ca/ca_crt.pem certs/ca.pem
>>>
>>> # CLIENTS
>>>
>>> /opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
>>> /opt/puppetlabs/bin/puppet ssl download_cert
>>> systemctl restart choria-server
>>>
>>> For expired client certs, when that happens to me I will do "rm -rf
>>> /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet
>>> which will request new cert then sign the cert and run Puppet again. That
>>> process is rather tedious and not something I've automated really well but
>>> also not something I have had happen frequently as we don't tend to keep
>>> servers around for 5+ years.
>>>
>>> On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:
>>>> Hi all,
>>>>
>>>> I'm new to puppet.
>>>>
>>>> I'm currently using puppet 4.10
>>>>
>>>> Long story short, puppet certificates were expired and by this time, I
>>>> am renewing these certificates one node at a time (including the
>>>> puppetmaster).
>>>>
>>>> Once the puppetmaster got "renewed", I tried to create a node
>>>> successfully but its first run of puppet agent -t was unsuccessful because
>>>> its related smart proxy server certificate had been revoked. Performed a
>>>> certificate renewal for the proxy and the new agent now runs fine.
>>>>
>>>> However, it always happens every time I create a new node. In the past,
>>>> I didn't have to renew proxy certificates. That means that there is
>>>> something/somewhere in puppetmaster that isn't caught up in terms of
>>>> certificates.
>>>>
>>>> One try I made is to regenerate a new CA certificate but it seems it isn't
>>>> successful for the earlier described issue.
>>>>
>>>> Can anyone please point out how to fix the certificate at the puppetmaster
>>>> level?
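As an added example (not code from the thread or from Puppet), the POSIX shell script below turns the "Verify" step from treydock's notes into a reusable check: it compares the public key derived from ca_key.pem with the one embedded in ca_crt.pem and reports how close ca_crt.pem is to expiry, so the choice between re-signing with the existing key and wiping /etc/puppetlabs/puppet/ssl rests on a confirmed mismatch rather than a guess. It assumes openssl is on PATH; the sample CA it generates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a Puppet CA key and
# certificate belong together and whether the certificate is close to expiry,
# before choosing between re-signing (treydock's steps) and wiping the CA.
# Assumes openssl is on PATH.

# 0 if the public key in CERT matches private key KEY, 1 if not, 2 on read error.
# Comparing the whole SubjectPublicKeyInfo instead of an md5 of the RSA
# modulus also works for non-RSA keys and does not depend on a weak digest.
ca_key_matches_cert() {
    key="$1"; cert="$2"
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 2
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ]
}

# 0 if CERT is still valid for at least DAYS more days (default 30).
cert_valid_for_days() {
    cert="$1"; days="${2:-30}"
    openssl x509 -in "$cert" -noout -checkend "$((days * 86400))" >/dev/null 2>&1
}

# Report for a CA directory laid out like /etc/puppetlabs/puppet/ssl/ca.
check_puppet_ca() {
    dir="${1:-/etc/puppetlabs/puppet/ssl/ca}"
    if ca_key_matches_cert "$dir/ca_key.pem" "$dir/ca_crt.pem"; then
        echo "ca_key.pem and ca_crt.pem match: re-signing with the existing key is possible"
    else
        echo "ca_key.pem and ca_crt.pem do NOT match (or are unreadable): regenerate the CA"
    fi
    if cert_valid_for_days "$dir/ca_crt.pem" 30; then
        echo "ca_crt.pem is valid for at least 30 more days"
    else
        echo "ca_crt.pem expires within 30 days or has already expired"
    fi
}

# Constructed sample data: a throwaway CA pair and an unrelated key, so the
# checks can be exercised without touching a real puppetserver.
make_sample_ca() {
    tmp=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Sample Puppet CA" -keyout "$tmp/ca_key.pem" \
        -out "$tmp/ca_crt.pem" >/dev/null 2>&1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$tmp/other_key.pem" >/dev/null 2>&1
    echo "$tmp"
}

check_puppet_ca "${1:-$(make_sample_ca)}"   # pass a real CA dir, else use the sample
```

Run it with /etc/puppetlabs/puppet/ssl/ca as the argument on the puppetserver; with no argument it checks the constructed sample pair.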
