Addition: 'puppet cert clean <someclient>' still works. So this looks very much like a regression introduced by the switch from puppet to puppetserver for certificate handling. @Puppetlabs people: Should I open a jira ticket for this?
Best regards Karsten Am Freitag, 24. Mai 2019 14:29:31 UTC+2 schrieb Karsten Heymann: > > Hi everyone, > > I have a question: Is the puppetserver expected to honor the srv > records to find the puppet ca server? We have the problem that since > switching our puppet server detection from explicit settings in the > puppet.conf-File to srv records, we cannot remove certificates from > puppetserver any more and get the following error: > > root@<puppetmaster>:~# puppetserver ca clean --certname <some-client> > [... long delay ...] > Fatal error when running action 'clean' > Error: Failed connecting to > https://puppet:8140/puppet-ca/v1/certificate_status/ > Root cause: execution expired > > We use a non-standard name for our puppet/puppetca host, and have that > correctly (I hope so set up) in the DNS: > > # dig +short -t SRV _x-puppet-ca._tcp.<our-domain> > 10 0 8140 <our puppet-ca-server>. > > The relevant puppet config looks like this: > > # grep -e ^\\[ -e srv -e ca /etc/puppetlabs/puppet/puppet.conf > [main] > srv_domain = mip-platform.net > use_srv_records = true > vardir = /opt/puppetlabs/puppet/cache > [agent] > localconfig = $vardir/localconfig > usecacheonfailure = true > [master] > ca = true > > We are using puppet/pupperserver 5: > > # puppetserver --version > puppetserver version: 5.3.8 > root@puppet-b1-01:~# puppet --version > 5.5.14 > > Any hints would be greatly appreciated! > > Best regards > Karsten > -- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscr...@googlegroups.com. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/2ef8b5aa-7093-42ff-9999-c8c69bea9ad9%40googlegroups.com. For more options, visit https://groups.google.com/d/optout.
