[Puppet Users] Issue retrieving new certificate on host after original certificate was revoked

2013-10-04 Thread J. Adam Craig
Folks --

I am attempting to retrieve a new certificate on a Puppet client whose 
certificate was revoked on the Puppet master.

The original certificate was revoked using the command:

# puppet cert --revoke el5-puptest-2.localdomain


I have deleted the /var/lib/puppet/ssl directory on the client, and issued 
the following command:

# puppet agent --test --waitforcert=20


This produces the following result:

[root@el5-puptest-3 ~]# *puppet agent --test --waitforcert=20*
info: Creating a new SSL key for el5-puptest-3.localdomain
info: Caching certificate for ca
info: Creating a new SSL certificate request for el5-puptest-3.localdomain
info: Certificate Request fingerprint (md5): 
8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
info: Caching certificate for el5-puptest-3.localdomain
notice: Ignoring --listen on onetime run
info: Retrieving plugin
info: Caching certificate_revocation_list for ca
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources 
using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify 
failed Could not retrieve file metadata for 
puppet://rhel-vm-test-6a.ucc.vcu.edu/plugins: certificate verify failed
err: Could not retrieve catalog from remote server: certificate verify 
failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
err: Could not send report: certificate verify failed


I read elsewhere that these issues could be due to the Puppet master being 
configured with Apache / Passenger, and that sometimes a restart of Apache 
on the master is needed to resolve the trouble.  Despite issuing 'service 
httpd restart' on the Puppet master server, I'm still getting the above 
output.

Both the Puppet agent and Puppet master are ver. 2.6.18-3.el6 (from EPEL).

Any assistance is greatly needed and appreciated.

-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-users@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-users.
For more options, visit https://groups.google.com/groups/opt_out.


Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked

2013-10-04 Thread J. Adam Craig
Additionally, I should add that the revoked certificate on the Puppet
master was also cleaned with the following command:

# puppet cert --clean el5-puptest-2.localdomain


And the issue persists as outlined above.

__
*J. Adam Craig*
UNIX Operating Systems Analyst
VCU Computer Center
804.828.4886

Don't be a phishing victim -- VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information.  For more details,
visit http://infosecurity.vcu.edu/phishing.html;




Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked

2013-10-04 Thread J. Adam Craig
Problem solved!  Solution was to add the following line to the [main]
section of '/etc/puppet/puppet.conf' on the agent:

[main]
...
certificate_revocation = false
...


-- Adam

__
*J. Adam Craig*
UNIX Operating Systems Analyst
VCU Computer Center
804.828.4886

Don't be a phishing victim -- VCU and other reputable organizations will
never use email to request that you reply with your password, social
security number or confidential personal information.  For more details,
visit http://infosecurity.vcu.edu/phishing.html;
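
Added example, not part of the original thread and not Puppet's own code: using a constructed CA, it shows what the agent-side `certificate_revocation` setting above switches off. With CRL checking on, OpenSSL gives a distinct error code for a revoked peer and for a CRL dated ahead of the verifier's clock; with it off, the revoked certificate verifies. The store flags stand in for the agent's check as an assumption, and every name and serial is made up.

```ruby
require 'openssl'

# Constructed test PKI: every name, serial and validity window is made up.
def make_cert(cn, serial, key, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 3600, Time.now + 3600
  ca_ext = OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', 'CA:TRUE', true)
  cert.add_extension(ca_ext) unless issuer # only the self-signed root is a CA
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def make_crl(ca, ca_key, revoked_serials, last_update = Time.now - 60)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update, crl.next_update = last_update, last_update + 86_400
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial, entry.time = serial, last_update
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# check_crl: true models revocation checking on, false models it switched off.
def verify(cert, ca, crl, check_crl:)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl) if check_crl
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL if check_crl
  [store.verify(cert), store.error, store.error_string]
end

def demo
  ca_key, key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed CA', 1, ca_key)
  good = make_cert('peer-a.example.test', 2, key, ca, ca_key)
  bad = make_cert('peer-b.example.test', 3, key, ca, ca_key)
  crl = make_crl(ca, ca_key, [3]) # revokes serial 3
  early = make_crl(ca, ca_key, [], Time.now + 1800) # lastUpdate ahead of the verifier's clock
  { good: verify(good, ca, crl, check_crl: true), revoked: verify(bad, ca, crl, check_crl: true),
    revoked_unchecked: verify(bad, ca, crl, check_crl: false),
    crl_from_future: verify(good, ca, early, check_crl: true) }
end

demo.each { |name, result| puts "#{name}: #{result.inspect}" } if $PROGRAM_NAME == __FILE__
```

The third element of each result is OpenSSL's reason string, which is the detail the agent's bare "certificate verify failed" line leaves out.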

