Issue #5346 has been updated by Nigel Kersten. Status changed from Needs Decision to Closed
Lance Reed wrote:

> so apologies if I am being dense, but is the solution here really to do a
> manual delete of the signed cert file on a master if we need to rebuild /
> replace a host.
> This is something we do ALL the time. we are running into serious confusion
> regarding puppetca -clean -revoke and crl files blocking when a host is
> rebuilt. Is there a documented procedure to correctly rebuild hosts using
> the same name etc. I even have the crl up commented out in my passenger
> configs and this is causing problems.

Lance, as described this doesn't make sense to me.

* Request cert for host `myhost`.
* Clean that cert, (which revokes it *by serial number*)
* Request a new cert for host `myhost`.
* This has a new serial, and shouldn't clash with the revoked one.

I'd need to see more info about this, as on the face of it it doesn't make sense, revocation is by serial number, not by certificate name.

----------------------------------------
Bug #5346: puppetca doc error
https://projects.puppetlabs.com/issues/5346

Author: Ben -
Status: Closed
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version:
Affected Puppet version: 2.6.3
Keywords:
Branch:

the puppetca man page needs updating to include the new --clean behavior of revoking cert.

2.6.3 revokes w/ the --clean option

    $ puppetca --clean server.puppetlabs.com
    notice: Revoked certificate with serial 260
    notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at '/var/lib/puppet/ssl/ca/signed/server.puppetlabs.com.pem'
    notice: Removing file Puppet::SSL::Certificate server.puppetlabs.com at '/var/lib/puppet/ssl/certs/server.puppetlabs.com.pem'

The puppetca man page states

    This is useful when rebuilding hosts, since new certificate signing requests will only be honored if puppet cert does not have a copy of a signed certificate for that host. The certificate of the host remains valid.

PS> I prefer the old behavior. The --revoke option should not be implied w/ --clean.
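The point made in the reply above, that revocation is keyed on serial number and not on host name, as an added example that is not part of the original thread or Puppet's own code. It builds a throwaway CA with Ruby's OpenSSL bindings and issues `myhost` twice; serial 260 is taken from the notice in the report, while serial 261, the CA name and the helper names are constructed for illustration.

```ruby
require "openssl"

DIGEST = "SHA256"

# Issue a certificate; with no ca_cert it is a self-signed CA (constructed test CA).
def issue(cn, serial, key, ca_cert = nil, ca_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert ? ca_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  unless ca_cert
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  end
  cert.sign(ca_key, OpenSSL::Digest.new(DIGEST))
end

# Build a CRL from serial numbers only; no host name is recorded in it.
def build_crl(ca_cert, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  serials.each do |s|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = s
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new(DIGEST))
end

# Verify a certificate against the CA with CRL checking switched on.
def accepted?(cert, ca_cert, crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify(cert)
end

def rebuild_demo
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = issue("Example CA", 1, ca_key)
  old = issue("myhost", 260, OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  before = accepted?(old, ca, build_crl(ca, ca_key, []))  # valid until cleaned
  crl = build_crl(ca, ca_key, [old.serial.to_i])          # clean revokes 260
  fresh = issue("myhost", 261, OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  { before: before, old: accepted?(old, ca, crl), fresh: accepted?(fresh, ca, crl),
    revoked: crl.revoked.map { |r| r.serial.to_i } }
end
```

If a rebuilt host is still rejected, comparing the serial of the certificate it presents with the serials listed in the CRL shows whether it is presenting the old certificate.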
