Issue #16657 has been updated by Peter Meier.
I think this essentially means that you cannot clean pending requests. Either you sign them first or manually remove the request file.

Debug output from a failing run on latest 2.7:

<pre>
[root@puppetmaster ~]# puppet cert clean foo --debug --trace
debug: Puppet::Type::User::ProviderUser_role_add: file roleadd does not exist
debug: Puppet::Type::User::ProviderDirectoryservice: file /usr/bin/dscl does not exist
debug: Puppet::Type::User::ProviderLdap: true value when expecting false
debug: Puppet::Type::User::ProviderPw: file pw does not exist
debug: Failed to load library 'ldap' for feature 'ldap'
debug: /File[/var/lib/puppet/sslmaster/ca/ca_crl.pem]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/ca/ca_crt.pem]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/ca/inventory.txt]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/certs/ca.pem]: Autorequiring File[/var/lib/puppet/sslmaster/certs]
debug: /File[/var/lib/puppet/sslmaster/private_keys]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/ca/signed]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/public_keys/puppetmaster.domain.local.pem]: Autorequiring File[/var/lib/puppet/sslmaster/public_keys]
debug: /File[/var/lib/puppet/sslmaster/private]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/ca/serial]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/ca/ca_key.pem]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/certs]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/facts]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/state]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/sslmaster]: Autorequiring File[/var/lib/puppet]
debug: /File[/var/lib/puppet/sslmaster/certs/puppetmaster.domain.local.pem]: Autorequiring File[/var/lib/puppet/sslmaster/certs]
debug: /File[/var/lib/puppet/sslmaster/ca]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/certificate_requests]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/public_keys]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/private_keys/puppetmaster.domain.local.pem]: Autorequiring File[/var/lib/puppet/sslmaster/private_keys]
debug: /File[/var/lib/puppet/sslmaster/ca/ca_pub.pem]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/crl.pem]: Autorequiring File[/var/lib/puppet/sslmaster]
debug: /File[/var/lib/puppet/sslmaster/ca/private/ca.pass]: Autorequiring File[/var/lib/puppet/sslmaster/ca/private]
debug: /File[/var/lib/puppet/sslmaster/ca/requests]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/sslmaster/ca/private]: Autorequiring File[/var/lib/puppet/sslmaster/ca]
debug: /File[/var/lib/puppet/lib]: Autorequiring File[/var/lib/puppet]
debug: Finishing transaction 70225186214240
debug: Using cached certificate for ca
debug: Using cached certificate_revocation_list for ca
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:235:in `revoke'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:24:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:24:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:23:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:23:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:74:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/application/cert.rb:189:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:317:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
err: Could not call revoke: Could not find a serial number for foo
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:235:in `revoke'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:24:in `send'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:24:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:23:in `each'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority/interface.rb:23:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/ssl/certificate_authority.rb:74:in `apply'
/usr/lib/ruby/site_ruby/1.8/puppet/application/cert.rb:189:in `main'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:317:in `run_command'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:416:in `hook'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:407:in `exit_on_fail'
/usr/lib/ruby/site_ruby/1.8/puppet/application.rb:309:in `run'
/usr/lib/ruby/site_ruby/1.8/puppet/util/command_line.rb:69:in `execute'
/usr/bin/puppet:4
Could not find a serial number for foo
</pre>

----------------------------------------
Bug #16657: puppet cert clean does not work for CSRs with DNS alt names
https://projects.puppetlabs.com/issues/16657#change-91621

* Author: Ruth Linehan
* Status: Accepted
* Priority: Normal
* Assignee: eric sorenson
* Category: SSL
* Target version: 3.x
* Affected Puppet version: 2.7.19
* Keywords:
* Branch:
----------------------------------------
On my puppet master on 2.7.19 (PE 2.6.0), if I try to run ``puppet cert
clean`` on a pending CSR with DNS alt names I get the error

    err: Could not call revoke: Could not find a serial number for node01
    Could not find a serial number for node01

On 2.7.12 (PE 2.5.2) I got the same error, but it would still remove the CSR:

    err: Could not call revoke: Could not find a serial number for node01
    notice: Removing file Puppet::SSL::CertificateRequest node01 at '/etc/puppetlabs/puppet/ssl/ca/requests/node01.pem'

This only happens with If it is signed first, then it can be cleaned.

Furthermore, (thanks nfagerlund for this) it works fine if the CSR was submitted by a puppet agent process using the same ssldir as the puppet master, but it blows up if the CSR came from a different node.
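The manual workaround mentioned in the comment above (removing the request file when `puppet cert clean` fails on a pending CSR), as an added shell example that is not part of the original messages or of Puppet. It assumes the `requests/` and `signed/` layout under the CA directory seen in the debug output; the function name and return codes are hypothetical.

```shell
#!/bin/sh
# Added example (not Puppet code): remove a pending CSR from the CA's
# request directory by hand.
# Assumed layout: <cadir>/requests/<certname>.pem for pending requests and
# <cadir>/signed/<certname>.pem for signed certificates.

# remove_pending_csr CADIR CERTNAME
# Returns: 0 removed, 1 rejected name, 2 already signed, 3 no pending request.
remove_pending_csr() {
    cadir=$1
    name=$2

    # The certname becomes a file name, so refuse anything that could
    # resolve outside requests/ (empty, leading dot, slash, odd characters).
    case $name in
        ''|.*|*/*|*[!A-Za-z0-9._-]*)
            echo "refusing suspicious certname: $name" >&2
            return 1 ;;
    esac

    # Per the report, a certificate that has been signed can be cleaned
    # normally, so leave that case to puppet itself.
    if [ -e "$cadir/signed/$name.pem" ]; then
        echo "$name is signed; use: puppet cert clean $name" >&2
        return 2
    fi

    csr="$cadir/requests/$name.pem"
    # Only delete a regular file, never a symlink pointing elsewhere.
    if [ ! -f "$csr" ] || [ -L "$csr" ]; then
        echo "no pending request for $name in $cadir/requests" >&2
        return 3
    fi

    rm -f -- "$csr" && echo "removed pending request $csr"
}

# Usage (paths as in the debug output above):
#   remove_pending_csr /var/lib/puppet/sslmaster/ca foo
```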
