Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
Eric Sorenson assigned an issue to Eric Sorenson

Puppet / PUP-3741 Puppet certificate revoke issue on Puppetmaster.

Change By: Eric Sorenson
Assignee: AndyParker EricSorenson

This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
--
You received this message because you are subscribed to the Google Groups Puppet Bugs group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
Eric Sorenson commented on PUP-3741

Re: Puppet certificate revoke issue on Puppetmaster.

Hi,

puppet cert clean on the master should do what you expect, as long as you are running it as the root user. You are also right that the error you are seeing is because there is still a cached copy of the agent's certificate, but not its private key, on the master, so when the 'fresh' agent connects, it gets the old certificate.

Can you please run something like:

    find /var /etc -name "<your host name>.pem"

after you run the 'puppet cert clean' command as root? It is possible that it's using a different SSL directory than what you expected, so it's getting an old copy.

To answer the other questions:

1. No, there is not a new certificate issued when the expire date is passed.
2. The masters do not re-issue new certificates over old ones because it is a pretty big security hole (anyone could impersonate another server and take over the real server's certificate identity).
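Added example (not part of the original thread and not Puppet's own code): a shell check for the situation described in the comment above, where a copy of the agent's certificate left on the master no longer matches the agent's regenerated private key. It extends the suggested find by classifying every file it turns up; the host name agent01.example.test, the directory layout and the function names are constructed for the demo.

```shell
#!/bin/sh
# Added example: host name, paths and function names are constructed.

# cert_matches_key CERT KEY -> 0 match, 1 mismatch, 2 CERT or KEY unreadable
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 2
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ]
}

# audit_copies KEY NAME DIR... : classify every NAME.pem found under the DIRs
audit_copies() {
    key=$1; name=$2; shift 2
    find "$@" -type f -name "$name.pem" 2>/dev/null | sort |
    while IFS= read -r f; do
        rc=0; cert_matches_key "$f" "$key" || rc=$?
        case $rc in
            0) echo "match $f" ;;
            1) echo "MISMATCH $f" ;;
            *) echo "not-a-cert $f" ;;   # e.g. the private key file itself
        esac
    done
}

# demo ROOT : build a throwaway layout in which the master still holds the
# old certificate while the agent has generated a new key, then audit it.
demo() {
    root=$1; host=agent01.example.test
    mkdir -p "$root/master/ca/signed" "$root/agent/private_keys" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$host" \
        -keyout "$root/old_key.pem" \
        -out "$root/master/ca/signed/$host.pem" 2>/dev/null || return 1
    openssl genrsa -out "$root/agent/private_keys/$host.pem" 2048 \
        2>/dev/null || return 1
    audit_copies "$root/agent/private_keys/$host.pem" "$host" \
        "$root/master" "$root/agent"
}

tmp=$(mktemp -d) && demo "$tmp"; rm -rf "$tmp"
```

Any path reported as MISMATCH is a stale copy that would produce the "does not match the agent's private key" error if it were served to the agent.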
Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
jennifer kim assigned an issue to jennifer kim

Puppet / PUP-3741 Puppet certificate revoke issue on Puppetmaster.

Change By: jennifer kim
Assignee: AndyParker jenniferkim
Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
jennifer kim updated an issue

Puppet / PUP-3741 Puppet certificate revoke issue on Puppetmaster.

Change By: jennifer kim
Assignee: jenniferkim AndyParker
Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
jennifer kim commented on PUP-3741

Re: Puppet certificate revoke issue on Puppetmaster.

One more question, please. In the situation below, does the puppet master revoke the agent's old certificate, or does it not do anything for the agent by default?

1. The agent's certificate expire date remains.
2. The agent's puppet deletes /var/lib/puppet/ssl and regenerates the certificate.

I really want to know the default setting for revoking certificates on the puppet master first. Any updates are appreciated!!
Jira (PUP-3741) Puppet certificate revoke issue on Puppetmaster.
jennifer kim created an issue

Puppet / PUP-3741 Puppet certificate revoke issue on Puppetmaster.

Issue Type: Bug
Affects Versions: PUP 3.2.4
Assignee: Andy Parker
Components: Server
Created: 2014/12/04 12:18 PM
Environment:
    Puppet master: CentOS 6.4
    Puppet agent: CentOS 6.4
Priority: Normal
Reporter: jennifer kim

Hello,

I have a question about revoking a certificate. It is okay when puppet agents generate a certificate the first time, but we get the error message below when regenerating the puppet certificate after installing CentOS on agents or deleting /var/lib/puppet/ssl/*

    Error: Could not request certificate: The certificate retrieved from the master does not match the agent's private key.
    Certificate fingerprint: 40:71:07:E1:93:5E:3E:1E:C2:1B:AC:55:7D:EA:1D:0C:B5:A6:21:88:50:68:2E:DC:22:F2:61:54:75:FB:76:FE
    To fix this, remove the certificate from both the master and the agent and then start a puppet run, which will automatically regenerate a