Following the instruction to create the certificate from scratch and 
reissuing one of its agents (especially the smart proxy), it generates a 
certificate revocation. 

In order to remove the revoked certificate, I had to restart the puppet 
agent service and sign it on the master. Just to test that the agent (in the 
smart proxy) works, the certificate gets revoked again.

Do I have to stop the puppetmaster as well?

On Saturday, October 16, 2021 at 11:47:17 AM UTC-4 treydock wrote:

> If the key and the certificate don't match, you may have to regenerate 
> your puppetserver's CA and start from scratch essentially. I'm not aware of 
> a way to fix a mismatch without totally starting over from scratch.  If you 
> want to start from scratch, you usually just delete 
> /etc/puppetlabs/puppet/ssl on puppetserver (or move to like /tmp or 
> something) and restart daemon and puppetserver should regenerate everything.
>
> On Friday, October 15, 2021 at 12:57:23 PM UTC-4 puppet-bsd wrote:
>
>> Performed the Verify steps. Seems the values are not equal. Are there any 
>> steps in order to make the values equal?
>>
>>
>> On Friday, October 15, 2021 at 9:34:11 AM UTC-4 treydock wrote:
>>
>>> My advice might not be the best but it's what worked for me when our 
>>> master CA certificate expired.  These are my raw notes from when I had to 
>>> renew our puppetserver certificate. The original certificate was likely 
>>> Puppet 4 and expired when running Puppet 6.  I googled around and took some 
>>> steps from various blog posts I found, so most of these aren't my original 
>>> ideas:
>>>
>>>  # Verify: the md5 of the key's modulus and of the cert's modulus must match
>>>  cd /etc/puppetlabs/puppet/ssl/ca
>>>  ( openssl rsa -noout -modulus -in ca_key.pem 2> /dev/null | openssl md5 ; openssl x509 -noout -modulus -in ca_crt.pem 2> /dev/null | openssl md5 )
>>>
>>>  # Generate new CSR from the existing CA cert, signed with the existing CA key
>>>  openssl x509 -x509toreq -in ca_crt.pem -signkey ca_key.pem -out ca_csr.pem
>>>
>>>  # Sign: re-issue the CA cert for 10 years with the CA extensions restored
>>>  cat > extension.cnf << EOF
>>>  [CA_extensions]
>>>  basicConstraints = critical,CA:TRUE
>>>  nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
>>>  keyUsage = critical,keyCertSign,cRLSign
>>>  subjectKeyIdentifier = hash
>>>  EOF
>>>  cp ca_crt.pem ca_crt.pem.old
>>>  openssl x509 -req -days 3650 -in ca_csr.pem -signkey ca_key.pem -out ca_crt.pem -extfile extension.cnf -extensions CA_extensions
>>>  openssl x509 -in ca_crt.pem -noout -text | grep -A 3 Validity
>>>  chown puppet: ./*
>>>  cd /etc/puppetlabs/puppet/ssl
>>>  cp -a ca/ca_crt.pem certs/ca.pem
>>>
>>>  # CLIENTS: drop the cached CA cert and fetch the new one from the server
>>>  /opt/puppetlabs/bin/puppet resource file /etc/puppetlabs/puppet/ssl/certs/ca.pem ensure=absent
>>>  /opt/puppetlabs/bin/puppet ssl download_cert
>>>  systemctl restart choria-server
>>>
>>> For expired client certs, when that happens to me I will do "rm -rf 
>>> /etc/puppetlabs/puppet/ssl" on the agent (never master) and then run Puppet, 
>>> which will request a new cert; then I sign the cert and run Puppet again.  That 
>>> process is rather tedious and not something I've automated really well, but 
>>> also not something I have had happen frequently as we don't tend to keep 
>>> servers around for 5+ years.
>>>
>>> On Thursday, October 14, 2021 at 4:09:14 PM UTC-4 puppet-bsd wrote:
>>>
>>>> Hi all,
>>>>
>>>> I'm new to puppet. 
>>>>
>>>> I'm currently using puppet 4.10.
>>>>
>>>> Long story short, puppet certificates were expired and by this time, I 
>>>> am renewing these certificates one node at a time (including the 
>>>> puppetmaster). 
>>>>
>>>> Once the puppetmaster got "renewed", I tried to create a node 
>>>> successfully, but its first run of puppet agent -t was unsuccessful because 
>>>> its related smart proxy server certificate was revoked. I performed a 
>>>> certificate renewal for the proxy and the new agent now runs fine.
>>>>
>>>> However, it happens every time I create a new node. In the past, 
>>>> I didn't have to renew proxy certificates. That means that there is 
>>>> something/somewhere in puppetmaster that isn't caught up in terms of 
>>>> certificates.
>>>>
>>>> One try I made was to regenerate a new CA certificate, but it seems it wasn't 
>>>> successful for the issue described earlier.
>>>>
>>>> Can anyone please point out how to fix the certificate at the puppetmaster 
>>>> level? 
>>>>
>>>>

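Added example (not code from the thread, and not Puppet's own tooling): the Verify and Sign steps from treydock's notes above, wrapped in shell functions and exercised against a constructed throwaway CA in a temp directory, so the key/cert modulus check and the re-signing can be rehearsed before touching /etc/puppetlabs. The function names, the temp-dir layout and the example CN are assumptions of this example; the modulus is compared as text rather than through md5 (the md5 in the notes is only a shorter fingerprint of the same value). The Puppet-specific steps from the notes (copying to certs/ca.pem, chown puppet:, the client commands) are left out because they need a puppetserver to run against.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: rehearse the "Verify" and "Sign" steps
# of a Puppet CA renewal against a throwaway CA (constructed below), so the
# procedure is tested without touching /etc/puppetlabs.
set -e

# Verify step: the RSA modulus of the CA key must equal the modulus embedded
# in the CA certificate; returns 0 when they match, 1 when they do not or
# when either file cannot be parsed.
ca_key_matches_cert() {
  local key="$1" crt="$2" kmod cmod
  kmod=$(openssl rsa -noout -modulus -in "$key" 2>/dev/null) || return 1
  cmod=$(openssl x509 -noout -modulus -in "$crt" 2>/dev/null) || return 1
  [ "$kmod" = "$cmod" ]
}

# Sign step: turn the existing CA cert back into a CSR (keeps the subject),
# re-sign it with the same CA key for $3 days, and re-apply the CA extensions
# from the notes. Refuses to run when key and cert do not match, keeps a
# copy of the previous cert as "$2.old", and writes the new cert to $4.
renew_ca_cert() {
  local key="$1" crt="$2" days="$3" out="$4" dir
  dir=$(dirname "$out")
  ca_key_matches_cert "$key" "$crt" || { echo "CA key and cert do not match" >&2; return 1; }
  cat > "$dir/extension.cnf" <<'EOF'
[CA_extensions]
basicConstraints = critical,CA:TRUE
nsComment = "Puppet Ruby/OpenSSL Internal Certificate"
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
  openssl x509 -x509toreq -in "$crt" -signkey "$key" -out "$dir/ca_csr.pem" 2>/dev/null
  cp "$crt" "$crt.old"
  openssl x509 -req -days "$days" -in "$dir/ca_csr.pem" -signkey "$key" \
    -out "$out" -extfile "$dir/extension.cnf" -extensions CA_extensions 2>/dev/null
}

# The value the notes grep out of the Validity block: the certificate's notAfter.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate | cut -d= -f2
}

# Constructed test fixture (assumption of this example): a self-signed CA that
# is valid for only one day, standing in for an expired Puppet CA.
make_test_ca() {
  local dir
  dir=$(mktemp -d)
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Puppet CA: example.test" \
    -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" 2>/dev/null
  echo "$dir"
}

# Stand-alone run: build the fixture, verify, renew for ten years, report.
if [ "${0##*/}" != "sh" ] && [ "${0##*/}" != "bash" ]; then
  D=$(make_test_ca)
  ca_key_matches_cert "$D/ca_key.pem" "$D/ca_crt.pem" && echo "key/cert match: ok"
  renew_ca_cert "$D/ca_key.pem" "$D/ca_crt.pem" 3650 "$D/ca_crt.pem"
  echo "old notAfter: $(cert_not_after "$D/ca_crt.pem.old")"
  echo "new notAfter: $(cert_not_after "$D/ca_crt.pem")"
fi
```

Run it once against the temp fixture, then, if the output looks right, point the two functions at a copy of the real ca_key.pem and ca_crt.pem. The mismatch guard in renew_ca_cert is the point of the Verify step: when the modulus differs, re-signing produces a certificate the existing key cannot use, which is the situation treydock says can only be fixed by regenerating the CA.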
-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/e518ba70-efba-4e52-a5c3-106ad2d04094n%40googlegroups.com.
