How to reject certificate request on Puppet Master?
Using ca works better, and can remove a certificate in a single step unlike cert. Importantly, it doesn't make you temporarily sign an invalid certificate.
$ puppet ca destroy wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'
Deleted for wrong.host.name: Puppet::SSL::CertificateRequest
The puppet ca command has recently been deprecated so at some point it may go away, but there's no equivalent command. There is a bug filed, which you could vote for if you think it's a bit silly to remove this command with no replacement.
Possible Solution 1:
Using the puppet cert clean on the puppet master is the proper way. However, since you're getting errors you may have a bad inventory of certificates.
Try doing a re-inventory then a clean:
$ puppet cert reinventory
$ puppet cert clean --all
Note: my example uses the --all flag; this will clear out all certificates, signed and unsigned. Also, be aware that the Puppet master should be stopped before running a reinventory.
Source: http://docs.puppetlabs.com/references/3.6.2/man/cert.html
Possible Solution 2:
$ puppet cert sign wrong.host.name
Notice: Signed certificate request for wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'
$ puppet cert clean wrong.host.name
Notice: Revoked certificate with serial 87
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/ca/signed/wrong.host.name.pem'
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/certs/wrong.host.name.pem'
Possible Solution 3:
First: On Server
$ puppet cert --revoke wrong.host.name
$ puppet cert --clean wrong.host.name
Second: On Client
$ rm -rf /usr/lib/puppet/ssl
$ puppet agent --server [puppetmaster domain name] --waitforcert 60
Third: On Server (adjust as necessary)
$ puppet cert --list (you should see your host)
$ puppet cert --sign wrong.host.name
Also, double check that your client can reach your [puppetmaster domain name].
Source: https://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi
Here is how I did it:
[root@puppetmc ca]# puppet cert clean sparrow.home
Error: Could not find a serial number for sparrow.home
[root@puppetmc ca]# cat inventory.txt
0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home
0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com
0x0004 2015-05-18T00:53:18GMT 2020-05-17T00:53:18GMT /CN=puppetmc.home
0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com
[root@puppetmc ca]# vi inventory.txt
Added the line below to inventory.txt:
0x0001 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=sparrow.home
Then run:
[root@puppetmc ca]# puppet cert clean sparrow.home
Notice: Revoked certificate with serial 1
Notice: Removing file Puppet::SSL::CertificateRequest sparrow.home at '/var/lib/puppet/ssl/ca/requests/sparrow.home.pem'
Vince Bhebhe
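A small check script, added here and not part of any of the answers above, that inspects a Puppet 3.x CA directory for a host before you pick between puppet ca destroy, puppet cert clean, and the manual inventory.txt edit from the last answer. It assumes the layout the answers show (requests/, signed/ and inventory.txt under /var/lib/puppet/ssl/ca) and builds a constructed sample directory for demonstration.

```sh
# Added example, not code from any of the answers: inspect a Puppet 3.x CA
# directory for a host before choosing between "puppet ca destroy",
# "puppet cert clean" and the manual inventory.txt edit shown in the last answer.
# Layout assumed from the answers: $CADIR/requests/<host>.pem for pending CSRs,
# $CADIR/signed/<host>.pem for signed certs, $CADIR/inventory.txt with
# "<serial> <not-before> <not-after> /CN=<host>" lines (CADIR=/var/lib/puppet/ssl/ca).

# Print the hex serials inventory.txt records for a host (may be several, as
# the sample inventory shows two entries for sparrow.rospop.com).
serials_for_cn() {
    # $1 = inventory.txt path, $2 = host name
    awk -v cn="/CN=$2" '$4 == cn { print $1 }' "$1"
}

# Where does the CA currently keep material for the host?
#   pending - CSR in requests/ ("puppet ca destroy" removes it in one step)
#   signed  - certificate in signed/ ("puppet cert clean" revokes and removes it)
#   absent  - nothing on disk for that name
cert_state() {
    if   [ -f "$1/requests/$2.pem" ]; then echo pending
    elif [ -f "$1/signed/$2.pem" ];   then echo signed
    else                                   echo absent
    fi
}

# "puppet cert clean" revokes by serial, so it fails with "Could not find a
# serial number" when inventory.txt has no entry for the host. Return 0 when a
# serial exists, 1 when the inventory needs fixing first.
clean_has_serial() {
    [ -n "$(serials_for_cn "$1/inventory.txt" "$2")" ]
}

# Constructed sample CA directory mirroring the inventory shown in the last answer.
make_sample_ca() {
    d=$(mktemp -d)
    mkdir -p "$d/requests" "$d/signed"
    printf '%s\n' \
      '0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home' \
      '0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com' \
      '0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com' \
      > "$d/inventory.txt"
    : > "$d/requests/sparrow.home.pem"       # pending CSR with no inventory serial
    : > "$d/signed/sparrow.rospop.com.pem"   # signed and inventoried
    echo "$d"
}
```

Run it against the real CA directory as `cert_state /var/lib/puppet/ssl/ca somehost` and `clean_has_serial /var/lib/puppet/ssl/ca somehost` to see which command applies before touching inventory.txt by hand.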