I have a problem I can't figure out. I was having cert problems with a host - it seemed to have multiple host names (most likely from DNS changes in the past) and all the certs were valid. Although it was giving an error about a cert I could not identify. So I tried:

puppetca --revoke hostname
puppetca --clean hostname

restart puppetmaster

puppetca --list --all
(host does not show up - good)

On client re-issue puppetd --server puppet --waitforcert 30 --test

Error is:

err: Could not retrieve catalog: Certificates were not trusted: sslv3 alert certificate revoked

So how do I get rid of it? I can't find a cert anywhere with either a valid cert or revoked.. Did I do this wrong? How do you remove and re-add a host?

thanks
~J~

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

On Apr 21, 2010, at 11:30 AM, Jewels wrote:
> I have a problem I can't figure out. I was having cert problems with a
> host - it seemed to have multiple host names (most likely from DNS
> changes in the past) and all the certs were valid. Although it was
> giving an error about a cert I could not identify. So I tried:
>
> puppetca --revoke hostname
> puppetca --clean hostname
>
> restart puppetmaster
>
> puppetca --list --all
> (host does not show up - good)
>
> On client re-issue puppetd --server puppet --waitforcert 30 --test
>
> Error is :
>
> err: Could not retrieve catalog: Certificates were not trusted: sslv3
> alert certificate revoked
>
> So how do I get rid of it? I can't find a cert anywhere with either a
> valid cert or revoked.. Did I do this wrong? How do you remove and
> re-add a host?

My best guess is that you didn't actually tell the client to get a new cert. A trivial (and overkill) way to do that is to wipe the puppet var directory on the CLIENT. It should be one of these.

/var/puppet
/var/lib/puppet
/etc/puppet/var

Just shut down puppet, move the directory somewhere else, and see if that fixes it.

On Wed, 21 Apr 2010, Jewels wrote:
> puppetca --revoke hostname
> puppetca --clean hostname

You added the old cert's serial number to a revocation list, and then removed the cert from puppetca. The cert might or might not still exist on the client.

> On client re-issue puppetd --server puppet --waitforcert 30 --test
>
> Error is :
>
> err: Could not retrieve catalog: Certificates were not trusted: sslv3
> alert certificate revoked

OK, the cert did still exist on the client; the client puppetd tried to use it, the server noticed that its serial number was in the revocation list, and the server refused to do anything more.

> So how do I get rid of it? I can't find a cert anywhere with either a
> valid cert or revoked.. Did I do this wrong? How do you remove and
> re-add a host?

Stop puppetd, and rm -rf /etc/puppet/ssl on the client. Next time you start puppetd, it will generate a new key for itself, generate a new certificate signing request for that key, and send the request to the server.

--apb (Alan Barrett)

That was it... I kept forgetting the client. So stupid. I kept thinking it was based on the server. My bad.

THANK YOU FOR THE QUICK RESPONSE! I am back in operation again... Yay!
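
Added example, not part of the thread: the sequence Alan Barrett describes, reproduced with a throwaway OpenSSL CA standing in for the puppetmaster's CA. The CA name, host name and file names are constructed for the demo; it shows the certificate left on the client staying rejected under CRL checking while a certificate issued for a freshly generated key is accepted.

```shell
# Constructed demo: a throwaway OpenSSL CA stands in for the puppetmaster's CA.
# demo-ca, agent.example.test and all file names are made up for this example.
set -e
D=$(mktemp -d); cd "$D"
mkdir newcerts; : > index.txt; echo 01 > serial
cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
serial = serial
new_certs_dir = newcerts
certificate = ca.pem
private_key = ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
unique_subject = no
policy = any
[ any ]
commonName = supplied
EOF
# issue <name>: the "client" makes a new key and CSR, the "server" CA signs it.
issue() {
  openssl req -config ca.cnf -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" -subj "/CN=agent.example.test" >/dev/null 2>&1
  openssl ca -batch -config ca.cnf -in "$1.csr" -out "$1.pem" >/dev/null 2>&1
}
# cert_status <cert>: verify against the CA with CRL checking switched on.
cert_status() {
  out=$(openssl verify -crl_check -CAfile ca.pem -CRLfile crl.pem "$1" 2>&1) || true
  case $out in
    *"certificate revoked"*) echo revoked ;;
    *": OK"*) echo ok ;;
    *) echo error ;;
  esac
}
openssl req -x509 -config ca.cnf -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem -subj "/CN=demo-ca" -days 30 >/dev/null 2>&1
issue old                                                   # the cert the client already holds
openssl ca -config ca.cnf -revoke old.pem >/dev/null 2>&1   # serial goes on the revocation list
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
issue new                                                   # client wiped its ssl dir and re-requested
echo "old cert still on client: $(cert_status old.pem)"
echo "freshly issued cert:      $(cert_status new.pem)"
```

Both certificates carry the same subject name; only the serial number differs, which is why cleaning up on the server alone did not help.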