Josiah Ritchie
2013-Jun-13 19:40 UTC
[Puppet Users] Agent revoked and reinstalled, now can't get server to see its new cert
I have an Ubuntu agent that I did all sorts of things to, including revoking the cert. It was a master for a while and I played with foreman on it. I then went through and apt-get purged all puppet related packages and cleaned out anything left in the file system that had the name "puppet" in it, including puppet-common, and did an apt-get autoremove.

After the cleanup I went to the master and did a 'puppet cert clean agent.name' and checked 'puppet cert list --all' to be certain it wasn't present, stopped apache2 and made sure all master and passenger services were stopped. Restarted apache2.

I went back to the agent, 'sudo apt-get install puppet' and 'sudo puppet agent -t'. It generated the new key using the name I'd expect and cached it, exiting with the message "no certificate found and waitforcert is disabled".

I can ping puppet and puppet.mydomain from the agent. It has the proper IP set in /etc/hosts. The master can also ping the agent using the appropriate name, with and without domain.

I went into /var/lib/puppet/ssl/ca/inventory.txt and removed the reference to the agent. I confirmed nothing was in /var/lib/puppet/ssl/certificate_requests, this agent is not in /var/lib/puppet/ssl/ca/signed, and ca/requests is empty.

I tried 'locate agentname' and found nothing in the file system.

I used tcpdump to confirm that when I run 'puppet agent -t' on the agent it does talk to the master and the master talks back on port 8140.

If I run it as 'sudo puppet agent --server puppet.mydomain --no-daemonize --onetime --certname testagent.myotherdomain --waitforcert 60', it dutifully creates a cert and waits while I go to the master and find nothing in the 'puppet cert list'. Every 60 seconds I see 17 packets of info passed around.

What else can I do to get this agent back in the pen?

Thanks,
JSR/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com. To post to this group, send email to puppet-users@googlegroups.com. Visit this group at http://groups.google.com/group/puppet-users. For more options, visit https://groups.google.com/groups/opt_out.
Josiah Ritchie
2013-Jun-14 18:43 UTC
[Puppet Users] Re: Agent revoked and reinstalled, now can't get server to see its new cert
I just tried adding another agent without the cruft of the past to the puppet master and am getting the same activity as I was with the previous note. The two interact with each other and then simply. I tried wiping out the puppet/ssl directory of the master and another agent, then running the master in debug and the agent in --no-daemonize --debug and the agents with --waitforcert 60.

I keep seeing this in the master, but can only find information on what this means when it comes from the agent:

Info: Could not find certificate for 'agent1'
Info: Could not find certificate for 'agent2'
Info: Could not find certificate for 'agent3'

When I type 'sudo puppet cert list' it still shows me nothing to sign. When I try that with --all, it only shows me its own cert.
Nick Fagerlund
2013-Jun-14 20:49 UTC
[Puppet Users] Re: Agent revoked and reinstalled, now can't get server to see its new cert
Is this the behavior we covered in this other thread? https://groups.google.com/forum/?fromgroups=#!topic/puppet-users/znlupoGbigM

If an agent has an old file hanging around in certificate_requests, it will try to download a signed certificate without first asking to have one signed.
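Nick's stale-CSR explanation and the per-directory checks Josiah walks through (certificate_requests, ca/requests, ca/signed, inventory.txt) can be turned into a quick on-disk state check. This is an added example, not Puppet's own tooling or code from the thread; the directory layout is taken from the paths named above and the inventory.txt line format (serial, dates, /CN=name) is an assumption.

```shell
# Added example, not Puppet's own tooling: inspect the on-disk SSL state that
# 'puppet agent' and the CA consult. Assumes the Puppet 3-era layout
# $ssldir/{private_keys,certificate_requests,certs} on the agent and
# $ssldir/ca/{requests,signed,inventory.txt} on the master.

# Agent side. A cached CSR without a cert means the agent only polls for a
# signed cert and never re-submits the request (Nick's stale-CSR case).
puppet_agent_cert_state() {
    ssldir=$1; certname=$2
    if [ -f "$ssldir/certs/$certname.pem" ]; then
        echo signed
    elif [ -f "$ssldir/certificate_requests/$certname.pem" ]; then
        echo csr-cached
    elif [ -f "$ssldir/private_keys/$certname.pem" ]; then
        echo key-only
    else
        echo clean
    fi
}

# CA side: what 'puppet cert list' (requests) and '--all' (signed) would show.
puppet_ca_cert_state() {
    ssldir=$1; certname=$2
    if [ -f "$ssldir/ca/signed/$certname.pem" ]; then
        echo signed
    elif [ -f "$ssldir/ca/requests/$certname.pem" ]; then
        echo requested
    else
        echo unknown
    fi
}

# True when inventory.txt still lists the certname (assumed format: serial, dates, /CN=name).
puppet_ca_inventory_lists() {
    grep -q "/CN=$2\$" "$1/ca/inventory.txt" 2>/dev/null
}

# Combine the two state words (they may be gathered on different hosts).
puppet_cert_diagnose() {
    case "$1:$2" in
        signed:signed)        echo "ok: cert issued and installed" ;;
        signed:*)             echo "agent holds a cert the CA does not know: wipe the agent ssldir and request again" ;;
        csr-cached:unknown)   echo "stale CSR: delete certificate_requests/<name>.pem on the agent and rerun 'puppet agent -t'" ;;
        csr-cached:requested) echo "pending: 'puppet cert sign <name>' on the master" ;;
        *:signed)             echo "cert issued but not installed: agent should fetch it on the next run" ;;
        *)                    echo "no request on the CA yet: rerun the agent with --waitforcert" ;;
    esac
}
```

Run puppet_agent_cert_state against the agent's ssldir and puppet_ca_cert_state against the master's, then feed the two words to puppet_cert_diagnose.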
Josiah Ritchie
2013-Jun-14 21:15 UTC
[Puppet Users] Re: Agent revoked and reinstalled, now can't get server to see its new cert
No, I don't have anything in the certificate_requests folder.