J. Adam Craig
2013-Oct-04 13:43 UTC
[Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Folks --

I am attempting to retrieve a new certificate on a Puppet client whose certificate was revoked on the Puppet master.

The original certificate was revoked using the command:

    # puppet cert --revoke el5-puptest-2.localdomain

I have deleted the /var/lib/puppet/ssl directory on the client, and issued the following command:

    # puppet agent --test --waitforcert=20

This produces the following result:

    [root@el5-puptest-3 ~]# puppet agent --test --waitforcert=20
    info: Creating a new SSL key for el5-puptest-3.localdomain
    info: Caching certificate for ca
    info: Creating a new SSL certificate request for el5-puptest-3.localdomain
    info: Certificate Request fingerprint (md5): 8E:F4:C6:25:17:7F:46:91:F6:D3:45:FB:F5:63:19:B4
    info: Caching certificate for el5-puptest-3.localdomain
    notice: Ignoring --listen on onetime run
    info: Retrieving plugin
    info: Caching certificate_revocation_list for ca
    err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
    err: /File[/var/lib/puppet/lib]: Could not evaluate: certificate verify failed Could not retrieve file metadata for puppet://rhel-vm-test-6a.ucc.vcu.edu/plugins: certificate verify failed
    err: Could not retrieve catalog from remote server: certificate verify failed
    warning: Not using cache on failed catalog
    err: Could not retrieve catalog; skipping run
    err: Could not send report: certificate verify failed

I read elsewhere that these issues could be due to the Puppet master being configured with Apache / Passenger, and that sometimes a restart of Apache on the master is needed to resolve the trouble. Despite issuing 'service httpd restart' on the Puppet master server, I'm still getting the above output.

Both the Puppet agent and Puppet master are ver. 2.6.18-3.el6 (from EPEL).

Any assistance is greatly needed and appreciated.
J. Adam Craig
2013-Oct-04 13:49 UTC
Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Additionally, I should add that the revoked certificate on the Puppet master was also cleaned with the following command:

    # puppet cert --clean el5-puptest-2.localdomain

And the issue persists as outlined above.
J. Adam Craig
2013-Oct-04 14:33 UTC
Re: [Puppet Users] Issue retrieving new certificate on host after original certificate was revoked
Problem solved! Solution was to add the following line to the "[main]" section of '/etc/puppet/puppet.conf' on the agent:

    [main]
    ...
    certificate_revocation = false
    ...

-- Adam
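An added example, not part of the original thread or of Puppet itself: `certificate_revocation = false` stops the agent from using the CA's CRL, so these two helpers check whether a given certificate serial is actually listed in a CRL and find puppet.conf sections where revocation checking has been switched off. The function names and the file paths in the comments are assumptions; the CRL text is expected in the form printed by `openssl crl -noout -text`.

```shell
# Added example (not from the thread). Function names are hypothetical.

# serial_in_crl SERIAL
# Reads the text form of a CRL on stdin and succeeds if SERIAL is listed as
# revoked. SERIAL may be given as printed by `openssl x509 -noout -serial`
# ("serial=0B"); case, colons and leading zeros are ignored.
# Assumed usage on an agent (paths are assumptions based on the ssldir above):
#   openssl crl -in /var/lib/puppet/ssl/crl.pem -noout -text |
#       serial_in_crl "$(openssl x509 -in cert.pem -noout -serial)"
serial_in_crl() {
    awk -v want="$1" '
        function norm(s) {
            sub(/^[^=]*=/, "", s)        # drop a "serial=" prefix
            gsub(/[: \t]/, "", s)        # drop separators
            s = toupper(s)
            sub(/^0+/, "", s)            # drop leading zeros
            return (s == "" ? "0" : s)
        }
        BEGIN { want = norm(want) }
        /^Revoked Certificates:/ { in_list = 1; next }
        in_list && /Serial Number:/ { if (norm($NF) == want) found = 1 }
        END { exit(found ? 0 : 1) }
    '
}

# revocation_disabled FILE
# Prints "section<TAB>value" for each puppet.conf section that sets
# certificate_revocation to false; succeeds only if at least one is found.
revocation_disabled() {
    awk '
        /^[ \t]*#/ { next }              # skip commented-out settings
        /^[ \t]*\[/ {                    # section header such as [main]
            sec = $0
            sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec)
            next
        }
        /^[ \t]*certificate_revocation[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (tolower(val) == "false") { print sec "\t" val; hit = 1 }
        }
        END { exit(hit ? 0 : 1) }
    ' "$1"
}
```

A serial that is not on the CRL points the "certificate verify failed" investigation away from revocation itself and toward the CRL or certificate chain the agent has cached.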