How to reject certificate request on Puppet Master?

I have some requests from agents that had bad hostnames. I've corrected this, but still have the outstanding requests with the bad hostnames.

I tried:

$puppet cert list
  "wrong.host.name" (SHA256) 8E:...:51

$ puppet cert revoke wrong.host.name
Error: Could not find a serial number for wrong.host.name

$ puppet cert clean wrong.host.name
Error: Could not find a serial number for wrong.host.name

What's the proper way to get rid of them?

Louis

Posted 2014-07-17T17:14:25.697

Reputation: 18 859

Answers

Using ca works better, and can remove a certificate in a single step unlike cert. Importantly, it doesn't make you temporarily sign an invalid certificate.

$ puppet ca destroy wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'
Deleted for wrong.host.name: Puppet::SSL::CertificateRequest

The puppet ca command has recently been deprecated so at some point it may go away, but there's no equivalent command. There is a bug filed, which you could vote for if you think it's a bit silly to remove this command with no replacement.

Nick

This is the right answer. All of the instructions given by the accepted answer either do not work or require you to sign certificates you know to be bad. – tedivm – 2015-04-08T21:01:50.257

What @tedivm said. Therefore: +1. – gf_ – 2016-07-19T09:51:11.630

This works, but it got marked as deprecated. Anyone know what the new method is? – Swiss – 2017-04-11T22:41:45.827

@Swiss do you have a link to some docs showing it's deprecated? – Nick – 2017-04-16T16:23:18.730

@Nick When running it:

    (at /opt/puppetlabs/puppet/lib/ruby/vendor_ruby/puppet/application/face_base.rb:249:in `main')

– Swiss – 2017-04-17T20:38:06.880

@Swiss Ah yes - can see they did this code change in January - https://github.com/puppetlabs/puppet/commit/3692abf65707b8b305f2817527511b9521313fdc - Not clear what replaces ca destroy though! – Nick – 2017-04-18T13:36:01.197

puppet cert clean now works to remove requests. See the linked bug report. – 7yl4r – 2018-09-11T17:09:39.433

Possible Solution 1:

Using puppet cert clean on the puppet master is the proper way. However, since you're getting errors, you may have a bad inventory of certificates.

Try doing a re-inventory then a clean:

$ puppet cert reinventory
$ puppet cert clean --all

Note: my example uses the --all flag; this will clear out all certificates, signed and unsigned. Also, be aware that the Puppet master should be stopped before running a reinventory.

Source: http://docs.puppetlabs.com/references/3.6.2/man/cert.html

Possible Solution 2:

$ puppet cert sign wrong.host.name
Notice: Signed certificate request for wrong.host.name
Notice: Removing file Puppet::SSL::CertificateRequest wrong.host.name at '/var/lib/puppet/ssl/ca/requests/wrong.host.name.pem'

$ puppet cert clean wrong.host.name
Notice: Revoked certificate with serial 87
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/ca/signed/wrong.host.name.pem'
Notice: Removing file Puppet::SSL::Certificate wrong.host.name at '/var/lib/puppet/ssl/certs/wrong.host.name.pem'

Possible Solution 3:

First: On Server

$ puppet cert --revoke wrong.host.name
$ puppet cert --clean wrong.host.name

Second: On Client

$ rm -rf /usr/lib/puppet/ssl
$ puppet agent --server [puppetmaster domain name] --waitforcert 60

Third: On Server (adjust as necessary)

$ puppet cert --list (you should see your host)
$ puppet cert --sign wrong.host.name

Also, double check that your client can reach your [puppetmaster domain name].

Source: https://serverfault.com/questions/574976/puppet-trying-to-configure-puppet-client-for-first-use-but-got-some-problems-wi

tbenz9

Thanks, I tried reinventory and then clean wrong.host.name because I don't want to revoke the good certs too, but I still get the serial number error. – Louis – 2014-07-17T17:40:06.373

Good catch on the --all. I just added an update that is worth a shot. – tbenz9 – 2014-07-17T17:46:45.597

Great, after doing puppet cert sign wrong.host.name using clean works. Seems wrong that I have to sign it first though. – Louis – 2014-07-17T17:48:19.963

Also don't forget to restart the puppet master service after cleaning any certificates. – Robert Fey – 2015-04-02T19:25:19.660

FYI, the other answer is much better than this one. If you follow OPs advice you're going to run commands that don't work (such as the clean command) or you're going to sign certificates that you know are bad. If you follow the advice below and simply use puppet ca destroy wrong.host.name you don't have to introduce security risks to your infrastructure. – tedivm – 2015-04-08T21:03:10.603

@RobertFey: Why would you restart the puppet master service after cleaning up? I don't see any need. – Napster_X – 2016-12-18T07:21:19.610

@GeekRide I remember having to do that for it to pick up all changes. It is possible that it is not needed anymore. – Robert Fey – 2016-12-18T08:59:46.173

Here is how I did it:

[root@puppetmc ca]# puppet cert clean sparrow.home
Error: Could not find a serial number for sparrow.home
[root@puppetmc ca]# cat inventory.txt
0x0002 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=puppetmc.home
0x0003 2015-05-17T23:25:33GMT 2020-05-16T23:25:33GMT /CN=sparrow.rospop.com
0x0004 2015-05-18T00:53:18GMT 2020-05-17T00:53:18GMT /CN=puppetmc.home
0x0005 2015-05-18T02:18:12GMT 2020-05-17T02:18:12GMT /CN=sparrow.rospop.com
[root@puppetmc ca]# vi  inventory.txt 

added the line below to inventory.txt:

0x0001 2015-05-17T06:33:29GMT 2020-05-16T06:33:29GMT /CN=sparrow.home

then run

[root@puppetmc ca]# puppet cert clean sparrow.home
Notice: Revoked certificate with serial 1
Notice: Removing file Puppet::SSL::CertificateRequest sparrow.home at '/var/lib/puppet/ssl/ca/requests/sparrow.home.pem'

Vince Bhebhe

lowlysquib

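The thread shows two things side by side: puppet ca destroy removes an unsigned request by deleting the file under ca/requests, while puppet cert clean and puppet cert revoke fail on a pending request because they look the certname up in ca/inventory.txt, which only has a serial for certificates that were actually signed (which is also why adding a fake inventory line, or signing first, makes clean "work"). The script below is an added example, not code from the thread or from Puppet: it reports what the CA has on disk for a certname, and rejects a pending CSR the way ca destroy did, without signing it, after checking that the CSR's subject CN really is the name you are about to reject. It assumes the Puppet 3.x ssldir layout shown in the thread (ca/requests, ca/signed, ca/inventory.txt); the function names ca_state and ca_reject_request and the sample certnames are this example's own.

```shell
#!/bin/sh
# Added example; not from the original thread and not part of Puppet.
# Assumed CA layout (as seen in the thread's output):
#   $SSLDIR/ca/requests/<certname>.pem   pending (unsigned) CSRs
#   $SSLDIR/ca/signed/<certname>.pem     signed certificates
#   $SSLDIR/ca/inventory.txt             "serial notBefore notAfter /CN=name", one line per signed cert
# Function names ca_state and ca_reject_request are this example's own.

# Print what the CA knows about a certname:
#   pending  - CSR on disk, no signed cert, no inventory serial (cert clean/revoke will fail here)
#   signed   - signed cert on disk with an inventory serial (use "puppet cert clean")
#   orphaned - signed cert on disk but no inventory entry (what "puppet cert reinventory" repairs)
#   unknown  - nothing on disk for that name
ca_state() {
    ssldir=$1; name=$2
    req="$ssldir/ca/requests/$name.pem"
    crt="$ssldir/ca/signed/$name.pem"
    inv="$ssldir/ca/inventory.txt"
    # Inventory lines end in " /CN=<name>"; anchor on the whole subject field.
    has_serial=0
    [ -f "$inv" ] && grep -q -- " /CN=$name\$" "$inv" && has_serial=1
    if [ -f "$crt" ]; then
        [ "$has_serial" -eq 1 ] && echo signed || echo orphaned
    elif [ -f "$req" ]; then
        echo pending
    else
        echo unknown
    fi
}

# Reject a pending CSR without ever signing it: delete the request file, which is
# what "puppet ca destroy" did for an unsigned request. Refuses when the name is
# anything other than pending (a signed cert needs revocation via "puppet cert clean")
# and when the CSR's subject CN does not match the file name it was stored under.
ca_reject_request() {
    ssldir=$1; name=$2
    req="$ssldir/ca/requests/$name.pem"
    state=$(ca_state "$ssldir" "$name")
    case $state in
        pending) ;;
        *) echo "refusing: $name is $state, not a pending request" >&2; return 1 ;;
    esac
    # Works with both "subject=/CN=x" (OpenSSL 1.0) and "subject=CN = x" (1.1+) output.
    cn=$(openssl req -in "$req" -noout -subject 2>/dev/null | sed -n 's/.*CN *= *\([^,/]*\).*/\1/p')
    if [ "$cn" != "$name" ]; then
        echo "refusing: CSR subject CN '$cn' does not match '$name'" >&2
        return 1
    fi
    # Same fingerprint "puppet cert list" prints: SHA256 over the DER-encoded CSR.
    fp=$(openssl req -in "$req" -outform DER 2>/dev/null | openssl dgst -sha256 -c | sed 's/.*= *//' | tr a-f A-F)
    rm -f "$req"
    echo "rejected $name (SHA256) $fp"
}

# Usage (source the file, then):
#   ca_state /var/lib/puppet/ssl wrong.host.name
#   ca_reject_request /var/lib/puppet/ssl wrong.host.name
```

Compare the fingerprint the script prints against the one puppet cert list showed before deleting anything; if they differ, the request file was replaced since you listed it and deserves a second look rather than a silent rm.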