On 09/30/2010 05:49 PM, Nan Liu wrote:
> On Thu, Sep 30, 2010 at 6:20 AM, Daniel Maher<d...@witbe.net> wrote:
>> I removed /var/lib/puppet/ssl/certs/<puppetmaster_fqdn>.pem , then ran
>> puppetd with --waitforcert <puppetmaster_fqdn>. Unfortunately, when I run a
>> puppetca --list --all , <puppetmaster_fqdn> is not listed, even though there
>> is very clearly a request pem in /var/lib/puppet/ssl/certificate_requests .
> So first backup your ssl dir, then try the following command:
> puppetca --clean <puppetmaster_fqdn>
> puppetca --generate <puppetmaster_fqdn> --certdnsname="puppet;puppetmaster"
> In certdnsname, provide a list of DNS cname to puppet master, and
> include puppet for convenience.
Thank you for the advice; unfortunately, as I had already revoked the
certificate, cleaning and re-issuing was not a possibility. I ended up
biting the bullet and just wiping out and re-initialising the
certificates across the board. Thank god for clusterssh.
The moral of the story here, I suppose, is that /var/lib/puppet/ssl/
should be backed up and set aside for every client (including the
puppetmaster), and that if certificates need to be re-issued from the
ground up, it's going to be trouble. This, I suppose, is why some
people opt to move to an external certificate provider within their
organisation - it's really not a bad idea.
Finally, is "--certdnsname" documented anywhere? In 0.25.5, at least,
puppetca --help doesn't mention it, and neither does the manpage. On
the puppet website, a search for "certdnsname" only leads to a reference
in Release_Notes. If you already know to search for it, Google will
give you some hits from the mailing list, and some blogs, but you have
to know to look for it in the first place. :P
Thanks again.
--
Daniel Maher <dma AT witbe DOT net>
"The Internet is completely over." -- Prince
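The "back it up first, then clean and regenerate" sequence from the thread, as an added shell example that is not part of the original messages. It assumes the 0.25-era puppetca flags quoted above (--clean, --generate, --certdnsname); the ssl directory, backup directory and the puppetca command (overridable via PUPPETCA for dry runs) are parameters.

```shell
#!/bin/sh
# Added example, not from the thread. Takes a verified backup of the Puppet
# SSL directory before running the destructive clean/generate sequence.
set -u

# backup_ssl_dir SSL_DIR BACKUP_DIR
# Prints the archive path; fails if the dir is missing or the archive
# cannot be written or read back.
backup_ssl_dir() {
    ssl_dir=$1
    backup_dir=$2
    [ -d "$ssl_dir" ] || { echo "no such ssl dir: $ssl_dir" >&2; return 1; }
    mkdir -p "$backup_dir" || return 1
    archive="$backup_dir/puppet-ssl-$(date +%Y%m%d%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$ssl_dir")" "$(basename "$ssl_dir")" || return 1
    # Read the archive back before anything destructive happens.
    tar -tzf "$archive" >/dev/null || return 1
    echo "$archive"
}

# reissue_master_cert SSL_DIR BACKUP_DIR FQDN DNSNAMES
# Only after a verified backup, clean the old cert/request for FQDN and
# generate a new one carrying the CNAMEs in DNSNAMES (e.g. "puppet;<fqdn>").
# PUPPETCA (default: puppetca) names the command to run; point it at a stub
# to rehearse the steps without touching the CA.
reissue_master_cert() {
    ssl_dir=$1
    backup_dir=$2
    fqdn=$3
    dnsnames=$4
    archive=$(backup_ssl_dir "$ssl_dir" "$backup_dir") || return 1
    echo "backup written to $archive"
    ${PUPPETCA:-puppetca} --clean "$fqdn" || return 1
    ${PUPPETCA:-puppetca} --generate "$fqdn" --certdnsname="$dnsnames" || return 1
}

# Usage: reissue_master_cert /var/lib/puppet/ssl /root/ssl-backups \
#            puppetmaster.example.test "puppet;puppetmaster.example.test"
```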