On Oct 1, 2010, at 2:50 AM, Daniel Maher wrote:

> On 09/30/2010 05:49 PM, Nan Liu wrote:
>> On Thu, Sep 30, 2010 at 6:20 AM, Daniel Maher<d...@witbe.net>  wrote:
>>> I removed /var/lib/puppet/ssl/certs/<puppetmaster_fqdn>.pem , then ran
>>> puppetd with --waitforcert <puppetmaster_fqdn>.  Unfortunately, when I run a
>>> puppetca --list --all , <puppetmaster_fqdn> is not listed, even though there
>>> is very clearly a request pem in /var/lib/puppet/ssl/certificate_requests .
>> 
>> So first back up your ssl dir, then try the following command:
>> 
>> puppetca --clean <puppetmaster_fqdn>
>> puppetca --generate <puppetmaster_fqdn> --certdnsname="puppet;puppetmaster"
>> 
>> In certdnsname, provide a list of DNS cname to puppet master, and
>> include puppet for convenience.
>> 
> 
> Thank you for the advice; unfortunately, as I had already revoked the 
> certificate, cleaning and re-issuing was not a possibility.  I ended up 
> biting the bullet and just wiping out and re-initialising the certificates 
> across the board.  Thank god for clusterssh.

You can re-issue a certificate with the same name as a revoked certificate 
without any issues.  You should never, ever have to wipe out certificates 
across the board.  If you do this, there's a solution to the problem you've 
likely overlooked.

> The moral of the story here, I suppose, is that /var/lib/puppet/ssl/ should 
> be backed up and set aside for every client (including the puppetmaster), and 
> that if certificates need to be re-issued from the ground-up, it's going to 
> be trouble.  This, I suppose, is why some people opt to move to an external 
> certificate provider within their organisation - it's really not a bad idea.

Again, you don't need to back up /var/lib/puppet/ssl on the clients, and in fact 
it's "best practice" from an SSL key management point of view not to do so 
because it fundamentally means copying the private keys somewhere else.

Consider host "jeff".  If I do puppetca --revoke jeff on the puppet ca, then 
ensure $cadir/certs/jeff.pem is not present on the ca, then wipe out $ssldir on 
the node "jeff" only (its certificate is revoked and invalid), you'll be able 
to go through the certificate signing process just as if "jeff" were a brand 
new node unknown to puppet.

> Finally, is "--certdnsname" documented anywhere?  In 0.25.5, at least, 
> puppetca --help doesn't mention it, and neither does the manpage.  On the 
> puppet website, a search for "certdnsname" only leads to a reference in 
> Release_Notes.  If you already know to search for it, Google will give you 
> some hits from the mailing list, and some blogs, but you have to know to look 
> for it in the first place. :P

certdnsnames (Note the plural form) is documented in the Configuration 
Reference at:

http://docs.puppetlabs.com/references/stable/configuration.html#certdnsnames

Hope this helps,
-Jeff
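As an added illustration of Jeff's point (not code from this thread or from Puppet itself): revocation is recorded in the CRL by certificate serial number, not by subject name, so a fresh certificate issued to the same CN "jeff" with a new key and serial is not affected by the old entry. The CA below is a throwaway one built in memory with Ruby's OpenSSL bindings, standing in for the Puppet CA.

```ruby
require 'openssl'

# Throwaway in-memory CA (constructed for this example, not a real Puppet CA).
CA_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT = OpenSSL::X509::Certificate.new.tap do |c|
  c.version = 2
  c.serial = 1
  c.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: example')
  c.issuer = c.subject
  c.public_key = CA_KEY.public_key
  c.not_before = Time.now
  c.not_after = Time.now + 3600
  c.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end

# Issue a node certificate for `cn` with the given serial, signed by the CA.
# Each issuance uses a brand-new private key, as a re-initialised $ssldir would.
def issue(cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = CA_CERT.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
  cert
end

# Revoke a certificate: the CRL entry carries only the serial number.
def revoke(crl, cert)
  r = OpenSSL::X509::Revoked.new
  r.serial = cert.serial
  r.time = Time.now
  crl.add_revoked(r)
  crl.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end

# A certificate is revoked if its serial appears in the CRL.
def revoked?(crl, cert)
  crl.revoked.any? { |r| r.serial == cert.serial }
end

# Revoke the old "jeff" cert, then re-issue "jeff" with a new key and serial.
def reissue_demo
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = CA_CERT.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  old = issue('jeff', 2)
  revoke(crl, old)
  fresh = issue('jeff', 3)
  { old_revoked: revoked?(crl, old), fresh_revoked: revoked?(crl, fresh),
    same_name: old.subject.to_s == fresh.subject.to_s }
end
```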
