Re: [Puppet Users] Odd SSL issue - host not showing with puppet cert --list --all

Fri, 29 Jul 2011 02:40:56 -0700 

On Fri, Jul 29, 2011 at 2:38 AM, Josh <joshua.m.robe...@gmail.com> wrote:
> Just wondering if anyone had any similar issues OR idea's on
> troubleshooting the following problem.
>
> I have a client/node registered to the puppet master and it is working
> without any issues. On the server I can see it compile the catalog in
> the logs. However when I run 'puppet cert --list --all' it is not in
> the list. Note we use auto signing (/etc/puppet/autosign.conf).
>
> # Client Working
> [root@sitvhmnp161105 ~]# puppet agent --test
> info: Retrieving plugin
> info: Loading facts in systeminfo
> info: Loading facts in systeminfo
> info: Caching catalog for sitvhmnp161105.mambodev.local
> info: Applying configuration version '1311904488'
> notice: Finished catalog run in 1.31 seconds
> [root@sitvhmnp161105 ~]#
>
> # Server Logs
> [root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/log/messages | tail
> -2
> Jul 29 16:25:28 sitvhmnp004201 puppet-master[25611]: Compiled catalog
> for sitvhmnp161105.mambodev.local in environment production in 0.11
> seconds
> Jul 29 16:34:47 sitvhmnp004201 puppet-master[25611]: Compiled catalog
> for sitvhmnp161105.mambodev.local in environment production in 0.10
> seconds
>
> # Certificate List
> [root@sitvhmnp004201 ~]# puppet cert list --all | grep -i
> sitvhmnp161105
> [root@sitvhmnp004201 ~]#
>
> I can see all my other hosts showing when using the puppet cert --list
> command.

It is possible to have a working cert that doesn't appear in puppet
cert -la. A few possibilities:
Revoked and cleaned, but certificate CRL not honored.
Signed by another puppet master with the same CA.
Signed by the system, but the cert files were removed.
Since you are running puppet cert, I don't think it's an issue with
puppetca clean not revoking cert (old bug).

Check your puppet master ssl directory and review your inventory.txt
and compare it against the certificate serial number of
sitvhmnp161105. If it's indeed signed by this puppet master CA, you
should have something matching:

0x0008 2011-07-12T22:20:37GMT 2016-07-10T22:20:37GMT /CN=sitvhmnp161105

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 8 (0x8)
...
        Subject: CN=sitvhmnp161105

Thanks,

Nan

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.

Reply via email to