Hi Nan,

Thanks for that info! We have been rebuilding a set of servers frequently as part of our testing and using the clean/revoke function.

I can see that inventory.txt does in fact mention sitvhmnp161105 twice.

[root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/lib/puppet/ssl/ca/inventory.txt
0x00b6 2011-07-20T17:48:59GMT 2016-07-18T17:48:59GMT /CN=sitvhmnp161105.mambodev.local
0x029d 2011-07-27T04:23:30GMT 2016-07-25T04:23:30GMT /CN=sitvhmnp161105.mambodev.local

However sitvhmnp161105 does not show like my other hosts in /var/lib/puppet/ssl/ca/signed/

[root@sitvhmnp004201 ~]# ls /var/lib/puppet/ssl/ca/signed/sitvhmnp16110*
/var/lib/puppet/ssl/ca/signed/sitvhmnp161101.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161102.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161103.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161104.mambodev.local.pem
/var/lib/puppet/ssl/ca/signed/sitvhmnp161106.mambodev.local.pem

Does this mean my inventory is out of sync with my certificates? What would be the best way to clean this up?

Cheers,
Josh

On Jul 29, 7:40 pm, Nan Liu <n...@puppetlabs.com> wrote:
> On Fri, Jul 29, 2011 at 2:38 AM, Josh <joshua.m.robe...@gmail.com> wrote:
> > Just wondering if anyone had any similar issues OR ideas on troubleshooting the following problem.
> >
> > I have a client/node registered to the puppet master and it is working without any issues. On the server I can see it compile the catalog in the logs. However when I run 'puppet cert --list --all' it is not in the list. Note we use auto signing (/etc/puppet/autosign.conf).
> >
> > # Client Working
> > [root@sitvhmnp161105 ~]# puppet agent --test
> > info: Retrieving plugin
> > info: Loading facts in systeminfo
> > info: Loading facts in systeminfo
> > info: Caching catalog for sitvhmnp161105.mambodev.local
> > info: Applying configuration version '1311904488'
> > notice: Finished catalog run in 1.31 seconds
> > [root@sitvhmnp161105 ~]#
> >
> > # Server Logs
> > [root@sitvhmnp004201 ~]# grep sitvhmnp161105 /var/log/messages | tail -2
> > Jul 29 16:25:28 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.11 seconds
> > Jul 29 16:34:47 sitvhmnp004201 puppet-master[25611]: Compiled catalog for sitvhmnp161105.mambodev.local in environment production in 0.10 seconds
> >
> > # Certificate List
> > [root@sitvhmnp004201 ~]# puppet cert list --all | grep -i sitvhmnp161105
> > [root@sitvhmnp004201 ~]#
> >
> > I can see all my other hosts showing when using the puppet cert --list command.
>
> It is possible to have a working cert that doesn't appear in puppet cert -la. A few possibilities:
> Revoked and cleaned, but certificate CRL not honored.
> Signed by another puppet master with the same CA.
> Signed by the system, but the cert files were removed.
> Since you are running puppet cert, I don't think it's an issue with puppetca clean not revoking cert (old bug).
>
> Check your puppet master ssl directory and review your inventory.txt and compare it against the certificate serial number of sitvhmnp161105. If it's indeed signed by this puppet master CA, you should have something matching:
>
> 0x0008 2011-07-12T22:20:37GMT 2016-07-10T22:20:37GMT /CN=sitvhmnp161105
>
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 8 (0x8)
>         ...
>         Subject: CN=sitvhmnp161105
>
> Thanks,
>
> Nan
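
Added example, not part of the original thread or Puppet's own tooling: it compares inventory.txt with the signed/ directory and reports certnames that were issued but have no signed file, certnames issued more than once, and signed files with no inventory record. The function names and the sample data are constructed for illustration, and the inventory line layout (serial, not-before, not-after, /CN=certname) is assumed from the output quoted in the thread.

```python
import re
import tempfile
from collections import defaultdict
from pathlib import Path

# Inventory line layout as quoted in the thread: serial, not-before, not-after, subject.
INVENTORY_LINE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\S+)\s+/\s*CN=(\S+)$")


def parse_inventory(text):
    """Map each certname to the serials issued for it, in file order."""
    issued = defaultdict(list)
    for line in text.splitlines():
        m = INVENTORY_LINE.match(line.strip())
        if m:  # lines that do not fit the assumed layout are skipped
            issued[m.group(4)].append(int(m.group(1), 16))
    return dict(issued)


def audit_ca(inventory_text, signed_dir):
    """Compare inventory entries with the <certname>.pem files in signed/."""
    issued = parse_inventory(inventory_text)
    on_disk = {p.stem for p in Path(signed_dir).glob("*.pem")}
    return {
        # Issued at some point, but no signed cert file remains on the master.
        "issued_but_missing": sorted(set(issued) - on_disk),
        # Issued more than once (e.g. rebuilds); earlier serials are the ones
        # to look for in the CRL.
        "reissued": {n: s for n, s in issued.items() if len(s) > 1},
        # Signed file present with no inventory record.
        "untracked": sorted(on_disk - set(issued)),
    }


# Constructed sample: the 161105 lines mirror the thread, the 161104 line is made up.
SAMPLE_INVENTORY = """\
0x00b5 2011-07-20T17:40:12GMT 2016-07-18T17:40:12GMT /CN=sitvhmnp161104.mambodev.local
0x00b6 2011-07-20T17:48:59GMT 2016-07-18T17:48:59GMT /CN=sitvhmnp161105.mambodev.local
0x029d 2011-07-27T04:23:30GMT 2016-07-25T04:23:30GMT /CN=sitvhmnp161105.mambodev.local
"""


def demo():
    """Run the audit against a temporary signed/ directory holding one cert file."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "sitvhmnp161104.mambodev.local.pem").touch()
        return audit_ca(SAMPLE_INVENTORY, d)


if __name__ == "__main__":
    print(demo())
```

On a real master, pass the contents of /var/lib/puppet/ssl/ca/inventory.txt and the path /var/lib/puppet/ssl/ca/signed to audit_ca.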