Yes, this is a known bug, and we do already have a ticket for it,
https://tickets.puppetlabs.com/browse/SERVER-2451. We are planning a round
of improvements and bug fixes for the `puppetserver ca` CLI, and this is
high on the list.

I'm glad you found a workaround. Since the CLI tool is shipped as a gem, if
you would like to continue using the new CLI once this has been fixed, you
can update just the gem out of band using

/opt/puppetlabs/puppet/bin/gem install -i /opt/puppetlabs/puppet/lib/ruby/vendor_gems puppetserver-ca



On Fri, May 24, 2019 at 7:41 AM Karsten Heymann <karsten.heym...@gmail.com>
wrote:

> Addition:
>
> 'puppet cert clean <someclient>' still works. So this looks very much like
> a regression introduced by the switch from puppet to puppetserver for
> certificate handling. @Puppetlabs people: Should I open a jira ticket for
> this?
>
> Best regards
> Karsten
>
> On Friday, May 24, 2019 at 14:29:31 UTC+2, Karsten Heymann wrote:
>>
>> Hi everyone,
>>
>> I have a question: Is the puppetserver expected to honor the srv
>> records to find the puppet ca server? We have the problem that since
>> switching our puppet server detection from explicit settings in the
>> puppet.conf file to srv records, we cannot remove certificates from
>> puppetserver any more and get the following error:
>>
>> root@<puppetmaster>:~# puppetserver ca clean --certname <some-client>
>> [... long delay ...]
>> Fatal error when running action 'clean'
>>   Error: Failed connecting to
>> https://puppet:8140/puppet-ca/v1/certificate_status/
>>   Root cause: execution expired
>>
>> We use a non-standard name for our puppet/puppetca host, and have that
>> correctly (I hope so) set up in the DNS:
>>
>> # dig +short -t SRV _x-puppet-ca._tcp.<our-domain>
>> 10 0 8140 <our puppet-ca-server>.
>>
>> The relevant puppet config looks like this:
>>
>> # grep -e ^\\[ -e srv -e ca /etc/puppetlabs/puppet/puppet.conf
>> [main]
>>     srv_domain = mip-platform.net
>>     use_srv_records = true
>>     vardir = /opt/puppetlabs/puppet/cache
>> [agent]
>>     localconfig = $vardir/localconfig
>>     usecacheonfailure = true
>> [master]
>>     ca = true
>>
>> We are using puppet/puppetserver 5:
>>
>> # puppetserver --version
>> puppetserver version: 5.3.8
>> root@puppet-b1-01:~# puppet --version
>> 5.5.14
>>
>> Any hints would be greatly appreciated!
>>
>> Best regards
>> Karsten
>>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to puppet-users+unsubscr...@googlegroups.com.
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/puppet-users/2ef8b5aa-7093-42ff-9999-c8c69bea9ad9%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.
>
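
An added diagnostic sketch, not part of the original thread and not Puppet's own code: it compares the endpoint named in the `puppetserver ca` error with the `_x-puppet-ca._tcp` SRV answer, so a failed `clean` can be attributed to the CLI ignoring SRV records rather than to DNS. The sample config, SRV answer, host names, and the helper names `main_settings`, `srv_target` and `diagnose` are constructed for illustration.

```ruby
# Constructed sample inputs; host and domain names are placeholders.
SAMPLE_CONF = <<~CONF
  [main]
      srv_domain = example.test
      use_srv_records = true
  [master]
      ca = true
CONF
SAMPLE_SRV = "10 0 8140 puppetca01.example.test.\n"
SAMPLE_ERROR = 'Error: Failed connecting to https://puppet:8140/puppet-ca/v1/certificate_status/'

# Read key = value pairs from the [main] section of puppet.conf text.
def main_settings(conf)
  section = nil
  conf.each_line.with_object({}) do |raw, out|
    line = raw.strip
    if (m = line.match(/\A\[(\w+)\]\z/))
      section = m[1]
    elsif section == 'main' && (m = line.match(/\A(\w+)\s*=\s*(.*)\z/))
      out[m[1]] = m[2]
    end
  end
end

# Parse `dig +short -t SRV` lines ("priority weight port target.").
# Simplification: lowest priority, then highest weight, instead of the
# weighted random choice RFC 2782 describes.
def srv_target(dig_output)
  recs = dig_output.lines.map(&:split).select { |f| f.size == 4 }
  return nil if recs.empty?
  _prio, _weight, port, host = recs.min_by { |prio, weight, _, _| [prio.to_i, -weight.to_i] }
  "#{host.chomp('.')}:#{port}"
end

# Compare the endpoint the CLI tried (from its error text) with the SRV answer.
def diagnose(conf, dig_output, error_text)
  return :srv_not_enabled unless main_settings(conf)['use_srv_records'] == 'true'
  expected = srv_target(dig_output)
  return :no_srv_record if expected.nil?
  tried = error_text[%r{https://([^/\s]+)/puppet-ca/}, 1]
  tried == expected ? :cli_used_srv_target : :cli_ignored_srv
end

puts diagnose(SAMPLE_CONF, SAMPLE_SRV, SAMPLE_ERROR)
```

A result of `:cli_ignored_srv` matches the symptom reported above: the revocation request goes to the default `puppet:8140` and times out, so the certificate stays valid on the CA.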
