Tuesday, January 10, 2012

Force puppet agent to regenerate certificate request

If a puppet agent's certificate is accidentally revoked or deleted, you can force the agent to regenerate its certificate request.

In general, it is impossible to un-revoke a certificate unless the revocation reason is certificateHold, but Puppet can hack around it: the CRL is just a file. The solution is to recover all revoked certificates by removing the CRL, then re-revoke the certificates which should stay revoked.
$ rm /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
$ rm /etc/puppetlabs/puppet/ssl/crl.pem
# At this point, all revoked certificates become valid certificates again.
# So you need to re-revoke every certificate which should stay revoked
$ puppet cert --revoke foo
The following method of regenerating a new certificate seems to be better.


The following is tested in Puppet Enterprise 2, but it should work for puppet open source as well.
$ puppet --version
2.7.6 (Puppet Enterprise 2.0.0)
Force the agent to regenerate a certificate request with the generate command:
[puppet agent]$ puppet certificate generate web1 --ca-location remote
warning: peer certificate won't be verified in this SSL session
err: Error 400 on SERVER: web1 already has a revoked certificate; ignoring certificate request
err: Try 'puppet help certificate generate' for usage
# This is because the revoked certificate still exists on the master; it needs to be deleted
[puppet master]$ puppet cert list --all
- web1                                     (BA:18:D1:86:D6:5E:9E:99:55:39:3D:67:79:BF:BD:D0) (certificate revoked)
[puppet master]$ puppet cert clean web1
# Re-run the command; the warning is expected because the request hasn't been signed by the master yet
[puppet agent]$ puppet certificate generate web1 --ca-location remote
warning: peer certificate won't be verified in this SSL session
true
# The pending request appears on the master
[puppet master]$ puppet cert list
web1 (3B:ED:D9:8D:2F:C2:A1:D3:89:B4:D0:FD:41:7E:5E:0C)
#Sign the certificate
[puppet master]# puppet cert sign web1
If the above doesn't work for you, the last resort is to clean the agent's SSL files:
[puppet agent]$ puppet --genconfig | grep certdir
certdir = /etc/puppetlabs/puppet/ssl/certs
$cd /etc/puppetlabs/puppet/ssl/
$ find . -type f -exec rm {} \;
$service pe-puppet restart
[puppet master]$ puppet cert list
web1 (3B:ED:D9:8D:2F:C2:A1:D3:89:B4:D0:FD:41:7E:5E:0C)
#Sign the certificate
[puppet master]# puppet cert sign web1
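As an added example (not part of the original post), a small POSIX shell helper that reads the master's `puppet cert list --all` output and reports which of the steps above applies to a given agent, so nothing is deleted before the state is known. The line format is assumed from the listings shown above; the sample output and fingerprints are constructed.

```shell
#!/bin/sh
# Classify one agent's certificate from `puppet cert list --all` output.
# Assumed 2.7-style format, as shown in the post:
#   "- web1 (FP) (certificate revoked)"  -> revoked
#   "+ web2 (FP)"                        -> signed and valid
#   "web3 (FP)"                          -> pending request
# Constructed sample output; fingerprints are made up.
SAMPLE='- web1 (BA:18:D1:86:D6:5E:9E:99:55:39:3D:67:79:BF:BD:D0) (certificate revoked)
+ web2 (11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF:00)
web3 (3B:ED:D9:8D:2F:C2:A1:D3:89:B4:D0:FD:41:7E:5E:0C)'

# cert_state NAME < list-output  -> prints revoked | signed | pending | missing
cert_state() {
    name=$1
    state=missing
    while IFS= read -r line; do
        # strip an optional leading "+"/"-" marker, the space after it,
        # and the quotes newer puppet versions put around the name
        rest=${line#[+-]}
        rest=${rest# }
        rest=${rest#\"}
        entry=${rest%% *}
        entry=${entry%\"}
        [ "$entry" = "$name" ] || continue
        case $line in
            *'(certificate revoked)'*) state=revoked ;;
            '+ '*)                     state=signed ;;
            *)                         state=pending ;;
        esac
        break
    done
    printf '%s\n' "$state"
}

# next_step NAME < list-output -> the recovery step the post prescribes for that state
next_step() {
    case $(cert_state "$1") in
        revoked) echo "run 'puppet cert clean $1' on the master, then regenerate the request on the agent" ;;
        pending) echo "run 'puppet cert sign $1' on the master" ;;
        signed)  echo "certificate is valid; nothing to do" ;;
        missing) echo "no request on the master; regenerate the request on the agent" ;;
    esac
}

# On a real master replace the sample with: puppet cert list --all | next_step web1
printf '%s\n' "$SAMPLE" | next_step web1
```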

14 comments:

  1. Awesome! and bookmarked!!

    Thanks!

    -wrecks

  2. We have about 20 revoked certs, which no one here would've revoked deliberately (most people don't even know, how). Does Puppet revoke agent-certificates automatically in certain circumstances?
