I need to regenerate my security certificates between my master and agents. Approaching it from one agent at a time, I ran `puppet cert clean "puppetagent"` on the master.
Then, on the agent, I removed the ssl directory with `rm -rf /etc/puppetlabs/puppet/ssl`
Next, I ran `puppet agent -t` and got the following, expected, output:
```
Info: Creating a new SSL key for puppetagent
Info: Caching certificate for ca
Info: csr_attributes file loading from /etc/puppetlabs/puppet/csr_attributes.yaml
Info: Creating a new SSL certificate request for puppetagent
Info: Certificate Request fingerprint (SHA256): [CERTIFICATE FINGERPRINT]
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled
```
Back on the master, I ran `puppet cert list --all` and got again what I expected:
```
"puppetagent" (SHA256) [SAME CERTIFICATE FINGERPRINT]
```
So I signed the cert with `puppet cert sign "puppetagent"`
```
Notice: Signed certificate request for puppetagent
Notice: Removing file Puppet::SSL::CertificateRequest puppetagent at '/etc/puppetlabs/puppet/ssl/ca/requests/puppetagent.pem'
```
This should be all there is to it, but when I try to run the agent on the agent again, I get this:
```
Info: Caching certificate for puppetagent
Info: Caching certificate_revocation_list for ca
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [certificate revoked for /CN=puppetmaster]
Exiting; failed to retrieve certificate and waitforcert is disabled
```
(Where "puppetmaster" is the hostname of my puppetmaster, naturally.)
What step am I missing to completely regenerate the certificates?