Hi,

I've got some certificate requests on my puppet master that I wish to
remove. It looks like the "puppet cert" tool doesn't have an option for
doing that? What's the best approach, just manually remove them from the
puppet/ssl/ca/requests directory?

Tim.

--
Tim Bishop
http://www.bishnet.net/tim/
PGP Key: 0x5AE7D984

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.


  • Ellison Marks at Dec 14, 2012 at 6:33 pm
    Does puppet cert clean not do it?
  • Tim Bishop at Dec 14, 2012 at 9:15 pm
    Nope:

    puppetmaster# puppet cert list
       "fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28

    puppetmaster# puppet cert clean fb311ff01c6f0130b650005056bc6664
    Error: Could not find a serial number for fb311ff01c6f0130b650005056bc6664

    Looks like it only cleans signed certificates, not requests.

    Tim.
  • Ellison Marks at Dec 15, 2012 at 12:53 am
    You might try puppet cert print to get more info about the thing, but out
    of curiosity, how did it get on your master in the first place?
  • Tim Bishop at Dec 15, 2012 at 12:17 pm
    I've been testing Razor and ended up with a bunch of requests from test
    machines that I didn't sign and didn't need any more.

    "puppet cert print" again fails because there's no certificate, only a
    request.

    Anyway, to answer my own question, I just needed to remove the requests
    from the puppet/ssl/ca/requests directory.

    Tim.
  • Calvin Walton at Dec 21, 2012 at 8:58 pm

    On Fri, 2012-12-14 at 21:14 +0000, Tim Bishop wrote:
    > Nope:
    >
    > puppetmaster# puppet cert list
    > "fb311ff01c6f0130b650005056bc6664" (SHA256) FB:E2:F1:86:5D:80:74:25:35:75:3D:09:8F:1E:41:0B:15:D2:66:01:F2:F1:B3:4E:6D:5B:F9:85:4B:BC:AC:28
    >
    > puppetmaster# puppet cert clean fb311ff01c6f0130b650005056bc6664
    > Error: Could not find a serial number for fb311ff01c6f0130b650005056bc6664
    >
    > Looks like it only cleans signed certificates, not requests.

    I think this is actually a bug, has any one reported it on the issue
    tracking system yet?

    'puppet cert clean' used to work to clean unsigned certificates in
    puppet 2.7, but no longer does in 3.0

    --
    Calvin Walton <calvin.walton@kepstin.ca>

  • Bass D'Phar at Aug 27, 2013 at 2:31 pm
    Hi.

    A workaround that does the job:
    puppetmaster# puppet cert sign fb311ff01c6f0130b650005056bc6664 ; puppet cert clean fb311ff01c6f0130b650005056bc6664

    --
    Jan Møller

  • Robert Buchholz at Mar 11, 2014 at 4:26 pm

    On Friday, December 21, 2012 9:59:49 PM UTC+1, Calvin Walton wrote:
    > I think this is actually a bug, has any one reported it on the issue
    > tracking system yet?
    >
    > 'puppet cert clean' used to work to clean unsigned certificates in
    > puppet 2.7, but no longer does in 3.0

    I could not find any issue yet, so I have created
    https://tickets.puppetlabs.com/browse/PUP-1916


    Cheers,

    Robert

  • Leon Springer at Apr 7, 2014 at 5:41 pm
    I created a quick script to work around the issue until the bug is fixed.
    Replace the grep with the host(s) you want to target.
    -------
    #!/bin/bash

    # List pending requests, strip the quotes around each name, keep matching hosts
    for OUTPUT in $(puppet cert list | awk '{print $1}' | sed -e 's/^"//' -e 's/"$//' | grep -i hostname)
    do
              echo "Removing certificate requests for $OUTPUT"
              # Sign the request so that "puppet cert clean" finds a serial number, then clean it
              puppet cert sign "$OUTPUT" && sleep 5 && puppet cert clean "$OUTPUT"

    done
    ------

    Leon
  • Felix Frank at Apr 8, 2014 at 12:01 pm
    Hi,

    this approach to working around the issue is pretty horrible IMHO. I
    would recommend to go ahead and use Tim's approach of just removing the
    CSR files manually. That is both less error prone and more secure.

    Regards,
    Felix
  • Jcbollinger at Apr 9, 2014 at 1:53 pm

    On Tuesday, April 8, 2014 7:01:14 AM UTC-5, Felix.Frank wrote:
    > Hi,
    >
    > this approach to working around the issue is pretty horrible IMHO. I
    > would recommend to go ahead and use Tim's approach of just removing the
    > CSR files manually. That is both less error prone and more secure.

    Yes, and if there are enough of these to be tedious/inconvenient, or if you
    need to do the job often, then it ought to be reasonably simple to write a
    script to collect the certificate names via "puppet cert list" and convert
    them directly into 'rm' commands for the certificate request files. That
    could make it easier on you while still avoiding ever signing the cert
    requests.

    Something along these lines (untested!) might do the trick:

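    #!/bin/bash
    puppet cert list |
    while read -r line; do
       # Each line looks like: "name" (SHA256) AA:BB:...
       head=${line%\"*}     # drop everything from the closing quote onwards
       name=${head:1}       # drop the opening quote
       [ -n "$name" ] || continue
       rm -- /var/lib/puppet/ssl/ca/requests/"${name}".pem
    done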


    Or (also untested):
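    #!/bin/bash
    rm_request() {
       local dir=/var/lib/puppet/ssl/ca/requests
       # Append ".pem" to every name, then prefix each with the requests directory
       local pems=("${@/%/.pem}")
       rm -- "${pems[@]/#/$dir/}"
    }
    # Keep only the quoted certname from each line of the listing
    mapfile -t names < <(puppet cert list | sed -n 's/^[^"]*"\([^"]\+\)".*/\1/p')
    # xargs cannot call a shell function, so pass the names directly
    if (( ${#names[@]} )); then rm_request "${names[@]}"; fi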

    John
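
Added example (not part of any post in this thread): a dry-run-first way to delete pending CSR files directly, as Tim and Felix recommend, without ever signing them. The function name `prune_csrs`, its arguments and the name filter are assumptions; the requests directory is passed in as an argument because its location differs between installs.

```bash
#!/bin/bash
# Added example, not code from the thread. prune_csrs and its arguments are
# hypothetical names. It never signs anything; it only deletes request files.
# Usage: prune_csrs <requests_dir> <extended-regex> [--delete]
# Without --delete it is a dry run. Prints the number of matching requests.
prune_csrs() {
    local dir="$1" pattern="$2" mode="${3:-}"
    local file name count=0
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 2; }
    for file in "$dir"/*.pem; do
        # Regular files only; skip symlinks and an unmatched glob.
        [ -f "$file" ] && [ ! -L "$file" ] || continue
        name=${file##*/}
        name=${name%.pem}
        # The certname is supplied by the requesting agent: allow only a
        # conservative character set before using it anywhere.
        case $name in
            ''|*[!A-Za-z0-9._-]*) echo "skipping odd name: $name" >&2; continue ;;
        esac
        printf '%s\n' "$name" | grep -Eq -- "$pattern" || continue
        # Must be a PEM certificate request, not a signed cert or stray file.
        grep -q -- '-----BEGIN CERTIFICATE REQUEST-----' "$file" || continue
        if [ "$mode" = "--delete" ]; then
            rm -- "$file" || continue
            echo "removed $name" >&2
        else
            echo "would remove $name" >&2
        fi
        count=$((count + 1))
    done
    echo "$count"
}
```

Run it without `--delete` first and review the names; messages go to stderr and the count to stdout.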


Discussion Overview
group: puppet-users
categories: puppet
posted: Dec 14, '12 at 5:43p
active: Apr 9, '14 at 1:53p
posts: 11
users: 8
website: puppetlabs.com
