Hi,

Auto sign is not configured.

1. installed puppet agent on a windows box.
2. accepted the certificate
3. uninstalled puppet agent from the windows box.
4. puppet cert clean "wintest"
5. puppet node clean "wintest"
6. puppet node deactivate "wintest"

7. install puppet agent on windows box (did no modification to windows box except reboot)
8. puppet agent --test (on wintest)

Puppet master accepts the connections without asking for certs, Puppetdb
accepts the facts and reports for this node without hesitation.

==
2013-12-04 13:01:17,274 INFO [command-proc-51] [puppetdb.command] [393a2937-5df1-4972-87ca-6f5f59170911] [deactivate node] wintest
2013-12-04 13:02:16,410 INFO [command-proc-52] [puppetdb.command] [beb89340-2ef5-473b-9e2e-cd9defada826] [replace facts] wintest
2013-12-04 13:02:16,770 INFO [command-proc-51] [puppetdb.command] [7b45f94d-367a-4ccc-959c-6a3e086f0911] [replace catalog] wintest
2013-12-04 13:02:17,340 INFO [command-proc-52] [puppetdb.command] [31a82ba2-7ede-4252-90d2-6a45984c257b] [store report] puppet v3.3.2 - wintest
==

This is so weird, how is this happening?

Did someone face this issue? Can someone help me understand this behavior?

How do I make sure that once a node is deactivated/cleaned from the puppet master and its certs
removed, the next puppet run asks for a cert request?

-Kaustubh

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-users+unsubscribe@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/f4581fb6-3ae4-44b1-b2e2-6bb38606825c%40googlegroups.com.
For more options, visit https://groups.google.com/groups/opt_out.


  • Kaustubh chaudhari at Dec 4, 2013 at 6:50 pm
    Ok,

    I understood my doubts partially!

    When we uninstall puppet agent from a windows box, it will not delete the APP
    Data folder for puppet, which contains the certificates. To generate a new
    certificate request you need to uninstall puppet agent and delete this
    directory.

    Further, I understood that puppetdb will deactivate the nodes but it will
    not delete/purge them; to purge we need to set "node-purge-ttl" in the puppetdb
    config.

    What I was not able to understand is: if I have removed the agent
    certificates from the puppet master with "puppet cert clean wintest", why is the
    request getting accepted by the master?

    Can someone please help me to understand this!

    -Kaustubh
  • Felix Frank at Dec 6, 2013 at 10:48 am
    Hi,

    removing the cert data is one thing, but to make sure the old certificate
    cannot be used again, it must be effectively revoked.

    The (current) documentation states that puppet cert clean does in fact
    revoke the certificate, so you should not be seeing this issue.

    Which version of puppet is this?

    Regards,
    Felix
  • Kaustubh chaudhari at Dec 6, 2013 at 12:44 pm
    Hi,

    Thanks for the reply Felix!

    I am on 3.3.2!

    Once I remove the cert with puppet agent clean, I don't see its certificate
    in the puppet cert list --all

    However, the agent can still run the catalog! This is what worries me!!

    -Kaustubh
  • Felix Frank at Dec 6, 2013 at 1:06 pm
    That's normal behavior, because the client still retains the cert and
    it's still signed with your puppet CA and therefore trusted.

    You may want to scrutinize the CRL file, perhaps it's not used properly.
    Also try and find out if puppet cert revoke works better than puppet cert
    clean wrt. the CRL.

    HTH,
    Felix
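
The behaviour discussed in this thread, reproduced with plain OpenSSL as an added example (not code from either poster or from Puppet): a certificate signed by the CA keeps verifying until the verifier is handed a CRL that lists its serial. The throwaway CA, the file names and the helper functions are constructed for the demo; only the hostname "wintest" comes from the thread.

```bash
# Added example: constructed demo CA, nothing here touches a real Puppet master.
# Helper names (make_demo_pki, in_crl, trusted) are hypothetical.
set -e
make_demo_pki() {  # $1 = empty dir; builds CA, "wintest" cert, CRL before/after revoke
  d=$1; mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.pem
private_key = $d/ca.key
default_md = sha256
default_days = 30
default_crl_days = 30
policy = pol
[ pol ]
commonName = supplied
EOF
  q() { openssl "$@" >/dev/null 2>&1; }
  q req -x509 -config "$d/ca.cnf" -newkey rsa:2048 -nodes -days 30 -subj "/CN=Demo CA" -keyout "$d/ca.key" -out "$d/ca.pem"
  q req -new -config "$d/ca.cnf" -newkey rsa:2048 -nodes -subj "/CN=wintest" -keyout "$d/wintest.key" -out "$d/wintest.csr"
  q ca -batch -config "$d/ca.cnf" -in "$d/wintest.csr" -out "$d/wintest.pem"
  q ca -config "$d/ca.cnf" -gencrl -out "$d/crl_before.pem"
  q ca -config "$d/ca.cnf" -revoke "$d/wintest.pem"
  q ca -config "$d/ca.cnf" -gencrl -out "$d/crl_after.pem"
}
# in_crl <cert> <crl>: succeeds if the certificate's serial is listed in the CRL
in_crl() {
  s=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $s\$"
}
# trusted <ca> <cert> [crl]: chain verification; revocation is checked only if a CRL is given
trusted() {
  openssl verify -CAfile "$1" ${3:+-crl_check -CRLfile "$3"} "$2" 2>/dev/null | grep -q ': OK$'
}

demo=$(mktemp -d); make_demo_pki "$demo"
for crl in "" "$demo/crl_before.pem" "$demo/crl_after.pem"; do
  if trusted "$demo/ca.pem" "$demo/wintest.pem" $crl; then r=accepted; else r=rejected; fi
  echo "CRL=${crl:-none}: wintest $r"
done
```

On a real master, `in_crl` can be pointed at the agent's retained certificate and at the CRL file the master's web server actually loads, to confirm whether the clean step recorded a revocation.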

Discussion Overview
group: puppet-users
categories: puppet
posted: Dec 4, '13 at 6:28p
active: Dec 6, '13 at 1:06p
posts: 5
users: 2
website: puppetlabs.com