4.10.5. Puppet Certificate Issues

4.10.5.1. Puppet Client Certificate Issues

Most of the time, clients will have certificate issues due to the system clock not being properly set. Before taking any other measures, make sure that your system clock is correct on both the server and the clients!

If you need to fix client certificate issues that are not caused by the clock, first make sure that the Puppet Server does not already hold a certificate for that client.

# puppetserver ca list --all

If you do have a certificate in place, and need to register a client with the same name, remove that client’s certificate from the system.

# puppetserver ca clean --certname <fqdn.of.the.client>

Warning

If you delete the Puppet Server’s certificate, you will need to re-deploy Puppet certificates to all of your nodes!

4.10.5.1.1. Puppet Client Re-Registration

If, for some reason, you need to re-register your client with a new server, simply run the following on your client once the server is ready.

# rm -rf `puppet config print ssldir`
# puppet agent -t

After running the puppet agent, sign the new certificate request on the Puppet Server.

# puppetserver ca list
# puppetserver ca sign --certname <cert req name>

4.10.5.2. Puppet Server Certificate Issues

4.10.5.2.1. Partial CA Setup

If the puppetserver is interrupted during the initial setup, you may discover that the process appears to hang forever without ever listening on the expected TCP port.

If this happens, kill the process (give it at least 10 minutes first). You know that the CA has not been set up properly if you see something like the following in the puppetserver log:

Cannot initialize CA with partial state; need all files or none.
Found: /etc/puppetlabs/puppetserver/ca/serial
Missing: /etc/puppetlabs/puppetserver/ca/ca_crt.pem /etc/puppetlabs/puppetserver/ca/ca_key.pem /etc/puppetlabs/puppetserver/ca/ca_crl.pem /etc/puppetlabs/puppetserver/ca/inventory.txt

To remedy this issue, run the following commands:

# puppet resource file /etc/puppetlabs/puppetserver/ca ensure=absent force=true recurse=true
# puppetserver ca setup
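Before removing the CA directory it is worth confirming that it really is in the partial state the log describes, since the same remedy run against an intact CA destroys a working server. The following shell function is an added example and not part of the SIMP or Puppet documentation; it assumes the default CA directory path that appears in the log message above and checks for the same five files.

```shell
#!/bin/sh
# Added example: classify a puppetserver CA directory as "complete", "partial"
# or "none", mirroring the "need all files or none" rule from the log message.
# The file names are the ones listed in that message; the default directory is
# an assumption and can be overridden by passing another path.

CA_FILES="serial ca_crt.pem ca_key.pem ca_crl.pem inventory.txt"

# ca_state [DIR]
#   Prints "complete", "partial" or "none" on stdout.
#   Exit status: 0 = complete (CA intact, look elsewhere for the problem),
#                1 = partial  (puppetserver will refuse to start; remedy applies),
#                2 = none     (fresh setup, "puppetserver ca setup" alone suffices)
ca_state() {
  dir="${1:-/etc/puppetlabs/puppetserver/ca}"
  found=""
  missing=""
  for f in $CA_FILES; do
    if [ -f "$dir/$f" ]; then
      found="$found $dir/$f"
    else
      missing="$missing $dir/$f"
    fi
  done
  if [ -z "$missing" ]; then
    echo "complete"
    return 0
  elif [ -z "$found" ]; then
    echo "none"
    return 2
  else
    # Same Found/Missing report as the puppetserver log, sent to stderr
    echo "partial"
    echo "Found:$found" >&2
    echo "Missing:$missing" >&2
    return 1
  fi
}
```

Run `ca_state` as root on the Puppet Server; only an exit status of 1 means the "remove the directory and run puppetserver ca setup" remedy is the right fix.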

4.10.5.2.2. The Server Certificate was Removed

If the Puppet Server certificate was removed using puppetserver ca clean, regenerate it and then restart the puppetserver service:

# puppetserver ca generate --certname <your puppetserver's cert name>

4.10.5.2.3. The SSL Directory was Removed

If the /etc/puppetlabs/puppet/ssl directory was removed on the Puppet Server (and you do not have a backup of it), or if for some other reason you need to regenerate all the Puppet certificates and the Puppet CA, do the following:

Warning

This is destructive to your Puppet communications. This should only be used if you have no other options.

  1. Stop the puppetserver and puppetdb services.

  2. Remove the certificates and the CA on the Puppet Server and generate the new Puppet Server and CA certificates.

    puppet resource service puppet ensure=stopped
    puppet resource service puppetserver ensure=stopped
    puppet resource service puppetdb ensure=stopped
    
    puppet resource file /etc/puppetlabs/puppet/ssl ensure=absent force=true recurse=true
    puppet apply -e '#noop'
    
    puppet resource service puppetserver ensure=running
    
  3. Remove the old certificates from each of the Puppet clients and re-register the client using the Puppet Client Re-Registration instructions.

  4. Clean the old certificates out from the puppetdb directory and copy the new ones from the puppetserver using puppetdb’s ssl setup script.

    puppet resource file /etc/puppetlabs/puppetdb/ssl ensure=absent force=true recurse=true
    puppetdb ssl-setup
    
  5. (Optional) Restart the puppetdb service

    Only do this if you wish to run puppetdb!

    puppet resource service puppetdb ensure=running
    
  6. Confirm that everything is working

    puppet agent -t
    

4.10.5.2.4. Puppetserver and PuppetDB Certificate Mismatch

If the puppetserver CA has been updated and the puppetdb certificates have not been cleaned, a puppet agent run produces an error similar to this:

Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error:
Failed to execute '/pdb/cmd/v1?checksum=5584595ca917e6b8d5767f7ff0fd71863fdfc486&version=5
&certname=puppet.your.domain&command=replace_facts&producer-timestamp=1521137360'
on at least 1 of the following 'server_urls': https://puppet.your.domain:8139

You will probably need to disconnect the PuppetDB process from the Puppet Server. Follow the HOWTO Disconnect PuppetDB from the Puppet Server Guide to remediate this issue.