PUP-1916: puppet cert clean cannot remove signing requests

    Details

    • Type: Bug
    • Status: Accepted
    • Priority: Normal
    • Resolution: Unresolved
    • Affects Version/s: PUP 3.4.2, PUP 3.4.3, PUP 3.6.2, PUP 3.7.3, PUP 3.7.5, PUP 4.10.6, PUP 5.0.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
      None
    • Environment:

      Puppet on CentOS 6 (via puppetlabs repo), Puppet on Debian7 (via puppetlabs repo)

    • Team:
      Platform Core
    • Sprint:
      Platform Core Grooming

      Description

      I have a certificate signing request that I would like to get rid of with "puppet cert". However, I can only list and sign CSRs.

      Here's my log:
      [root@operations ~]# puppet --version
      3.4.2
      [root@operations ~]# puppet cert list | grep local
      "localhost.localdomain" (MD5) 12:5E:40:6B:79:84:6F:9C:51:7B:40:81:30:30:8B:F5
      [root@operations ~]# puppet cert clean localhost.localdomain
      Error: Could not find a serial number for localhost.localdomain

      A thread at puppet-users suggests this worked before, but is now broken:
      https://groups.google.com/forum/#!topic/puppet-users/gmIFG108aw0

            Activity

            derrick Derrick Dymock added a comment -

            Same on squeeze with puppet 3.4.3.

            motp Bjørn Bürger added a comment -

            Same on Debian Wheezy:

            3.4.3-1puppetlabs1 0
                990 http://apt.puppetlabs.com/ wheezy/main i386 Packages

            The workaround puppet cert sign / puppet cert clean works, but is quite, hmmm, unintuitive.

            derrick Derrick Dymock added a comment -

            You can also delete the certs from (in my case) /var/lib/puppet/ssl/ca/requests.

            cwood Christopher Wood added a comment -

            Cleaning a certificate request fails in 3.6.2 on CentOS as well.

            I confirm this used to work in the 2.7 series.

            mmoll Michael Moll added a comment -

            Same on 3.7.x. Is there any progress on this? Or was the change done on purpose?

            jbouse Jeremy T. Bouse added a comment - - edited

            This seems to work fine from what I can see with 3.7.3 on Debian 7.6 from the Puppetlabs repo. I could try to duplicate using a CentOS 6 Vagrant setup but that shouldn't change unless there's a packaging issue.

            I ran the following using Vagrant with master and agent hosts.

            root@puppetmaster:~# puppet -V
            3.7.3
            root@puppetmaster:~# puppet cert list -a
            root@puppetmaster:~# service puppetmaster start
            [ ok ] Starting puppet master.
            root@puppetmaster:~# puppet cert list -a
            + "puppetmaster.puppetdebug.vlan" (SHA256) 8E:B5:B5:8C:B2:BD:C9:79:39:2D:67:C9:D5:39:35:7B:58:44:62:54:15:87:1A:26:67:69:BE:78:F8:42:6A:62 (alt names: "DNS:puppet", "DNS:puppet.puppetdebug.vlan", "DNS:puppetmaster.puppetdebug.vlan")

            I then logged into my agent and ran

            root@puppetagent:~# puppet agent -t
            Info: Creating a new SSL key for puppetagent.puppetdebug.vlan
            Info: Caching certificate for ca
            Info: csr_attributes file loading from /etc/puppet/csr_attributes.yaml
            Info: Creating a new SSL certificate request for puppetagent.puppetdebug.vlan
            Info: Certificate Request fingerprint (SHA256): 50:04:6B:44:8F:3B:C6:2D:7D:33:4A:AA:96:DD:98:FA:7E:33:53:AD:0D:E2:44:46:A3:B0:CA:D3:97:A0:7A:C3
            Info: Caching certificate for ca
            Exiting; no certificate found and waitforcert is disabled

            Going back to my master

            root@puppetmaster:~# puppet cert list -a
              "puppetagent.puppetdebug.vlan"  (SHA256) 50:04:6B:44:8F:3B:C6:2D:7D:33:4A:AA:96:DD:98:FA:7E:33:53:AD:0D:E2:44:46:A3:B0:CA:D3:97:A0:7A:C3
            + "puppetmaster.puppetdebug.vlan" (SHA256) 8E:B5:B5:8C:B2:BD:C9:79:39:2D:67:C9:D5:39:35:7B:58:44:62:54:15:87:1A:26:67:69:BE:78:F8:42:6A:62 (alt names: "DNS:puppet", "DNS:puppet.puppetdebug.vlan", "DNS:puppetmaster.puppetdebug.vlan")

            Now I have an unsigned request from my agent that I want to remove...

            root@puppetmaster:~# puppet cert clean puppetagent.puppetdebug.vlan
            Notice: Revoked certificate with serial 3
            Notice: Removing file Puppet::SSL::CertificateRequest puppetagent.puppetdebug.vlan at '/var/lib/puppet/ssl/ca/requests/puppetagent.puppetdebug.vlan.pem'
            root@puppetmaster:~# puppet cert list -a
            + "puppetmaster.puppetdebug.vlan" (SHA256) 8E:B5:B5:8C:B2:BD:C9:79:39:2D:67:C9:D5:39:35:7B:58:44:62:54:15:87:1A:26:67:69:BE:78:F8:42:6A:62 (alt names: "DNS:puppet", "DNS:puppet.puppetdebug.vlan", "DNS:puppetmaster.puppetdebug.vlan")

            As you can see, it cleaned up the CSR just fine using puppet cert clean.

            jbouse Jeremy T. Bouse added a comment -

            Okay... I ran this under a CentOS 6.5 Vagrant host and it does not clean up the CSR and provided me with the following:

            [root@puppetmaster ~]# puppet cert list -a
              "puppetagent.puppetdebug.vlan"  (SHA256) B2:86:B6:35:38:0B:87:68:52:FA:D9:1E:FD:79:2E:72:37:79:D9:23:85:95:55:26:95:59:34:F0:92:75:16:18
            + "puppetmaster.puppetdebug.vlan" (SHA256) 5B:89:25:EA:60:22:EC:3F:66:EE:76:46:3B:55:03:2C:5B:24:7D:1E:9F:33:C4:51:FF:A7:2F:99:C6:7B:BB:5D (alt names: "DNS:puppet", "DNS:puppet.puppetdebug.vlan", "DNS:puppetmaster.puppetdebug.vlan")
            [root@puppetmaster ~]# puppet cert clean puppetagent.puppetdebug.vlan
            Error: Could not find a serial number for puppetagent.puppetdebug.vlan

            This was also using the Puppetlabs repo version 3.7.3 so I'm not sure off-hand why the same version code on different distributions would behave differently like this.

            soundgoof Markus Häll added a comment -

            root@puppet:~# cat /etc/issue
            Debian GNU/Linux 7 \n \l
            root@puppet:~# uname -a
            Linux puppet 3.2.0-4-amd64 #1 SMP Debian 3.2.63-2 x86_64 GNU/Linux
            root@puppet:~# puppet --version
            3.7.3

            root@puppet:~# puppet cert list
              "asterix.dummy"      (SHA256) 6B:FA:93:6B:B3:6E:2A:08:E1:37:B4:41:CB:47:5E:27:72:B5:DA:BA:B3:6A:7A:5E:CC:CF:9F:44:0E:74:1A:41
              "fire.dummy"         (SHA256) 74:7E:DB:BF:C4:F6:71:00:62:ED:EF:99:4B:76:B4:9D:1E:A0:91:0B:63:CD:29:2B:AF:BD:B3:6F:B3:31:14:3A
            root@puppet:~# puppet cert clean asterix.dummy
            Error: Could not find a serial number for asterix.dummy
            root@puppet:~# puppet cert list
              "asterix.dummy"      (SHA256) 6B:FA:93:6B:B3:6E:2A:08:E1:37:B4:41:CB:47:5E:27:72:B5:DA:BA:B3:6A:7A:5E:CC:CF:9F:44:0E:74:1A:41
              "fire.dummy"         (SHA256) 74:7E:DB:BF:C4:F6:71:00:62:ED:EF:99:4B:76:B4:9D:1E:A0:91:0B:63:CD:29:2B:AF:BD:B3:6F:B3:31:14:3A

            This is a Debian 7 with the puppetlabs repo.

            jbouse Jeremy T. Bouse added a comment -

            Yeah, later discovery during #puppethack found that it would clean the CSR if and only if there had ever been a key signed for that hostname in the past so that it was listed in the CA inventory.txt. One comment made in the channel was that there was no good programmatic way to do it.

            erikl Erik L. added a comment -

            With puppet 4.1.0 I still cannot remove a CSR that is not signed.

            I had a client with a wrongly configured hostname. Puppet agent had already sent its CSR to the master, which is where I saw the flaw. So I corrected the hostname, removed the ssl files from the agent and it made a new CSR with the correct hostname, which I then signed on the master.

            But now the unsigned CSR remains. I can't remove it with puppet cert clean because of the error mentioned by the other users: puppet cert clean wants to find a serial number, but there is none for a CSR that's never been signed.
            Please provide a way to clean unsigned CSRs up.

            rw Ryan Whitehurst added a comment -

            This is still a problem and pretty sloppy looking.

            MightyDok Vitaliy Okulov added a comment -

            You can remove a wrong SSL signing request from the /etc/puppetlabs/puppet/ssl/ca/requests/ directory for Puppet 4.3,
            or use the puppet ca destroy wrong_fqdn command.

            nickh Nick Howes added a comment -

            `puppet ca` has recently been deprecated, so that option is going away and soon there'll be no way to do this without manually managing the files.

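A defensive version of the manual workaround the comments above describe (deleting the pending request file from ca/requests when no serial exists), combined with Jeremy's finding that puppet cert clean only succeeds for hosts listed in the CA inventory.txt. This is an added example, not code from this ticket or from Puppet; it assumes the ssldir passed as the first argument has the Puppet 3 ca/requests, ca/signed and ca/inventory.txt layout (Puppet 4 uses /etc/puppetlabs/puppet/ssl with the same subtree) and that inventory.txt lines end in the certificate subject as /CN=<hostname>.

```shell
#!/bin/sh
# Added example, not from the ticket or from Puppet. Removes an unsigned CSR
# from the CA's requests directory (the manual workaround from the comments),
# but only after checking that 'puppet cert clean' is not the right tool for
# this host, i.e. that no serial exists in ca/signed or inventory.txt.
#
# Usage: clean_unsigned_csr <ssldir> <fqdn>
# Return codes: 0 request removed; 1 use 'puppet cert clean' instead;
#               2 nothing to do (no request, or the file is not a PEM CSR).
clean_unsigned_csr() {
  ssldir=$1
  fqdn=$2
  req="$ssldir/ca/requests/$fqdn.pem"
  signed="$ssldir/ca/signed/$fqdn.pem"
  inventory="$ssldir/ca/inventory.txt"

  # A signed cert exists: 'puppet cert clean' will find its serial and revoke it.
  if [ -f "$signed" ]; then
    echo "$fqdn has a signed certificate; run: puppet cert clean $fqdn" >&2
    return 1
  fi
  # Assumed inventory.txt line shape: "0x0003 <notBefore> <notAfter> /CN=host".
  # A listed CN means a serial exists, so 'puppet cert clean' works (and also
  # revokes the old certificate) even when only a pending CSR is left.
  if [ -f "$inventory" ] && grep -q "/CN=$fqdn\$" "$inventory"; then
    echo "$fqdn is listed in inventory.txt; run: puppet cert clean $fqdn" >&2
    return 1
  fi
  if [ ! -f "$req" ]; then
    echo "no pending request for $fqdn in $ssldir/ca/requests" >&2
    return 2
  fi
  # Never delete anything that is not a PEM-encoded certificate request.
  if ! grep -q '^-----BEGIN CERTIFICATE REQUEST-----' "$req"; then
    echo "$req is not a PEM certificate request; refusing to remove it" >&2
    return 2
  fi
  rm -f -- "$req"
  echo "removed pending request $req"
  return 0
}

# Direct use: sh clean_unsigned_csr.sh /var/lib/puppet/ssl host.example.com
if [ "$#" -eq 2 ]; then
  clean_unsigned_csr "$1" "$2"
fi
```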
            dhollinger David Hollinger added a comment -

            Can we get this ticket updated to show that this affects puppetserver <= 2.7.2 and puppet <= 4.10.1?


              People

              • Assignee:
                Unassigned
                Reporter:
                rbu Robert Buchholz
              • Votes:
                18
                Watchers:
                25
