Affects Version/s: PUP 3.5.1
Fix Version/s: None
Since migrating our puppet masters to CentOS 7, we are unable to sign certificates from really old puppet client systems which request MD5 certificates - probably due to OpenSSL changes.
That's fine, we need to be on SHA anyway. So, in testing to get these old clients to request a cert with a different algorithm (and having problems with --digest not being respected on these old puppet versions), we were going to need to go through a few different requests to get one with the right algorithm.
So, let's delete the pending request so a new one can come in, right?
Hmm, how can I delete this request? Normally when I've run into that, I've run sign and then immediately clean to get rid of it, but that's not possible in this case since the sign operation errors.
Ok, so --all will clear unsigned certs? Let's try that.
Yeah, that's a bad idea - the host being specified in this command is ignored. Yes, it says "all host certificates", so that makes sense, but it seems to be the only option that could potentially delete an unsigned cert.
So, a couple things:
- Is there a way within the puppet cert workflow (instead of manipulating the cert store directly on the filesystem) to delete a pending cert request that was never signed? I'm not seeing one, and if not, there should be - I don't see any harm in having clean remove unsigned requests as well as already signed certs.
- Should puppet cert clean host.example.com --all be annihilating all certs, when a hostname was specified? If the --all flag is going to be the only way to delete an unsigned request, it should support having a specific hostname. If it's going to remain the "nuke it all and salt the earth" option exclusively, then it should error when you try to run it with a specific hostname.
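Added example, not code from the ticket or from Puppet: a small POSIX shell script that runs `openssl` over each pending request in a CA's request directory and reports the signature digest, so requests a SHA-only master will refuse can be spotted before `sign` is attempted. The directory path, the `<hostname>.pem` naming and the md5/sha1 policy are assumptions.

```shell
#!/bin/sh
# Added example (not from the ticket or from Puppet): report the signature
# digest of each pending CSR so MD5-signed requests can be identified before
# `puppet cert sign` fails on them. Assumes `openssl` is on PATH; the request
# directory is passed in rather than hard-coded (its layout is an assumption).

# Print the signature algorithm of one PEM CSR, e.g. sha256WithRSAEncryption.
csr_digest() {
    openssl req -noout -text -in "$1" 2>/dev/null \
        | sed -n 's/^[[:space:]]*Signature Algorithm:[[:space:]]*//p' \
        | head -n 1
}

# Exit status 0 when the CSR uses a digest a modern CA should refuse
# (MD5 or SHA-1), 1 otherwise. The policy is an assumption for this example.
csr_is_weak() {
    case "$(csr_digest "$1")" in
        md5*|sha1*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Walk a directory of pending requests (assumed to be stored as <hostname>.pem)
# and print "<hostname> <algorithm> <WEAK|ok|UNKNOWN>" for each one.
report_pending_csrs() {
    dir=$1
    for f in "$dir"/*.pem; do
        [ -e "$f" ] || continue
        host=$(basename "$f" .pem)
        alg=$(csr_digest "$f")
        if [ -z "$alg" ]; then
            status=UNKNOWN; alg=unparseable
        elif csr_is_weak "$f"; then
            status=WEAK
        else
            status=ok
        fi
        printf '%s %s %s\n' "$host" "$alg" "$status"
    done
}
```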