Accidentally revoked all puppetmaster certs

puppet

I ran puppet cert clean --all, thinking it would only clear the certificates that hadn't been signed yet. There's about 300 nodes that rely on the puppet master. As far as I can tell, puppet agent still works on them, but I think that's because there's a cached copy of the certificate somewhere.

Any way to rectify the situation without having to manually log into 300 different servers?

Thanks

EDIT: I should mention that /var/lib/puppet wasn't being backed up for some reason.

Best Answer

If they're still checking in, that's probably because the puppet master is not checking the CRL; they might not exist in the cert inventory on the master any more but they're still signed by the CA. Revoking trumps that but the revoke doesn't seem to be preventing their agent runs (verify they aren't just using cached catalogs with puppet agent --test).

Because of this, you should be able to do some creative configuration management to get them to enroll for new certificates - say, maybe something like this..

exec { 'ssl hackery':
  command  => '/bin/mv /var/lib/puppet/ssl /var/lib/puppet/ssl_old',
  creates  => '/var/lib/puppet/ssl_old',
}

(Test this thoroughly on a single host before hitting all the nodes with it, or you will indeed be touching each one!)

Related Solutions

Puppetmaster don’t notice changes to site.pp

I've found the problem. I've been writing the manifests with notepad++, with EOL set to Windows, NOT Unix. So there was there problem :/

Converting from one puppetmaster to another

I don't want to detract from anyone's possible answers - perhaps there is a cleaner way to achieve my goals.

Here is what I did: I removed everything in /var/lib/puppet:

cd /var/lib/puppet
rm -rf *

Since I was using a package manager, I looked for files owned by any package in that directory - and there were none. For Debian and dpkg, that is done this way:

dpkg -S * */* */*/*

Since no packages were found that owned these files, this suggested that the files were created on the fly, and since /var/lib/puppet was owned by a package (puppet-common) I left the empty directory in place.

Then I ran puppetmaster (actually a mistake since passenger is to be used) and the appropriate files were all recreated. After stopping puppetmaster, configuring passenger, and configuring /etc/default/puppetmaster and "restarting" puppetmaster (which failed quietly) - everything seemed to be good again.

Running puppet agent against the server pulled down the appropriate certs and made everything nice.

Best Answer

Related Solutions

Puppetmaster don’t notice changes to site.pp

Converting from one puppetmaster to another

Related Topic