I have a foreman+katello install that was working fully and I needed to do a bulk clean up of some puppet agent certificates. I accidentally deleted the puppet server certificate that is needed for signing puppet agent certificates.
I have run foreman-installer --scenario katello to have it regenerate the server’s signing certificate (using the --certs-update-server --certs-update-server-ca options), but it is not recreating the certificate needed for the puppetserver command. I get the below error when I run ‘puppetserver ca list’:
…
Fatal error when running action ‘list’
Error: Failed connecting to https://puppet.example.com:8140/puppet-ca/v1/certificate_statuses/any_key
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate revoked)
…
Can anyone give me guidance on how to recreate the signing certificate needed for puppetserver to work?
On a related note, I did create a new certificate for the foreman+katello server, and it installs via foreman-installer --scenario katello without any errors. There seems to be something not happening that creates the certificate file used by the puppetserver command.
I have verified that the /etc/pki/katello/puppet/puppet_client.crt and /etc/pki/katello/puppet/puppet_client.key files, as well as the /etc/foreman/client_cert.pem and /etc/foreman/client_key.pem files, are getting recreated when I run the installer.
It seems to me the problem I am having is due to the below files not getting rebuilt when I run the foreman-installer command as previously described.
In this directory: /etc/pki/katello/certs
These files did not get rebuilt with the new certificate info:
katello-default-ca.crt
katello-default-ca-stripped.crt
katello-server-ca.crt
katello-tomcat.crt
This is the only katello- file that got rebuilt:
katello-apache.crt
Is it safe to delete the katello-* files that did not get recreated and re-run the foreman-installer to recreate them?
For anyone else who might have this issue in the future: I did not get a solution just using the foreman-installer --scenario katello … --certs options.
My final steps were to do this:
- Generate a new custom certificate for the foreman (puppet master) server
- rm -f /etc/pki/katello/certs/*crt (back them up first)
- Run foreman-installer --scenario katello with the below options (this command recreated all the /etc/pki/katello/certs files):
  --certs-server-cert "PATH2FOREMANSERVERCERTFILE.crt" \
  --certs-server-cert-req "PATH2FOREMANSERVERCERTREQFILE.csr" \
  --certs-server-key "PATH2FOREMANSERVERKEYFILE.key" \
  --certs-server-ca-cert "PATH2CACERTIFICATECHAINFILE.crt" \
  --certs-update-server --certs-update-server-ca
- Use these instructions to recreate the puppetserver certificate files:
  (Regenerating certificates in a Puppet deployment)
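The procedure in the post above (back up and remove the old katello-*.crt files, then re-run foreman-installer with a custom server certificate, CSR, key and CA chain) goes wrong quietly if the four files you pass do not belong together. The script below is an added example, not code from the original poster or from the Foreman/Katello project: it copies the certificate directory to a timestamped backup before clearing it, uses openssl to check that the certificate, the CSR and the private key share one public key and that the certificate verifies against the CA chain file, and only then prints the installer command from the post for you to review and run. All file paths, the backup destination and the function names are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread or the Foreman project):
# pre-flight checks for "rm /etc/pki/katello/certs/*crt, then re-run
# foreman-installer with a custom server certificate".
# All paths are placeholders / assumptions; adjust to your deployment.

# Copy the katello cert directory to a timestamped backup, then remove
# the *.crt files so the installer regenerates them. Prints the backup
# path. Refuses to delete anything if the copy failed.
backup_and_clear_certs() {
  dir="${1:-/etc/pki/katello/certs}"
  dest="${2:-/root}"
  out="$dest/katello-certs-backup-$(date +%Y%m%d%H%M%S)"
  cp -a "$dir" "$out" || return 1
  rm -f "$dir"/*.crt || return 1
  printf '%s\n' "$out"
}

# Public key (SubjectPublicKeyInfo, PEM) of a cert, a CSR or a private
# key, so the three can be compared as plain strings.
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey; }
pubkey_of_csr()  { openssl req  -in "$1" -noout -pubkey; }
pubkey_of_key()  { openssl pkey -in "$1" -pubout; }

# 0 when the certificate was issued for this private key.
cert_matches_key() {
  c=$(pubkey_of_cert "$1") && k=$(pubkey_of_key "$2") || return 1
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# 0 when the CSR was generated from this private key.
csr_matches_key() {
  r=$(pubkey_of_csr "$1") && k=$(pubkey_of_key "$2") || return 1
  [ -n "$r" ] && [ "$r" = "$k" ]
}

# 0 when the server certificate verifies against the CA chain file
# (the file you would pass as --certs-server-ca-cert).
cert_chains_to_ca() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Run all checks and print the foreman-installer command from the post.
# Nothing is executed here: review the printed command, then run it.
installer_command() {
  cert="$1"; csr="$2"; key="$3"; ca="$4"
  cert_matches_key "$cert" "$key" || { echo "server cert does not match key" >&2; return 1; }
  csr_matches_key "$csr" "$key"   || { echo "CSR does not match key" >&2; return 1; }
  cert_chains_to_ca "$ca" "$cert" || { echo "server cert does not chain to CA file" >&2; return 1; }
  printf 'foreman-installer --scenario katello \\\n'
  printf '  --certs-server-cert "%s" \\\n' "$cert"
  printf '  --certs-server-cert-req "%s" \\\n' "$csr"
  printf '  --certs-server-key "%s" \\\n' "$key"
  printf '  --certs-server-ca-cert "%s" \\\n' "$ca"
  printf '  --certs-update-server --certs-update-server-ca\n'
}

# Usage (placeholder paths):
#   backup_and_clear_certs /etc/pki/katello/certs /root
#   installer_command server.crt server.csr server.key ca-chain.crt
```

The script only prints the installer command; it never runs foreman-installer or touches the puppetserver CA, so the last step of the post (regenerating the puppetserver certificate files per the Puppet documentation) still has to be done afterwards.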