Accidentally deleted puppet server certificate - can't get it recreated

I have a foreman+katello install that was working fully and I needed to do a bulk clean up of some puppet agent certificates. I accidentally deleted the puppet server certificate that is needed for signing puppet agent certificates.

I have run the foreman-installer --scenario katello command to have it regenerate the server’s signing certificate (using the --certs-update-server --certs-update-server-ca options), but it is not recreating the certificate needed for the puppetserver command. I get the below error when I run 'puppetserver ca list':

Fatal error when running action ‘list’
Error: Failed connecting to
Root cause: SSL_connect returned=1 errno=0 state=error: certificate verify failed (certificate revoked)
You have new mail in /var/spool/mail/root

Can anyone give me guidance on how to recreate the signing certificate needed for puppetserver to work?

On a related note…I did create a new certificate for the foreman+katello server and it installs via foreman-installer --scenario katello without any errors. There seems to be something not happening that creates the certificate file used by the puppetserver command.

I have verified the /etc/pki/katello/puppet/puppet_client.crt & /etc/pki/katello/puppet/puppet_client.key files as well as the /etc/foreman/client_cert.pem & /etc/foreman/client_key.pem files are getting recreated when I run the installer.

It seems to me the problem I am having is due to the below files not getting rebuilt when I run the foreman-installer command as previously described.

In this directory: /etc/pki/katello/certs
These files did not get rebuilt with the new certificate info…

This is the only katello- file that got rebuilt:

Is it safe to delete the katello-* files that did not get recreated and re-run the foreman-installer to recreate them?

For anyone else that might have this issue in the future…I did not get a solution just using the foreman-installer --scenario katello …certs options.

My final steps were to do this…

  1. Generate a new custom certificate for the foreman (puppet master) server
  2. rm -f /etc/pki/katello/certs/*crt (back them up first)
  3. This command recreated all the /etc/pki/katello/certs files
    run foreman-installer --scenario katello with the below options…
    --certs-server-cert "PATH2FOREMANSERVERCERTFILE.crt"
    --certs-server-cert-req "PATH2FOREMANSERVERCERTREQFILE.csr"
    --certs-server-key "PATH2FOREMANSERVERKEYFILE.key"
    --certs-server-ca-cert "PATH2CACERTIFICATECHAINFILE.crt"
    --certs-update-server --certs-update-server-ca
  4. Use these instructions to recreate new puppetserver certificate files…
    (Regenerating certificates in a Puppet deployment)
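
A check for the "certificate revoked" error quoted above, added here as an example and not part of the original posts: it uses the openssl CLI to test whether a certificate's serial number is listed in a CRL. The function names and the throwaway CA built by make_demo_pki are constructed for illustration; on a real server you would pass the server certificate and the CA's CRL file, whose paths the thread does not give.

```shell
#!/usr/bin/env bash
# Added example: is a certificate's serial listed in a CRL?

cert_serial() {   # $1 = PEM certificate; prints its serial in hex
  openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

crl_serials() {   # $1 = PEM CRL; prints one revoked serial per line
  openssl crl -in "$1" -noout -text | sed -n 's/^ *Serial Number: *//p'
}

cert_is_revoked() {   # $1 = certificate, $2 = CRL; exit 0 if revoked
  crl_serials "$2" | grep -qix "$(cert_serial "$1")"
}

# Constructed sample data: a throwaway CA in directory $1 that issues
# "server" and "agent" certificates, then revokes only "server".
make_demo_pki() {
  local d=$1 n
  mkdir -p "$d/newcerts"; : > "$d/index.txt"; echo 1000 > "$d/serial"
  cat > "$d/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $d/index.txt
new_certs_dir = $d/newcerts
serial = $d/serial
certificate = $d/ca.crt
private_key = $d/ca.key
default_md = sha256
default_days = 1
default_crl_days = 1
policy = any
[ any ]
commonName = supplied
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
    -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
  for n in server agent; do
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
      -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
    openssl ca -batch -config "$d/ca.cnf" -in "$d/$n.csr" -out "$d/$n.crt" 2>/dev/null
  done
  openssl ca -config "$d/ca.cnf" -revoke "$d/server.crt" 2>/dev/null
  openssl ca -config "$d/ca.cnf" -gencrl -out "$d/crl.pem" 2>/dev/null
}
```

If the server certificate's serial is in the CRL, every client that checks the CRL rejects it, so it has to be reissued rather than restored from a backup copy.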