Foreman & Puppet sslv3 alert certificate revoked

Problem: Puppet can no longer connect to Foreman, which disrupts the puppet runs
When I execute the following command on the Puppet Master:

/etc/puppet/external_node.rb foreman.server.com

I get this error:

Could not send facts to Foreman: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked

However, I have already tried removing the SSL directory on the node and reconnecting the node to the master. The problem persists.

With a puppet agent run the error looks like this:

[root@foreman]# puppet agent --test --noop
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Info: Retrieving pluginfacts
Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet://puppet.server.com/pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Info: Retrieving plugin
Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet://puppet.server.com/plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]
Wrapped exception:
SSL_connect returned=1 errno=0 state=error: certificate verify failed: [certificate revoked for /CN=puppet.server.com]

Are there any solutions that have already been found? Unfortunately, I am currently completely at a loss. Thanks!

Expected outcome: Puppet agent runs through without errors

Foreman and Proxy versions: 1.15.6

Other relevant data:

From the error messages, it looks like someone revoked your Puppet server’s own certificate from the PuppetCA. I’ll assume you are on Puppet 6 or newer. If not, the commands are slightly different.
Are you still able to run puppetserver ca list --all on your PuppetCA server? If so, try to check whether that is the case (the certificate of puppet.server.com should have a ‘-’ there, indicating the certificate has been revoked). In that case you could try cleaning the certificate and generating a new one for the Puppetserver, though I am not sure what consequences this could potentially have on other ends.
If you cannot access your Puppet CA anymore, you might want to temporarily add another host you trust with a valid certificate to the ACL for that Puppet API endpoint and continue analysis and further considerations from there (see here how to permit additional servers access to the API: auth.conf).

2 Likes
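The revocation check behind the errors in the question, as an added example (not from this thread or the Foreman project): a shell script that builds a throwaway CA with openssl, signs a certificate for a hypothetical puppet.example.test, revokes it, and shows the same certificate passing and then failing CRL verification, which is what the agent's "certificate revoked for /CN=..." output means. It assumes a POSIX shell with openssl on PATH; all names, serials and paths are constructed.

```shell
# Added example (not from the thread): throwaway CA, a leaf cert for a
# hypothetical Puppet server, revoke it, and check it against the CRL the
# way Puppet's TLS layer does against ca_crl.pem. All names are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"
# Throwaway CA and leaf certificate (constructed, not a real Puppet CA).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
    -subj "/CN=Puppet CA: puppet.example.test" -days 2 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout leaf.key -out leaf.csr \
    -subj "/CN=puppet.example.test" 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -set_serial 0x1001 \
    -days 2 -out leaf.pem 2>/dev/null
# Minimal 'openssl ca' config: only what -revoke and -gencrl need.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = puppet_ca
[ puppet_ca ]
database = index.txt
crlnumber = crlnumber
default_md = sha256
default_crl_days = 30
EOF
: > index.txt
echo 01 > crlnumber
run_ca() { openssl ca -config ca.cnf -keyfile ca.key -cert ca.pem "$@" 2>/dev/null; }
# Print "revoked" if the cert's serial is listed in the CRL, "valid" if the
# chain verifies with CRL checking enabled, "invalid" for any other failure.
revocation_status() {
    serial=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
    if openssl crl -in "$2" -noout -text | grep -q "Serial Number: $serial"; then
        echo revoked
    elif openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}
# Before revocation: an empty CRL, the leaf verifies cleanly.
run_ca -gencrl -out crl.pem
BEFORE=$(revocation_status leaf.pem crl.pem)
# Revoke the leaf (what happened to puppet.server.com in the thread) and
# regenerate the CRL; the same certificate now fails the check.
run_ca -revoke leaf.pem
run_ca -gencrl -out crl.pem
AFTER=$(revocation_status leaf.pem crl.pem)
echo "before revocation: $BEFORE, after revocation: $AFTER"
```

On a real Puppet CA the equivalent inputs are the agent certificate and the CA's ca_crl.pem; a serial listed there is what puppetserver ca list --all marks with ‘-’.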