Reprovisioning host: how to clear the old puppet certificate from the puppet server

Problem:
When imaging a system that has already been imaged, the puppet run returns "the certificate for myhostname does not match its private key".

Expected outcome:
Puppet server removes the old certificate before the host executes puppet and installs a new private key/certificate pairing.

Foreman and Proxy versions:
3.4

Foreman and Proxy plugin versions:

Distribution and version:
Redhat 8.7

I’ve searched around and haven’t found much in regard to my particular problem. I queried ChatGPT and it suggested using preseed and running the command to remove the old certificate from the puppet server before the host is provisioned and executes a puppet run, so it can get a fresh cert/key pair. ChatGPT looks promising, but it’s often wrong, so I thought I’d ask on here before I go down a rabbit hole.

I just need either puppetserver ca clean --certname fqdnofhost to execute on the server or rm -f /etc/puppetlabs/puppetserver/ca/signed/mycertname before the host goes through kickstart and executes a puppet run at the end.

Puppet server and foreman katello exist on the same server.

I thought maybe Administrator → Settings → provisioning → “Manage PuppetCA = Yes” would handle this, but I’m not really getting foreman to handle anything puppet related. I’m just using kickstart to kick off the first puppet run, which correctly sets up the puppet.conf file and also creates a root crontab that executes puppet once per hour and leaves systemd disabled. It’s how we have always done it and currently do it with Cobbler.

Thank you.

Have you installed Foreman’s Puppet integration? (The Foreman and smart-proxy plugins for Puppet)
If not, I would recommend you take a look at this documentation,
The PuppetCA Proxy functionality should do what you are looking for. Just be aware that documentation is a little opinionated especially in the client part, but since you are familiar with Puppet and provisioning workflows per se, just take the parts you need/are interested in and let the rest be :wink:

Alright. I installed foreman-proxy-puppetca and included the puppet_setup snippet and tried to run puppet and I still see the key certificate mismatch in the ks-post.log.

I also setup a couple of global parameters and the puppet.conf has the correct information, so the puppet setup did handle that correctly.

So what exactly is handling removing a preexisting certificate, so I can install a new one and successfully run puppet from the kickstart?

Again, I’d like to avoid installing tons of plugins. I just need this one thing handled and I’m done with my setup more or less.

I also followed the manual section for PuppetCA

puppetca

And I believe I followed that including pointing puppet.conf [master] autosign to the ruby script that comes with the smart proxy installation. And as I mentioned, I set the settings provisioning parameter for Manage PuppetCA to yes. Still not doing anything. What steps am I missing here?

I also found a promising puppet page on doing my own API calls to nuke the certs and I’ll explore that further. If I could just execute that during kickstart using host.name for the certname, that would be very straight forward and preclude all this extra setup.

I couldn’t figure out exactly how that foreman function to remove old certs worked, so I came up with a workaround.

Created a local user on foreman, gave it sudoers to only be able to run puppetserver ca clean --certname *

Created an rsa keypair, and kickstart creates a temporary file with the private key and allows remote execution of the command to clean the @host.certname off the puppetserver. And don’t record the keypair in logs.

I’m happy and it allows me to keep the foreman plugins to a minimum.
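An added example (not part of the original post, and not Foreman or Puppet code) of how the workaround above can be tightened on the server side. Instead of giving the SSH key an interactive shell and relying on the sudoers wildcard alone, the key is pinned to a forced command in authorized_keys, and the wrapper below is the only thing that key can run. It takes the certname from SSH_ORIGINAL_COMMAND, validates it against a strict hostname pattern, and only then calls puppetserver ca clean through sudo. That matters because a sudoers rule ending in `--certname *` matches across word boundaries, so without the wrapper the key holder could append extra certnames or options. Paths, the `puppetclean` account name and the `clean <fqdn>` request format are assumptions for this example.

```sh
#!/bin/sh
# Forced-command wrapper (assumed path /usr/local/bin/puppet-ca-clean-wrapper) for a
# restricted "puppetclean" user on the combined Foreman/Puppet server. Example only.
#
# ~puppetclean/.ssh/authorized_keys (one line; key material elided):
#   command="/usr/local/bin/puppet-ca-clean-wrapper",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 AAAA... kickstart-cleaner
#
# /etc/sudoers.d/puppetclean (assumed):
#   puppetclean ALL=(root) NOPASSWD: /opt/puppetlabs/bin/puppetserver ca clean --certname *
#
# Kickstart %post side (assumed; <%= @host.name %> is the Foreman template variable
# for the host's FQDN, written to the temp key file the post above describes):
#   ssh -i /tmp/cleankey -o BatchMode=yes puppetclean@foreman.example.com "clean <%= @host.name %>"

set -eu
export LC_ALL=C   # make the a-z range in the case pattern locale-independent

PUPPETSERVER=${PUPPETSERVER:-/opt/puppetlabs/bin/puppetserver}

# Returns 0 if $1 is a syntactically valid lowercase FQDN (RFC 1123 style labels,
# 1-253 chars total, each label 1-63 chars, no leading/trailing hyphen), else 1.
# Runs in a subshell so IFS and set -f do not leak into the caller.
valid_certname() (
  name=$1
  [ ${#name} -ge 1 ] && [ ${#name} -le 253 ] || return 1
  case $name in
    *[!a-z0-9.-]*) return 1 ;;                  # only lowercase letters, digits, dot, hyphen
    .*|*.|*..*|-*|*-|*.-*|*-.*) return 1 ;;     # no empty labels, no label starting/ending with -
  esac
  set -f; IFS=.; set -- $name                   # split into labels without globbing
  for label in "$@"; do
    [ ${#label} -le 63 ] || return 1
  done
  return 0
)

# Parses a request of the exact form "clean <certname>" (anything else, including
# extra words, options or shell metacharacters, is rejected). Prints the certname on
# success and returns 1 otherwise.
parse_request() (
  req=$1
  set -f; set -- $req                           # word-split, never glob-expand
  [ "$#" -eq 2 ] && [ "$1" = clean ] || return 1
  valid_certname "$2" || return 1
  printf '%s\n' "$2"
)

# Entry point when invoked by sshd as a forced command: the client's requested
# command arrives in SSH_ORIGINAL_COMMAND and is never executed as a shell.
main() {
  if ! name=$(parse_request "${SSH_ORIGINAL_COMMAND:-}"); then
    logger -t puppet-ca-clean "rejected request from ${SSH_CLIENT:-?}: ${SSH_ORIGINAL_COMMAND:-<empty>}"
    echo "usage: clean <fqdn>" >&2
    exit 1
  fi
  logger -t puppet-ca-clean "cleaning certificate for $name (requested from ${SSH_CLIENT:-?})"
  exec sudo -n "$PUPPETSERVER" ca clean --certname "$name"
}

# Only act when running as an SSH forced command; otherwise the functions above
# are just defined (which is what the accompanying checks rely on).
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
  main
fi
```

With this in place the private key on the freshly kickstarted host can do exactly one thing, the cleaned certname is logged via syslog on the server, and the sudoers wildcard only matters if the puppetclean account is compromised by some other route.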
