Strange problem with puppet certificates removal

Shimon_Shtein · June 13, 2018, 10:19am

Everytime a kickstart file was accessed via the unique token, Foreman was trying to delete an old cert within the puppet master:

D, [2018-06-13T00:06:27.775622 ] DEBUG -- : Executing /usr/bin/sudo -S /usr/bin/puppet cert --ssldir /var/lib/puppet/ssl --clean foo.example.com
D, [2018-06-13T00:06:29.500499 ] DEBUG -- : Attempt to remove nonexistent client certificate for foo.example.com
E, [2018-06-13T00:06:29.501020 ] ERROR -- : Attempt to remove nonexistent client certificate for foo.example.com
D, [2018-06-13T00:06:29.501088 ] DEBUG -- : Attempt to remove nonexistent client certificate for foo.example.com
I, [2018-06-13T00:06:29.502740 ]  INFO -- : 10.35.16.190 - - [13/Jun/2018:00:06:29 +0300] "DELETE /puppet/ca/foo.example.com HTTP/1.1" 404 84 1.7286

And it seems like it happened only on this specific client.
While trying to clean the cert manually - the output pops many times:
Notice: Revoked certificate with serial XXX

Luckily, it was solved this by running reinventory to the puppet certs.

I wonder what can cause this behavior.

mzima · June 13, 2018, 8:15pm

I get the same “Attempt to remove nonexistent client certificate ...” messages when deploying a new node, and as far as I know they are totally harmless. Foreman tries proactively to remove existing certs and if it’s a new nodename there aren’t any.

It also should not be necessary to do a manual cert cleanup afterwards.