Satellite 6 : How to restore Satellite's and client Puppet SSL certificates after they were revoked by a mistake.

Solution Verified - Updated 2 Aug 2024

Environment

Red Hat Enterprise Linux 6 and 7
Red Hat Satellite 6

Issue

All Puppet certificates show status certificate revoked (puppet cert list --all) including the Puppet master certificate. The following solution: Unable to sign the SSL certificate for the puppet client in the satellite webUI is not applicable as Puppet master certificate is also revoked.

Resolution

ON CLIENT

Stop the puppet service and remove all data in /var/lib/puppet/ssl directory:
- service puppet stop
- if [ $(rpm -q puppet-agent --queryformat "%{VERSION}" | cut -d. -f1) -lt 4 ]; then dir="/var/lib/puppet/ssl/"; else dir="/etc/puppetlabs/puppet/ssl/"; fi
- rm -rf ${dir}/*

ON SATELLITE SERVER

Remove all certificates, then stop puppet and httpd services. httpd needs to be stopped as it listens on port 8140. Subsequently, remove all the data from /var/lib/puppet/ssl directory. Finally, start the puppet master service in verbose mode:
- puppet cert clean --all
- service puppet stop ; service httpd stop ; service puppetserver stop
- if [ $(rpm -q puppet-agent --queryformat "%{VERSION}" | cut -d. -f1) -lt 4 ]; then dir="/var/lib/puppet/ssl"; else dir="/etc/puppetlabs/puppet/ssl"; fi
- mv ${dir} ${dir}.old
- puppet cert list --all
- puppet master --no-daemonize --verbose

ON CLIENT

Start the puppet service and generate a new certificate request:
- service puppet start
- puppet agent -t

ON SATELLITE SERVER

Sign the client certificate:
- puppet cert sign client.domain.com

ON SATELLITE SERVER

Stop puppet master process and start httpd and puppet services:
- Interrupt puppet master --no-daemonize --verbose command using CTRL-C
- service httpd start ; service puppet start ;service puppetserver start

ON CLIENT

After a client node new certificate is signed, Puppet run starts.
- puppet agent -t

For more KB articles/solutions related to Red Hat Satellite 6.x Puppet Issues, please refer to the Red Hat Satellite Consolidated Troubleshooting Article for Red Hat Satellite 6.x Puppet Issues

SBR

SysMgmt

Product(s)

Red Hat Satellite

Components

puppet

Category

Configure

Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.