Bug #3995
closed
pending certificates don't get deleted with puppet 3.x
Description
Puppet 2.7: puppetca --clean <fqdn>
Puppet 3.0: puppet ca destroy <fqdn>, while puppet ca clean <fqdn> does not work for CSRs
Updated by Anonymous over 11 years ago
With Puppet 3.4.2:
# puppet cert list
  "tmptst" (SHA256) C4:92:8B:FE:80:4B:BA:B3:D8:17:AA:FD:15:83:FA:55:D5:99:BF:78:2A:B0:86:18:69:F0:53:9A:CE:2A:D1:9F
# puppet cert clean tmptst
Error: Could not find a serial number for tmptst
# puppet ca destroy tmptst
Notice: Removing file Puppet::SSL::CertificateRequest tmptst at '/var/lib/puppet/ssl/ca/requests/tmptst.pem'
# puppet ca destroy tmptst.test.xxx.de
Notice: Removing file Puppet::SSL::Certificate tmptst.test.xxx.de at '/var/lib/puppet/ssl/ca/signed/tmptst.test.xxx.de.pem'
Deleted for tmptst.test.xxx.de: Puppet::SSL::Certificate
# puppet cert clean tmptst.test.xxx.de
Notice: Revoked certificate with serial 6
Updated by cristian falcas over 10 years ago
I was wondering if this issue will be fixed any time soon. It will be nice to delete pending certificates from foreman.
Updated by Anonymous over 10 years ago
I'll have a look at that, as soon as I have more time. If it's a big problem for you, please yell and I try to find somebody else.
Updated by Anonymous over 10 years ago
My initial description was wrong; here is the correct one:
Puppet 2.7: puppetca --clean <fqdn>
Puppet 3.0: puppet ca destroy <fqdn>, while puppet cert clean <fqdn> does not work for CSRs
Updated by Anonymous over 10 years ago
Puppet Issue: https://tickets.puppetlabs.com/browse/PUP-1916
Updated by Alex Fisher about 9 years ago
I bumped into this too whilst testing the smart proxy with puppet 4 (which needs a couple of small mods to work BTW).
D, [2016-04-01T17:14:22.445450 #12164] DEBUG -- : accept: 10.160.248.69:40418
D, [2016-04-01T17:14:22.447119 #12164] DEBUG -- : Rack::Handler::WEBrick is invoked.
D, [2016-04-01T17:14:22.448015 #12164] DEBUG -- : verifying remote client 10.160.248.69 against trusted_hosts ["host1.example.com", "host2.example.com"]
D, [2016-04-01T17:14:22.448367 #12164] DEBUG -- : Found puppetca at /opt/puppetlabs/bin/puppet
D, [2016-04-01T17:14:22.448461 #12164] DEBUG -- : Found sudo at /usr/bin/sudo
D, [2016-04-01T17:14:22.448516 #12164] DEBUG -- : Executing /usr/bin/sudo -S /opt/puppetlabs/bin/puppet cert --ssldir /etc/puppetlabs/puppet/ssl --clean host.dmz.local
I, [2016-04-01T17:14:24.164223 #12164] INFO -- : Attempt to remove nonexistent client certificate for host.dmz.local
E, [2016-04-01T17:14:24.164510 #12164] ERROR -- : Attempt to remove nonexistent client certificate for host.dmz.local
D, [2016-04-01T17:14:24.164560 #12164] DEBUG -- : Attempt to remove nonexistent client certificate for host.dmz.local
I, [2016-04-01T17:14:24.164864 #12164] INFO -- : 10.160.248.69 - - [01/Apr/2016:17:14:24 +0100] "DELETE /puppet/ca/host.dmz.local HTTP/1.1" 404 68 1.7171
puppet cert clean certname won't remove unsigned certificate requests,
but
puppet ca destroy certname does.
I'm not sure what versions of puppet support that command though.
Updated by Alex Fisher about 9 years ago
I'm confused as to what version of puppet I actually tested 'puppet ca destroy' in...
Apparently not a version of puppet 4 though.
As https://tickets.puppetlabs.com/browse/PUP-6179 has only just been fixed.
Either way, in puppet 4.4.2 'puppet ca destroy' can be used successfully.
[root@devops01 ~]# puppet --version
4.4.2
[root@devops01 ~]# puppet cert list
  "devops02.example.com" (SHA256) 19:47:28:8C:E9:D6:CF:49:50:31:00:CF:C4:94:E6:7E:F6:F8:65:F4:2C:B7:62:E5:0A:E4:12:EF:88:6A:D6:75
[root@devops01 ~]# puppet cert destroy "devops02.example.com"
Error: Could not find a serial number for devops02.example.com
[root@devops01 ~]# puppet cert clean "devops02.example.com"
Error: Could not find a serial number for devops02.example.com
[root@devops01 ~]# puppet ca destroy "devops02.example.com"
Notice: Removing file Puppet::SSL::CertificateRequest devops02.example.com at '/etc/puppetlabs/puppet/ssl/ca/requests/devops02.example.com.pem'
Deleted for devops02.example.com: Puppet::SSL::CertificateRequest
[root@devops01 ~]# puppet cert list
[root@devops01 ~]#
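The sessions above show the split the thread is about: `puppet cert clean` needs a serial number, so it only handles signed certificates, while a pending CSR under ca/requests has to go through `puppet ca destroy`. The wrapper below is an added example, not Foreman or smart-proxy code; it picks the subcommand from which file exists on the CA, and assumes the SSLDIR and PUPPET paths shown in the thread and that --ssldir is accepted as a global setting by both subcommands.

```shell
#!/bin/sh
# Defaults follow the Puppet 4 AIO layout seen in the proxy log; override
# SSLDIR=/var/lib/puppet/ssl for the Puppet 3 layout (assumed paths).
: "${SSLDIR:=/etc/puppetlabs/puppet/ssl}"
: "${PUPPET:=/opt/puppetlabs/bin/puppet}"

# Print the command that removes CERTNAME's material from this CA, or fail
# with a message when nothing is known for it (the 404 case in the proxy log).
ca_remove_cmd() {
  certname=$1
  if [ -f "$SSLDIR/ca/signed/$certname.pem" ]; then
    # Signed certificate: clean revokes it (CRL update) and removes the file.
    printf '%s cert --ssldir %s clean %s\n' "$PUPPET" "$SSLDIR" "$certname"
  elif [ -f "$SSLDIR/ca/requests/$certname.pem" ]; then
    # Pending CSR: no serial number yet, so cert clean fails; destroy the request.
    printf '%s ca --ssldir %s destroy %s\n' "$PUPPET" "$SSLDIR" "$certname"
  else
    printf 'no certificate or request for %s under %s\n' "$certname" "$SSLDIR" >&2
    return 1
  fi
}

# Run the chosen command, or only print it when DRY_RUN is non-empty.
ca_remove() {
  cmd=$(ca_remove_cmd "$1") || return 1
  if [ -n "$DRY_RUN" ]; then
    echo "$cmd"
  else
    sh -c "$cmd"
  fi
}
```

Run as `DRY_RUN=1 ca_remove devops02.example.com` first to confirm which subcommand would be used for that certname.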
Updated by Ewoud Kohl van Wijngaarden almost 6 years ago
- Status changed from New to Rejected
This can be closed given we're going to drop Puppet 3 and it works with newer versions.