Puppet: sslv3 alert certificate revoked

Have you ever had one of those days where you see on your dashboard one of your long lost boxen is no longer successfully reporting into your beloved puppet master? I’ve had a problem child as of late and I’m not sure if it was a security patch for openssl or if it was when the box moved from one virtual environment into a vCloud environment. But whatever the reason, I was suddenly seeing red when I would manually run my puppet agent command on the box. Here is the error I was seeing:

Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked

OK…the revoked I get. At one point this machine started giving me a different name so I revoked the old certificate as it moved from the FQDN to the hostname and I could not get it to set back to the old way. I’m assuming this is a bug in how vCloud attempts to set certain VM properties when you update it.

So, time to regenerate a certificate.

The Fix

First…cleanup the master of the hostname in question.

puppet cert clean

On the client, remove any old remnants and generate a new cert:

cd /var/lib/puppet
rm -rf ssl
puppet agent -t --noop

At this point, you should have a new certificate on the client and depending if your master auto signs them or not, you should be good to go. In my case, I needed to do a quick signing on the master with:

puppet cert sign

And that’s it. You should be back up and running again. This is rather annoying that it happened and I’m still not sure why the fqdn and hostname started reporting differently to the master server. That is one that I’m digging into for another blog post.