Resolve a "header too long" error when using "puppet cert" or "puppet node" commands in Puppet Enterprise 3.2 to 2016.2 and 2017.1 to 2018.1

When running a puppet cert or puppet node command, you receive a header too long error. 

Error messages and logs

[root@testmaster]# puppet cert list --all
    Error: header too long

This error is caused by 0-byte .pem cert or security credential files in /etc/puppetlabs/puppet/ssl/.

Version and installation information

PE version: 3.2 to 2016.2 and 2017.1 to 2018.1
OS: *nix
Installation type: monolithic, split

Note: This article assumes your CA (certificate authority) is on your Puppet master. If it's on another node, you'll need to modify these instructions.

Solution

For each 0-byte .pem file, resolve the error by either regenerating the cert associated with the node (if the node is active) or removing the .pem file (if the node is inactive).

Note: Each .pem file's name is based on its certname. The file master.example.com.pem is associated with the node master.example.com.

1. Check for 0-byte .pem files by returning a list of files in the ssl directory. On the Puppet master, run find /etc/puppetlabs/puppet/ssl/ -ls.

2. Match each 0-byte .pem file with its node.

   If the node associated with the 0-byte .pem is an active node:

   Regenerate the cert for the node.

   Refer to the cert regeneration documentation for PE. Please navigate to the appropriate version for your version.

   • 2018.1
   • 2017.3
   • 2016.2
   • 2016.1
   • 2015.3
   • 2015.2
   • 3.8
   • 3.7
   • 3.3
   • 3.2

   If the node associated with the 0-byte .pem is not an active node:

   Delete the 0-byte .pem file.

3. When all 0-byte files have been resolved, verify that puppet cert works. On the master, run puppet cert list --all.

If this does not resolve your issue, please open a ticket.