When I run puppet cert clean on my Puppet primary server (called the master in older versions of Puppet Enterprise), it fails with a nested asn1 error. I can't clean existing certs or sign new certs. How can I resolve the issue?
Error messages
Error: Cached certificate_revocation_list for ca failed: nested asn1 error
Error: nested asn1 error
Version and installation information
PE version: All supported versions
OS: Any
Solution
This error is caused by a known issue in OpenSSL: CRL (certificate revocation list) files over 1MB in size fail to load, so any operation that reads the CRL (cleaning or signing certs) fails with the asn1 error.
To resolve the issue, regenerate your existing client and CA (certificate authority) CRL files from the infrastructure CRL. The original files are kept as timestamped backups.
On the Puppet primary server:
- Stop the Puppet agent service:
puppet resource service puppet ensure=stopped
- Stop Puppet Server:
puppet resource service pe-puppetserver ensure=stopped
- Back up the CA CRL:
mv /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem.$(date +%s).bak
- Back up the agent CRL:
mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem.$(date +%s).bak
- Copy the infrastructure CRL to the CA CRL and agent CRL:
cp /etc/puppetlabs/puppet/ssl/ca/infra_crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem ; cp /etc/puppetlabs/puppet/ssl/ca/infra_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem
- Set permissions on the regenerated CRLs:
chown pe-puppet:pe-puppet /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
- Start Puppet Server:
puppet resource service pe-puppetserver ensure=running
- Run Puppet agent:
puppet agent --test
- Ensure that the Puppet agent service is restarted:
puppet resource service puppet ensure=running
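The following script is an added example, not Puppet's own tooling, that turns the CRL steps of this article (backup, copy from infra_crl.pem, set ownership) into a repeatable, checked procedure. It adds a diagnostic the article does not have: it measures both CRL files against the 1MB limit mentioned above so you can confirm the oversized-CRL cause before touching anything. The paths and the pe-puppet owner come from the article; the SSLDIR and PE_OWNER variables, the CRL_LIMIT_BYTES constant and the function names are assumptions of this example so it can be exercised against a scratch directory. Stopping and starting the services (steps 1, 2, 7 to 9) is left to the operator.

```shell
#!/bin/sh
# Added example (not Puppet's own code): automate the CRL regeneration
# steps from this article. SSLDIR defaults to the PE path from the article;
# PE_OWNER defaults to the pe-puppet user and group from the article.
# Both can be overridden, e.g. to test on a non-PE host.
set -eu

SSLDIR="${SSLDIR:-/etc/puppetlabs/puppet/ssl}"
PE_OWNER="${PE_OWNER:-pe-puppet:pe-puppet}"
# Size above which the article says OpenSSL fails to load a CRL (1 MB).
CRL_LIMIT_BYTES=1048576

# Return 0 (true) if the CRL at $1 is over the limit, 1 otherwise.
crl_over_limit() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$CRL_LIMIT_BYTES" ]
}

# Diagnostic: report which of the two CRLs the article touches are over
# the limit. Exit status 0 if at least one is (regeneration warranted),
# 1 if neither is (look elsewhere for the cause of the asn1 error).
check_crls() {
    found=1
    for f in "$SSLDIR/ca/ca_crl.pem" "$SSLDIR/crl.pem"; do
        if [ -f "$f" ] && crl_over_limit "$f"; then
            echo "$f is over $CRL_LIMIT_BYTES bytes"
            found=0
        fi
    done
    return $found
}

# Steps 3 to 6 of the article: back up the CA CRL and the agent CRL with a
# timestamp suffix, copy infra_crl.pem over both, and set ownership.
# Refuses to run if the infrastructure CRL is missing, since the copies
# would otherwise leave the server with no CRL at all.
regenerate_crls() {
    infra="$SSLDIR/ca/infra_crl.pem"
    [ -f "$infra" ] || { echo "missing $infra, aborting" >&2; return 1; }
    stamp=$(date +%s)
    for f in "$SSLDIR/ca/ca_crl.pem" "$SSLDIR/crl.pem"; do
        # mv only if present so a missing file does not stop the run
        if [ -f "$f" ]; then
            mv "$f" "$f.$stamp.bak"
        fi
        cp "$infra" "$f"
    done
    chown "$PE_OWNER" "$SSLDIR/crl.pem" "$SSLDIR/ca/ca_crl.pem"
}

# Command-line dispatch: "check" to diagnose, "regenerate" to apply.
case "${1:-}" in
    check) check_crls ;;
    regenerate) regenerate_crls ;;
esac
```

Run `sh crl_regen.sh check` first; if it reports an oversized CRL, stop the services as in steps 1 and 2, run `sh crl_regen.sh regenerate`, then continue with steps 7 to 9. Because the backups keep the `$(date +%s)` suffix the article uses, you can still inspect or restore the old CRLs afterwards.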