When I run `puppet cert clean` on my Puppet primary server (called the master in older versions of Puppet Enterprise), it fails with a nested asn1 error. I can't clean existing certs or sign new certs. How can I resolve the issue?
Error: Cached certificate_revocation_list for ca failed: nested asn1 error Error: nested asn1 error
Version and installation information
PE version: All supported versions
This error is caused by a known OpenSSL issue: CRL (certificate revocation list) files larger than 1MB fail to load, so any operation that reads the CRL (cleaning or signing certificates) fails with the nested asn1 error.
To resolve the issue, regenerate the existing client CRL and CA (certificate authority) CRL from the infrastructure CRL, as described below.
On the Puppet primary server:

1. Stop the Puppet agent service:
   puppet resource service puppet ensure=stopped

2. Stop Puppet Server:
   puppet resource service pe-puppetserver ensure=stopped

3. Back up the CA CRL:
   mv /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem.$(date +%s).bak

4. Back up the agent CRL:
   mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem.$(date +%s).bak

5. Copy the infrastructure CRL to the CA CRL and agent CRL:
   cp /etc/puppetlabs/puppet/ssl/ca/infra_crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem ; cp /etc/puppetlabs/puppet/ssl/ca/infra_crl.pem /etc/puppetlabs/puppet/ssl/crl.pem

6. Set permissions on the regenerated CRLs:
   chown pe-puppet:pe-puppet /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem

7. Start Puppet Server:
   puppet resource service pe-puppetserver ensure=running

8. Run Puppet agent:
   puppet agent --test

9. Ensure that the Puppet agent service is restarted:
   puppet resource service puppet ensure=running
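As an added example (not Puppet's own tooling and not part of this article), the following POSIX shell script wraps the file-level steps above (backing up both CRLs with a timestamp suffix, replacing them with the infrastructure CRL, and setting ownership) in a function that takes the ssldir as a parameter, and adds the check an operator would want first: whether each CRL exceeds the 1MB threshold and, when openssl is installed, whether it still parses. The paths and the 1MB figure come from the article; the function names, the `id pe-puppet` guard and the openssl parse check are this example's own assumptions. Stopping and starting the services (steps 1, 2, 7 and 9) is left to the operator, since the script only touches files.

```shell
#!/bin/sh
# Added example, not Puppet's own code. Checks CRL size/parseability and
# performs the backup-and-replace steps from the article against SSLDIR.
# Assumed: SSLDIR has the PE layout (ca/ca_crl.pem, ca/infra_crl.pem, crl.pem).

CRL_LIMIT_BYTES=1048576   # 1MB: above this the affected OpenSSL fails to load a CRL

# Return 0 (true) when FILE is larger than the 1MB limit.
crl_too_large() {
    size=$(wc -c < "$1" | tr -d ' ')
    [ "$size" -gt "$CRL_LIMIT_BYTES" ]
}

# Return 0 when openssl can parse FILE as a CRL, 1 when it cannot,
# and 2 when openssl is not installed (check skipped).
crl_parses() {
    command -v openssl >/dev/null 2>&1 || return 2
    openssl crl -in "$1" -noout >/dev/null 2>&1
}

# Report each CRL under SSLDIR: size, limit check and (if possible) parse result.
# Returns 1 if any present CRL is over the limit or fails to parse.
check_crls() {
    ssldir=$1
    rc=0
    for f in "$ssldir/ca/ca_crl.pem" "$ssldir/crl.pem" "$ssldir/ca/infra_crl.pem"; do
        [ -f "$f" ] || { echo "absent: $f"; continue; }
        size=$(wc -c < "$f" | tr -d ' ')
        if crl_too_large "$f"; then
            echo "too large ($size bytes, limit $CRL_LIMIT_BYTES): $f"
            rc=1
        else
            echo "size ok ($size bytes): $f"
        fi
        crl_parses "$f"
        case $? in
            0) echo "parses with openssl: $f" ;;
            1) echo "does NOT parse with openssl: $f"; rc=1 ;;
            2) echo "openssl not installed, parse check skipped: $f" ;;
        esac
    done
    return $rc
}

# Steps 3 to 6 of the article: back up both CRLs with a timestamp suffix,
# replace them with the infrastructure CRL, and set ownership when the
# pe-puppet account exists (it will not in a test sandbox; assumed guard).
regenerate_crls() {
    ssldir=$1
    ts=$(date +%s)
    [ -f "$ssldir/ca/infra_crl.pem" ] || { echo "missing $ssldir/ca/infra_crl.pem" >&2; return 1; }
    [ -f "$ssldir/ca/ca_crl.pem" ] && mv "$ssldir/ca/ca_crl.pem" "$ssldir/ca/ca_crl.pem.$ts.bak"
    [ -f "$ssldir/crl.pem" ] && mv "$ssldir/crl.pem" "$ssldir/crl.pem.$ts.bak"
    cp "$ssldir/ca/infra_crl.pem" "$ssldir/ca/ca_crl.pem"
    cp "$ssldir/ca/infra_crl.pem" "$ssldir/crl.pem"
    if id pe-puppet >/dev/null 2>&1; then
        chown pe-puppet:pe-puppet "$ssldir/crl.pem" "$ssldir/ca/ca_crl.pem"
    fi
    echo "regenerated $ssldir/ca/ca_crl.pem and $ssldir/crl.pem (backups suffixed .$ts.bak)"
}

# Usage (after stopping puppet and pe-puppetserver):
#   check_crls /etc/puppetlabs/puppet/ssl || regenerate_crls /etc/puppetlabs/puppet/ssl
```

Run `check_crls` first: on a healthy server every CRL reports a size under the limit and, where openssl is present, a successful parse. Only when it reports a CRL over the limit (or one that openssl rejects) should `regenerate_crls` be invoked, and the old files remain as `.bak` copies so the original revocation list can be inspected or restored.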