
Bug #4007

'puppetca' needs feature to remove (/revoke) a pending certificate signing request

Added by Tore L. almost 4 years ago. Updated 11 months ago.

Status: Accepted
Start date: 06/16/2010
Priority: Normal
Due date:
Assignee: Charlie Sharpsteen
% Done:
Target version: -
Affected Puppet version: 0.25.5
Branch:
Keywords: signing customer


It is not possible to remove a pending certificate signing request with ‘puppetca --revoke $fqdn’:

[root@X puppet]# puppetca --list
[root@X puppet]# puppetca --revoke rhel32bit.x.local
notice: Revoked certificate with serial # Inventory of signed certificates

err: Could not call revoke: Cannot convert into OpenSSL::BN

You have to remove the certificate signing request manually. ‘puppetca’ should (IMO) do this.
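
A guarded way to do that manual removal, as an added example that is not part of the original ticket or Puppet's own code. The helper name `remove_pending_csr` is hypothetical, and the layout is an assumption: pending requests in `ca/requests/<certname>.pem` and signed certificates in `ca/signed/<certname>.pem` under the `/var/lib/puppet/ssl` directory that appears in this ticket.

```shell
#!/bin/sh
# Added example: remove one pending CSR from a Puppet CA directory tree.
# Assumed layout: $ssldir/ca/requests/<certname>.pem (pending) and
# $ssldir/ca/signed/<certname>.pem (signed). remove_pending_csr is a
# hypothetical helper, not a puppetca subcommand.
# Usage: remove_pending_csr <certname> [ssldir]

remove_pending_csr() {
    certname=$1
    ssldir=${2:-/var/lib/puppet/ssl}

    # Accept only lowercase host-name characters so the name cannot
    # escape the requests directory (no "/", no "..", no globs).
    case $certname in
        ''|.*|*..*|*[!a-z0-9._-]*)
            echo "refusing unsafe certname: '$certname'" >&2
            return 2 ;;
    esac

    csr=$ssldir/ca/requests/$certname.pem
    signed=$ssldir/ca/signed/$certname.pem

    # A signed certificate must go through revocation so it lands in the
    # CRL; deleting files on the CA would leave the agent's copy trusted.
    if [ -e "$signed" ]; then
        echo "$certname is already signed; revoke it instead" >&2
        return 3
    fi

    # Nothing pending (or a symlink planted in the requests directory):
    # report it instead of failing silently.
    if [ ! -f "$csr" ] || [ -L "$csr" ]; then
        echo "no pending request for $certname" >&2
        return 1
    fi

    rm -f -- "$csr" && echo "removed pending request for $certname"
}
```

Unlike a bare `rm`, this touches exactly one file and returns a distinct exit status for an unsafe name (2), an already signed host (3) and a missing request (1).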


#1 Updated by James Turnbull almost 4 years ago

  • Status changed from Unreviewed to Rejected

Try puppetca --clean hostname

#2 Updated by Tim Edwards about 3 years ago

  • Status changed from Rejected to Re-opened

This doesn’t work:

puppetca --clean dfo22
err: Could not call revoke: Cannot convert into OpenSSL::BN

The workaround I found for this is to do the following manually:

On the puppet server:

rm -f /var/lib/puppet/ssl/private_keys/ /var/lib/puppet/ssl/ca/signed/ /var/lib/puppet/ssl/certs/

On the puppet client:

rm -rf /var/lib/puppet/ssl/*

#3 Updated by James Turnbull about 3 years ago

  • Status changed from Re-opened to Needs More Information

Tim – what version and platform is this? Your update doesn’t provide sufficient information.

#4 Updated by Nick Rossow almost 3 years ago

  • Target version set to 2.6.x

Hi, I’m getting this same problem. I’m using Puppet master version 2.6.6 from the epel-testing repo, with puppet client version 2.6.6. Running:

puppetca --clean $HOSTNAME

gives this error:

err: Could not call revoke: Cannot convert into OpenSSL::BN

#5 Updated by hai wu almost 3 years ago

Just hit this one with puppet 2.6.8-1. Have to sign the certificate first before cleaning it up.

#6 Updated by Ben Hughes almost 3 years ago

  • Category set to SSL
  • Status changed from Needs More Information to Accepted
  • Priority changed from Low to Normal
  • Keywords set to signing

Tested here with 2.6.8 (from gems) too.

#7 Updated by Nigel Kersten almost 3 years ago

  • Tracker changed from Feature to Bug
  • Target version changed from 2.6.x to 2.7.x

This is a bug imho, you should be able to address pending CSRs.

#8 Updated by James Turnbull over 2 years ago

  • Assignee set to Daniel Pittman

#9 Updated by Andrew Parker over 1 year ago

  • Target version deleted (2.7.x)

#10 Updated by Charlie Sharpsteen about 1 year ago

  • Keywords changed from signing to signing customer

#12 Updated by Daniel Pittman 11 months ago

  • Assignee deleted (Daniel Pittman)

#13 Updated by Charlie Sharpsteen 11 months ago

  • Assignee set to Charlie Sharpsteen
