The Puppet Labs Issue Tracker has Moved:

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using See the following page for information on filing tickets with JIRA:

Bug #1573

`puppetca --clean' does not remove the host CSR

Added by Jos Backus over 7 years ago. Updated over 5 years ago.

Status: Accepted
Start date: 09/12/2008
Priority: Normal
Due date:
Assignee: -
% Done:
Target version: -
Affected Puppet version: 0.25.0
Branch:


After a `puppetca --clean ' (silly, I know) on the puppetmaster the $libdir/puppet/ssl/csr_.pem file is left behind. The next puppetd invocation yields the following error:

    err: Could not request certificate: Certificate does not match private key.
    Try 'puppetca --clean ' on the server.

But that advice doesn’t fix the problem.

What does work is removing the $libdir/puppet/ssl/csr_.pem file, after which the next puppetd invocation properly yields a new certificate.

To handle this case, should `puppetca --clean' not also remove the CSR file if present?
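
One way to confirm that a leftover CSR is the stale one is to compare the public key it carries with the public key of the agent's current private key. This is an added example, not part of the ticket or of Puppet's code; it assumes the `openssl` CLI is installed and that the mismatch comes from a regenerated agent key, and the hostname and file names in `make_sample` are constructed.

```shell
#!/bin/sh
# Added example, not Puppet code. Fingerprints (SHA-256) the public key in a
# CSR and the one derived from a private key, so a leftover CSR on the master
# can be compared with the agent's key without moving the private key.

# Print the fingerprint of the public key embedded in PEM CSR file $1.
csr_pubkey_fp() {
    pub=$(openssl req -in "$1" -noout -pubkey 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Print the fingerprint of the public key derived from PEM private key $1.
key_pubkey_fp() {
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 2
    printf '%s\n' "$pub" | openssl pkey -pubin -outform DER 2>/dev/null \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# 0 = CSR was made from this key, 1 = stale CSR, 2 = unreadable input.
csr_matches_key() {
    csr_fp=$(csr_pubkey_fp "$1") || return 2
    key_fp=$(key_pubkey_fp "$2") || return 2
    [ "$csr_fp" = "$key_fp" ]
}

# Constructed sample: an "old" key with its CSR and a regenerated "new" key.
# Hostname and file names are made up. Prints the temp directory it created.
make_sample() {
    d=$(mktemp -d) || return 2
    openssl genrsa -out "$d/old_key.pem" 2048 2>/dev/null
    openssl genrsa -out "$d/new_key.pem" 2048 2>/dev/null
    openssl req -new -key "$d/old_key.pem" -subj "/CN=agent.example.test" \
        -out "$d/stale_csr.pem" 2>/dev/null
    echo "$d"
}

# Usage: sh check_csr.sh <csr.pem> <key.pem>
if [ "$#" -eq 2 ]; then
    rc=0; csr_matches_key "$1" "$2" || rc=$?
    case $rc in
        0) echo "CSR matches key" ;;
        1) echo "CSR is stale: its public key differs from the key" ;;
        *) echo "could not read CSR or key" ;;
    esac
    exit "$rc"
fi
```

Running `csr_pubkey_fp` on the master and `key_pubkey_fp` on the agent and comparing the two strings gives the same answer without the key leaving the agent.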


#1 Updated by James Turnbull over 7 years ago

  • Category set to SSL
  • Status changed from Unreviewed to Needs Decision
  • Assignee set to Luke Kanies

Luke – if you’re happy I can make this change.

#2 Updated by Luke Kanies over 7 years ago

  • Status changed from Needs Decision to Accepted
  • Assignee changed from Luke Kanies to James Turnbull

Yes, it should.

#3 Updated by James Turnbull over 7 years ago

  • Assignee changed from James Turnbull to Puppet Community
  • Affected Puppet version changed from 0.24.4 to 0.25.0

Moving this to 0.25. In the current SSL code this requires some re-work. In the new 0.25 branch it’s already refactored.

#4 Updated by James Turnbull almost 7 years ago

  • Assignee deleted (Puppet Community)

#5 Updated by Markus Roberts over 6 years ago

  • Target version set to 0.25.3

#6 Updated by Markus Roberts over 6 years ago

  • Target version changed from 0.25.3 to 0.25.4

#7 Updated by James Turnbull over 6 years ago

  • Target version changed from 0.25.4 to 0.25.5

#8 Updated by Nicolas Valcarcel about 6 years ago

I’m trying to work on this as my first contribution to puppet so I learn from the code and the community, since it seems simple enough. After diving into the code, I found that a line for removing the file from disk should be added in the self.destroy function at ssl/host.rb. The only issue I have in writing that line is how to get the path of the certificate. I found that maybe the inventory class can help, but I don’t find the inheriting path to use it from that function. Am I missing something?

#9 Updated by James Turnbull about 6 years ago

  • Target version changed from 0.25.5 to 49

#10 Updated by James Turnbull over 5 years ago

  • Target version deleted (49)
