Jira (PUP-2310) Puppet client does not update and does consult the crl during authentication


Josh Cooper (JIRA)

Mar 16, 2015, 7:06:27 PM
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-2310
Re: Puppet client does not update and does consult the crl during authentication

Providing some context about why PR #3247 was closed. Puppet hardcodes the CRL next_update time to be 5 years in the future, see https://github.com/puppetlabs/puppet/blob/3.7.4/lib/puppet/ssl/certificate_revocation_list.rb#L88. With this PR, the puppet agent would not consider its cache to be stale for 5 years, leaving us in effectively the same position we are in today.

If you patched puppet to use a shorter next_update time, or made it configurable, and the agent's CRL expired, then in the common case where no agent certs had been revoked, the agent would download the same CRL it had, discover the CRL is still expired, and hopefully not get into an infinite loop.

So somehow the CRL on the master needs to be updated periodically (to bump the next_update time). AFAIK, the only way to do that from the puppet CLI is to revoke a cert. So you could generate a temp cert, and then revoke it, but that's a bit lame. Ideally, the certificate_revocation application would have an update command that just bumps the next_update time and resigns the CRL.

Also, the CA cert's not_after time is determined by puppet's ca_ttl setting which also defaults to 5 years, see https://github.com/puppetlabs/puppet/blob/3.7.4/lib/puppet/defaults.rb#L962-L967. So we'd need to make sure the CA doesn't expire before the CRL.

Long term we are looking at adding a cert-related CLI to puppetserver and adding OCSP support. /cc Christopher Price, Jeremy Barlow

This message was sent by Atlassian JIRA (v6.3.10#6340-sha1:7ea293a)
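The lifetimes discussed in the comment above, as an added Ruby example using only the openssl standard library. This is not Puppet's code: the throwaway CA, the function names (make_ca, sign_crl, crl_stale?, bump_crl, crl_outlives_ca?, crl_signature_ok?) and the five-year constant standing in for the hardcoded next_update and the ca_ttl default are assumptions of this example. It shows a CRL whose next_update is five years out, the agent-side staleness check, the "bump" (re-sign with a fresh next_update, no new revocations) that the comment says the CLI lacks, and the check that the bumped CRL does not outlive the CA certificate.

```ruby
# Added example, not Puppet's code: model the CRL lifetimes discussed above.
# A throwaway CA (constructed here) signs a CRL whose next_update lies `ttl`
# seconds ahead; an agent treats the CRL as stale once that time passes;
# "bumping" re-signs the same revocation list with a fresh next_update.
require 'openssl'

FIVE_YEARS = 5 * 365 * 24 * 60 * 60 # stand-in for the hardcoded CRL lifetime and the ca_ttl default

# Self-signed CA for the example (hypothetical; a real Puppet CA is not reproduced).
def make_ca(not_before: Time.now, ttl: FIVE_YEARS)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse('/CN=Puppet CA: example')
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_before + ttl # ca_ttl analogue
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Sign a CRL listing `revoked` serial numbers, valid from `now` until `now + ttl`.
def sign_crl(ca_key, ca_cert, revoked: [], now: Time.now, ttl: FIVE_YEARS)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1 # X.509 v2 CRL
  crl.issuer      = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + ttl
  revoked.each do |serial|
    r = OpenSSL::X509::Revoked.new
    r.serial = serial
    r.time   = now
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Agent-side check: a cached CRL is stale once next_update has been reached.
def crl_stale?(crl, now: Time.now)
  now >= crl.next_update
end

# The missing "update" command from the comment: re-sign the existing
# revocation list with a new validity window. No serials are added or removed.
def bump_crl(crl, ca_key, ca_cert, now: Time.now, ttl: FIVE_YEARS)
  serials = crl.revoked.map { |r| r.serial.to_i }
  sign_crl(ca_key, ca_cert, revoked: serials, now: now, ttl: ttl)
end

# The caveat at the end of the comment: the CA certificate must not expire
# before the CRL it signs, or the CRL's signer becomes invalid before the CRL does.
def crl_outlives_ca?(crl, ca_cert)
  crl.next_update > ca_cert.not_after
end

def crl_signature_ok?(crl, ca_cert)
  crl.verify(ca_cert.public_key)
end

if __FILE__ == $PROGRAM_NAME
  t0 = Time.utc(2011, 9, 1) # a deployment set up five years before the 2016 report
  ca_key, ca_cert = make_ca(not_before: t0)
  crl = sign_crl(ca_key, ca_cert, now: t0)
  puts "CRL next_update: #{crl.next_update.utc}  CA not_after: #{ca_cert.not_after.utc}"
  puts "stale five years later? #{crl_stale?(crl, now: t0 + FIVE_YEARS)}"
  bumped = bump_crl(crl, ca_key, ca_cert, now: t0 + FIVE_YEARS, ttl: 30 * 86400)
  puts "bumped CRL outlives CA? #{crl_outlives_ca?(bumped, ca_cert)}"
end
```

The same two dates can be read off a real deployment with the openssl CLI: `openssl crl -in <ssldir>/crl.pem -noout -nextupdate` for the agent's cached CRL and `openssl x509 -in <ssldir>/certs/ca.pem -noout -enddate` for the CA certificate; if the first date is in the past, or later than the second, the deployment is in the situation this thread describes.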

John De Stefano (JIRA)

Sep 22, 2016, 5:12:33 PM
to puppe...@googlegroups.com

We started using Puppet in production five years ago this month. Guess what happened? Our client CRLs have expired, so they have stopped checking in.

It would be great if someone could have a look at this. It was last commented on 1.5 years ago, and it's kind of important – not just for us, but for anyone whose Puppet infrastructure is approaching five years of age.

Thanks!


Ruth Linehan (JIRA)

May 16, 2017, 2:01:05 PM
to puppe...@googlegroups.com

Moses Mendoza (JIRA)

May 18, 2017, 1:46:15 PM
to puppe...@googlegroups.com

Owen Rodabaugh (JIRA)

Nov 8, 2017, 7:12:05 PM
to puppe...@googlegroups.com
Owen Rodabaugh updated an issue
Change By: Owen Rodabaugh
CS Priority: Needs Priority

Christopher Wood (JIRA)

Feb 6, 2018, 2:20:03 PM
to puppe...@googlegroups.com

Maggie Dreyer (JIRA)

Oct 2, 2018, 11:56:05 AM
to puppe...@googlegroups.com
Maggie Dreyer commented on Bug PUP-2310

We attempted to make this change and had to revert it due to issues with PE's HA capability, see PUP-9152 (specifically this comment). We hope to be able to re-implement the changes in that ticket as part of making improvements to the HA story for the CA.


Josh Cooper (JIRA)

Apr 10, 2019, 1:48:04 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Apr 10, 2019, 1:49:06 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

Apr 10, 2019, 2:04:40 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.5.0
Fix Version/s: PUP 6.4.z

Josh Cooper (JIRA)

Apr 30, 2019, 6:46:05 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Fix Version/s: PUP 6.4.z
Fix Version/s: PUP 6.5.0

Josh Cooper (JIRA)

Apr 30, 2019, 6:46:06 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Sprint: Coremunity Grooming Platform Core KANBAN

Josh Cooper (JIRA)

Apr 30, 2019, 6:46:06 PM
to puppe...@googlegroups.com

Kris Bosland (JIRA)

May 10, 2019, 4:18:04 PM
to puppe...@googlegroups.com

Josh Cooper (JIRA)

May 13, 2019, 2:27:04 PM
to puppe...@googlegroups.com
Josh Cooper updated an issue
Change By: Josh Cooper
Release Notes Summary: By default, puppet agents download their CRL from the CA once, but never refresh it. In 6.5.0 it is now possible to specify the `crl_refresh_interval` puppet setting. If specified as a duration, such as 8h, 7d, etc., then the agent will refresh its CRL whenever it next runs and the elapsed time since the CRL was last refreshed exceeds the duration.

In general, the duration should be greater than the `runinterval`. Setting it to an equal or lesser value will cause the CRL to be refreshed on every agent run.

If the agent downloads a new CRL, then it will use the new CRL for all subsequent network requests. If the refresh request fails or if the CRL is unchanged on the CA, then the agent run will continue using the local CRL it already has.
Release Notes: Enhancement
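The refresh policy the release notes describe, as an added Ruby example. This is a model written for this page, not the agent's actual implementation: the duration suffixes (s, m, h, d, y), the function names (parse_duration, refresh_due?, interval_warning, run_crl_refresh), the state hash and the choice to record the check time on an unchanged CRL but not on a failed fetch are assumptions of the example. It exercises the three outcomes the notes name: a new CRL replaces the local one, an unchanged CRL is kept, and a failed fetch leaves the local CRL in use; it also flags an interval at or below the run interval.

```ruby
# Added example, not Puppet's agent code: a model of the crl_refresh_interval
# policy from the release notes, with its stated failure modes.

# Duration suffixes assumed for this example (Puppet-style "8h", "7d", ...).
UNIT_SECONDS = { 's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400, 'y' => 365 * 86_400 }.freeze

# "8h" -> 28800, "7d" -> 604800; anything else is rejected rather than guessed.
def parse_duration(str)
  m = /\A(\d+)([smhdy])\z/.match(str.to_s.strip)
  raise ArgumentError, "bad duration: #{str.inspect}" unless m
  m[1].to_i * UNIT_SECONDS[m[2]]
end

# A refresh is due only when the elapsed time since the last refresh exceeds
# the interval. A CRL that has never been refreshed (nil) is always due.
def refresh_due?(last_refresh, interval, now: Time.now)
  return true if last_refresh.nil?
  (now - last_refresh) > interval
end

# The caveat from the notes: an interval at or below runinterval means the
# CRL is refreshed on every agent run. Returns a warning string or nil.
def interval_warning(crl_refresh_interval, runinterval)
  return nil if crl_refresh_interval > runinterval
  "crl_refresh_interval (#{crl_refresh_interval}s) <= runinterval (#{runinterval}s): " \
    'the CRL will be refreshed on every agent run'
end

# One agent run. `state` is { crl:, last_refresh: }; `fetch` is a callable that
# returns the CA's current CRL bytes or raises when the CA cannot be reached.
# Returns [new_state, outcome] with outcome one of
# :not_due, :updated, :unchanged, :fetch_failed.
def run_crl_refresh(state, interval, fetch, now: Time.now)
  return [state, :not_due] unless refresh_due?(state[:last_refresh], interval, now: now)

  remote = fetch.call
  if remote == state[:crl]
    # Unchanged on the CA: keep the local CRL. Recording the check time so the
    # next check waits a full interval is an assumption of this example.
    [state.merge(last_refresh: now), :unchanged]
  else
    # New CRL: use it for all subsequent requests.
    [{ crl: remote, last_refresh: now }, :updated]
  end
rescue StandardError
  # Fetch failed: continue with the local CRL and try again on a later run
  # (assumption: the failed attempt does not count as a refresh).
  [state, :fetch_failed]
end

if __FILE__ == $PROGRAM_NAME
  interval = parse_duration('1d')
  puts interval_warning(parse_duration('30m'), parse_duration('30m'))
  state = { crl: nil, last_refresh: nil }
  t = Time.utc(2019, 5, 13, 12, 0, 0)
  state, outcome = run_crl_refresh(state, interval, -> { 'CRL-v1' }, now: t)
  puts "first run: #{outcome}"
  state, outcome = run_crl_refresh(state, interval, -> { raise IOError, 'CA unreachable' }, now: t + interval + 1)
  puts "CA down: #{outcome}, still using #{state[:crl]}"
end
```

In puppet.conf this corresponds to something like `crl_refresh_interval = 1d` under `[agent]` next to a `runinterval = 30m`; the warning above fires for the case the notes call out, where the two are equal or the refresh interval is the smaller one.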

Heston Hoffman (JIRA)

Jun 12, 2019, 5:35:04 PM
to puppe...@googlegroups.com

Heston Hoffman (JIRA)

Jun 12, 2019, 6:13:02 PM
to puppe...@googlegroups.com
Heston Hoffman updated an issue
Change By: Heston Hoffman
Labels: redmine resolved-issue-added resolved_issue_added