Why does my Puppet Master randomly revoke my Agent's certificate?


Jason Oakley

Sep 1, 2014, 6:57:58 PM
to puppet...@googlegroups.com
My servers were working fine, when I got this error:
Inventory
Could not retrieve facts from inventory service: SSL_connect returned=1 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate revoked

Now, everything was working fine. Due to this error, I re-created the certificate and all was well. Then, I logged onto the Master a day or two later and the certificate is yet again revoked.
How do I stop this?

TIA

jcbollinger

Sep 2, 2014, 10:55:20 AM
to puppet...@googlegroups.com


Puppet does not perform automatic certificate revocations. I have personally crawled the code to check. IIRC, the last time we had a question like this one, the user eventually discovered a separate automated process in his environment that was revoking certain certificates. If you have any kind of automated process around issuing certs, then that's the first place I would look.

You could also consider making your ssl/ directory and everything in it read-only (immutable, if necessary), to try to identify the rogue behavior by forcing it to error out.


John

Jason Oakley

Sep 2, 2014, 9:51:22 PM
to puppet...@googlegroups.com
Thanks. I'll look at that, but the only thing running on my Master server is Puppet Master. My Agent server only has Minecraft, PHP, MySQL, WordPress... nothing using certificates at all.

Eric Sorenson

Sep 3, 2014, 2:25:30 PM
to puppet...@googlegroups.com
Note too that the certificate revocation list only contains serial numbers. So it could be that you are getting duplicate serial numbers issued, and the number matches one that was cleaned/revoked at some point in the past, so the CRL contains its number. More in my SSL troubleshooting guide on ask:
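
Added example, not part of the thread or of Puppet's own code: a check for the duplicate-serial case described in the last reply, which compares the serials a CA has issued against the serials listed in its CRL. The inventory layout (hex serial, validity dates, subject), the host names and both sample texts are constructed assumptions; the CRL excerpt follows the layout printed by `openssl crl -noout -text`.

```python
import re
from collections import defaultdict

# Constructed sample of a CA inventory (assumed layout: hex serial,
# not-before, not-after, subject). Serial 0x0005 was issued twice.
INVENTORY = """\
0x0004 2014-08-20T01:00:00GMT 2019-08-19T01:00:00GMT /CN=master.example.com
0x0005 2014-08-21T02:00:00GMT 2019-08-20T02:00:00GMT /CN=oldnode.example.com
0x0005 2014-09-01T09:00:00GMT 2019-08-31T09:00:00GMT /CN=agent.example.com
"""

# Constructed excerpt in the layout printed by `openssl crl -noout -text`.
CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Aug 25 03:00:00 2014 GMT
"""

def parse_inventory(text):
    """Map serial (int) -> list of subjects that serial was issued to."""
    issued = defaultdict(list)
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0].lower().startswith("0x"):
            issued[int(parts[0], 16)].append(parts[3])
    return issued

def parse_crl_serials(text):
    """Return the set of revoked serials (int); the CRL carries no names."""
    return {int(m, 16) for m in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", text)}

def audit(inventory_text, crl_text):
    """Return (revoked, reused): subjects whose serial is in the CRL, and
    serials that were issued to more than one subject."""
    issued = parse_inventory(inventory_text)
    revoked_serials = parse_crl_serials(crl_text)
    revoked = {s: names for s, names in issued.items() if s in revoked_serials}
    reused = {s: names for s, names in issued.items() if len(set(names)) > 1}
    return revoked, reused

if __name__ == "__main__":
    revoked, reused = audit(INVENTORY, CRL_TEXT)
    for serial, names in sorted(revoked.items()):
        flag = "REUSED SERIAL" if serial in reused else "revoked"
        print(f"0x{serial:04x} {flag}: {', '.join(names)}")
```

A serial that is both revoked and reused means a freshly signed certificate inherits the old revocation, which matches a certificate that appears revoked again shortly after being re-created.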
