CRL is not honored by the puppetmaster.

Dan Mahoney

Jun 15, 2016, 11:39:04 PM
to puppet...@googlegroups.com
Hey all,

This terrifies me.

As part of my certificate roll, I did, on my master:

root@pm:~ # puppet cert clean somehost.foo.org
Notice: Revoked certificate with serial 43
Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
'/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
'/var/puppet/ssl/certs/somehost.foo.org.pem'

If I run it again, it re-revokes the cert, but of course there's nothing
to delete. Doing puppet ca revoke somehost.foo.org also redoes the
revocation.

However the agent happily continues to download catalogs. (Or more
accurately, the master continues to hand them out).

I've verified that the cert is listed as revoked in *both* the host CRL as
well as the CA CRL, using the following:

openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem

(where it's listed as 2B, because it's in hex, but the revoke date is
right).

It's also in the host CA on the puppetmaster -- so in the two places there's
a CA, it's listed with the right date. There's only one place each of
these files can be pointed to in puppet.conf, so it's not possible that
I've set it to be written, but not actually used, is it?

-Dan

--

--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------

R.I.Pienaar

Jun 16, 2016, 1:38:57 AM
to puppet...@googlegroups.com
The CRL tends to only be read at startup by the web server. So restart and it should work - if non-puppetserver, you should have configured it correctly though.

---
R.I.Pienaar

Kurt Wall

Jun 16, 2016, 1:07:46 PM
to puppet...@googlegroups.com

On Wed, Jun 15, 2016 at 8:38 PM, Dan Mahoney <goo...@gushi.org> wrote:
> root@pm:~ # puppet cert clean somehost.foo.org
> Notice: Revoked certificate with serial 43
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at '/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at '/var/puppet/ssl/certs/somehost.foo.org.pem'
>
> If I run it again, it re-revokes the cert, but of course there's nothing to delete. Doing puppet ca revoke somehost.foo.org also redoes the revocation.
>
> However the agent happily continues to download catalogs. (Or more accurately, the master continues to hand them out).
>
> I've verified that the cert is listed as revoked in *both* the host CRL as well as the CA CRL, using the following:
>
> openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
>
> (where it's listed as 2B, because it's in hex, but the revoke date is right).
>
> It's also in the host CA on the puppetmaster -- so in the two places there's a CA, it's listed with the right date. There's only one place each of these files can be pointed to in puppet.conf, so it's not possible that I've set it to be written, but not actually used, is it?

The CRL needs to be reloaded to take effect. As of Puppet Server 2.3, you can SIGHUP it to force the reload without having to incur the overhead of a full server restart (https://docs.puppet.com/puppetserver/latest/restarting.html).
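Two checks fall out of this exchange: that the serial Puppet reported (decimal 43) really is in the CRL on disk, where openssl shows it in hex as 2B, and whether that CRL is newer than the copy the master read at startup, which is the case where only a SIGHUP or restart makes the revocation take effect. The Python below is an added example, not code from this thread or from Puppet; the CRL text is a constructed sample in the format `openssl crl -text -noout` prints, and the server start timestamp passed to `server_needs_reload` is an assumed input.

```python
import re
from datetime import datetime, timezone

# Constructed sample of what `openssl crl -inform PEM -text -noout -in ca_crl.pem`
# prints for a Puppet CA CRL. Serial 43 is the one `puppet cert clean` reported;
# openssl renders it as hex 2B. Issuer name and dates are made up for the example.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=Puppet CA: pm.foo.org
        Last Update: Jun 15 23:30:00 2016 GMT
        Next Update: Jun 15 23:30:00 2021 GMT
        CRL extensions:
            X509v3 CRL Number:
                5
Revoked Certificates:
    Serial Number: 2B
        Revocation Date: Jun 15 23:30:00 2016 GMT
    Serial Number: 1A
        Revocation Date: Mar 02 10:12:45 2016 GMT
"""

_SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$")
_REVDATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")
_UPDATE_RE = re.compile(r"^\s*Last Update:\s*(.+?)\s*$")


def _parse_openssl_time(text):
    """openssl prints times as 'Jun 15 23:30:00 2016 GMT'; return an aware UTC datetime."""
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def revoked_serials(crl_text):
    """Return {serial_as_int: revocation_datetime} for every entry in the CRL text.

    Serials are converted from openssl's hex rendering to the decimal value
    Puppet prints, so the two can be compared directly.
    """
    revoked = {}
    pending = None
    for line in crl_text.splitlines():
        m = _SERIAL_RE.match(line)
        if m:
            pending = int(m.group(1).replace(":", ""), 16)
            continue
        m = _REVDATE_RE.match(line)
        if m and pending is not None:
            revoked[pending] = _parse_openssl_time(m.group(1))
            pending = None
    return revoked


def is_revoked(crl_text, serial):
    """True if the decimal serial (as in 'Revoked certificate with serial 43') is listed."""
    return serial in revoked_serials(crl_text)


def crl_last_update(crl_text):
    """The CRL's Last Update time, or None if the header is missing."""
    for line in crl_text.splitlines():
        m = _UPDATE_RE.match(line)
        if m:
            return _parse_openssl_time(m.group(1))
    return None


def server_needs_reload(crl_text, server_loaded_at_epoch):
    """True when the CRL on disk was issued after the server last read it.

    server_loaded_at_epoch is a POSIX timestamp for when the master started (or
    last handled SIGHUP); how you obtain it is an assumption of this example.
    Until the server reloads, a revocation in this CRL is not enforced.
    """
    last = crl_last_update(crl_text)
    return last is not None and last.timestamp() > server_loaded_at_epoch


if __name__ == "__main__":
    serial = 43  # the decimal serial Puppet reported
    print("serial %d (hex %X) revoked in CRL: %s"
          % (serial, serial, is_revoked(SAMPLE_CRL_TEXT, serial)))
    # assumed server start time: 2016-06-01 00:00 UTC, before the CRL's Last Update
    print("server needs reload:", server_needs_reload(SAMPLE_CRL_TEXT, 1464739200))
```

On a real master you would feed `revoked_serials` the output of the `openssl crl` command quoted above, and a "needs reload" result is the cue for the SIGHUP (or restart) Kurt describes; the decimal-to-hex conversion is the part that is easy to get wrong by eye when checking a CRL by hand.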

Dan Mahoney

Jun 17, 2016, 12:14:54 AM
to puppet...@googlegroups.com
On Thu, 16 Jun 2016, Kurt Wall wrote:

> The CRL needs to be reloaded to take effect. As of Puppet Server 2.3, you can SIGHUP it to force the reload without having to incur the overhead of a full server
> restart (https://docs.puppet.com/puppetserver/latest/restarting.html).
>
Thanks Kurt, this helped!

I'd think doing a revoke would cause a forced reload of the CRL -- at
least if I'm using the built-in webrick puppetmaster (maybe it would
stat() the file and check the date to see if there's a reload?). I guess
I'd be wrong. As it's largely deprecated, suggesting improvements to it
seems sort of moot.

(It would also be nice if the CA had some kind of hook it could run when
you do a revoke -- like an apachectl graceful).

Reading up, it looks like if I'm using apache (which I just switched over
to), I can configure an OCSP responder on the same box, and have apache
check that on the fly, which would save apache from having to read a
static file. In that way, revoked really is revoked, immediately.

As mentioned in a previous thread, it would be good if puppet fired up its
own OCSP responder, and embedded the OCSP url into the certificates it
issues.