puppet client can talk to puppetmaster despite master having revoked the certificate


chakkerz

Oct 11, 2012, 1:43:59 AM10/11/12
to puppe...@googlegroups.com
Hello there

I just noticed an oddity: I revoked a client's certificate to test our kickstart process, and instead of getting an error (because I had forgotten to nuke the client's /var/lib/puppet) I got a successful puppet run.

My server (tangerine) has no certificate for the client (cakewalk):
[root@tangerine puppet]# puppet cert --all | grep cakewalk
[root@tangerine puppet]# pwd
/var/lib/puppet
[root@tangerine puppet]# find ./ | grep cakewalk
./yaml/node/cakewalk.its.uq.edu.au.yaml
./yaml/facts/cakewalk.its.uq.edu.au.yaml
[root@tangerine puppet]# ls ssl/
ca  certificate_requests  certs  crl.pem  private  private_keys  public_keys
[root@tangerine puppet]# 

But if I invoke a puppet run, it will do it quite happily.
[root@cakewalk ~]# puppet agent -vt --server=tangerine.example.org
info: Retrieving plugin
info: Loading facts in /var/lib/puppet/lib/facter/homedirs.rb
...
info: Loading facts in /var/lib/puppet/lib/facter/cfservd_started.rb
info: Caching catalog for cakewalk.its.uq.edu.au
info: Applying configuration version '1349933627'
notice: /Stage[main]/Rhel6-timezone/Exec[verify the source timezone info is corrupt]/returns: executed successfully
...
notice: /Stage[main]/Rhel6-repos/Rhel6-repos::Nerf_repo[disable mirrors-rpmforge-extras]/Exec[nerf mirrors-rpmforge-extras]/returns: executed successfully
^Cnotice: Caught INT; calling stop
[root@cakewalk ~]#

I don't have an autosign.conf that would allow cakewalk in:

[root@tangerine puppet]# cat /etc/puppet/autosign.conf 
[root@tangerine puppet]# 

and tcpdump verified that there is network traffic between the hosts.
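The behaviour described in this post comes down to how certificate revocation actually works: removing the CA's copy of a certificate does nothing to the copy the client still holds, which continues to chain to the CA. The client is only locked out if the component terminating TLS on the master consults the CRL (and reloads it after each revocation). The following script is an added illustration, not code from the thread or from Puppet itself: it builds a throwaway CA with the openssl CLI, issues a client cert for a constructed host name, then mimics a revoke-and-delete and compares a plain chain check against a CRL-aware one. All file names, the config and the host name are constructed for the demo.

```shell
#!/bin/sh
# Added demonstration (not from the thread): deleting a client certificate
# from the CA's store does not invalidate it; only a CRL check rejects it.
set -eu

WORK=$(mktemp -d)
cd "$WORK"

# Minimal config for 'openssl ca' / 'openssl req' (constructed for this demo).
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo_ca
[ demo_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = loose
x509_extensions  = client_ext
[ loose ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = keyCertSign, cRLSign
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
EOF

# Stand-in for the master's CA plus one signed client certificate.
build_pki() {
  mkdir -p newcerts
  : > index.txt
  echo 01 > serial
  echo 01 > crlnumber
  openssl req -config ca.cnf -x509 -new -newkey rsa:2048 -nodes \
    -keyout ca.key -out ca.crt -subj "/CN=demo-puppet-ca" -days 1 2>/dev/null
  openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
    -keyout client.key -out client.csr -subj "/CN=cakewalk.example.org" 2>/dev/null
  openssl ca -config ca.cnf -batch -notext -in client.csr -out client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null   # empty CRL
}

# Mimic a 'puppet cert clean': mark the cert revoked, regenerate the CRL,
# and delete the CA's own copy of the signed certificate.
revoke_client() {
  openssl ca -config ca.cnf -revoke client.crt 2>/dev/null
  openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
  rm -f newcerts/*.pem
}

# Chain check only, as a TLS front end that never loads the CRL performs it.
verify_no_crl() {
  openssl verify -CAfile ca.crt client.crt >/dev/null 2>&1
}

# Chain check plus CRL: the CA cert and crl.pem are fed in one trust file.
verify_with_crl() {
  cat ca.crt crl.pem > ca_with_crl.pem
  openssl verify -crl_check -CAfile ca_with_crl.pem client.crt >/dev/null 2>&1
}

# Full scenario; returns 0 when the behaviour is as described above.
demo() {
  build_pki
  verify_no_crl || { echo "unexpected: fresh cert rejected"; return 1; }
  revoke_client
  if verify_no_crl; then
    echo "after revocation, plain chain check still ACCEPTS the client (store deletion is not enough)"
  else
    echo "unexpected: plain chain check rejected the client"; return 1
  fi
  if verify_with_crl; then
    echo "unexpected: CRL check accepted a revoked cert"; return 1
  else
    echo "after revocation, CRL-aware check REJECTS the client"
  fi
}

demo
```

The point for a master: whatever terminates TLS in front of it has to load crl.pem and pick up the new version after every revocation, otherwise a client that keeps its cached certificate under /var/lib/puppet keeps authenticating exactly as seen here.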


chakkerz

Oct 11, 2012, 5:02:09 PM10/11/12
to puppe...@googlegroups.com
Sorry, I forgot to mention that this was on puppet 2.7.19 on RHEL 6.3, sourced from puppetlabs's repo.