New CA, why do clients with old certs still work?


Chip Schweiss

Apr 13, 2012, 2:40:53 PM4/13/12
to puppet-users
I'm in the process of scaling my puppet master to two servers with a separate CA. My plan was to establish a new CA and reissue certificates. Part way through the process I noticed a behavior that seems a bit alarming.

With one of my clients pointing to the new CA and new Puppetmaster but with the old certificate I ran a 'puppetd --test --server puppet01.mydomain' 

I was expecting it to fail validation and then regenerate the client certificate.  However it ran without error.  

Thinking maybe it's still hitting the original CA, I backed up and wiped the ssl dir on the puppetmaster and restarted the puppetmaster to generate a new CA. The client still works. There are no signed certificates for this client on either puppetmaster or CA now and it still runs.

Am I missing something about how the puppetmaster decides it's okay to talk to a client, or is all the security simply on the client side, and the puppetmaster trusts any puppet client?

Nigel Kersten

Apr 15, 2012, 7:51:06 PM4/15/12
to puppet...@googlegroups.com
On Fri, Apr 13, 2012 at 11:40 AM, Chip Schweiss <chip.s...@gmail.com> wrote:
> I'm in the process of scaling my puppet master to two servers with a separate CA. My plan was to establish a new CA and reissue certificates. Part way through the process I noticed a behavior that seems a bit alarming.
>
> With one of my clients pointing to the new CA and new Puppetmaster but with the old certificate I ran a 'puppetd --test --server puppet01.mydomain'
>
> I was expecting it to fail validation and then regenerate the client certificate. However it ran without error.
>
> Thinking maybe it's still hitting the original CA, I backed up and wiped the ssl dir on the puppetmaster and restarted the puppetmaster to generate a new CA. The client still works. There are no signed certificates for this client on either puppetmaster or CA now and it still runs.

Are you sure you're wiping the SSL dir that is actually in use? The master isn't being started with --no-ca and you have another CA with autosign on?

> Am I missing something about how the puppetmaster decides it's okay to talk to a client, or is all the security simply on the client side, and the puppetmaster trusts any puppet client?

The agent and master need certs signed by the same CA. Are you positive this wasn't the case? What puppet version?


jcbollinger

Apr 16, 2012, 9:53:27 AM4/16/12
to Puppet Users
I'm a bit confused about what you mean by the client "pointing to the new CA" and Puppet "hitting the original CA". The CA is only involved in signing certificates. It is not actively involved in verifying certificates (though verifiers do use the CA's certificate). Admittedly, that distinction can be somewhat muddy when the Puppetmaster serves as its own CA, but it more-or-less still holds.

If your client already has a valid certificate, regardless of which CA signed it, then that is the certificate it will present. If the master can verify that certificate then it will accept the client.

If you want the master to reject certificates signed by the old CA, then you must configure it so that it does not trust that CA. Even better, also revoke all the certificates signed by the old CA and install the corresponding CRL in the master.


John
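The following is an added example, not code from this thread or from Puppet itself, that makes John's point concrete using only Ruby's standard-library OpenSSL bindings. It constructs two self-signed CAs ("Old Puppet CA" and "New Puppet CA", both made-up names), issues one agent certificate for the made-up host agent01.example.com from the old CA, and then runs the check a master performs: verify the presented certificate against whatever CA certificates are in its trust store. The agent is accepted as long as the old CA certificate is still trusted, is rejected once only the new CA is trusted, and is rejected again, even with the old CA trusted, once the old CA's CRL revoking it is installed.

```ruby
require 'openssl'

# Constructed example: two CAs, one agent cert, and the master-side check.
# CA names, hostname and serial numbers are made up for illustration.
ONE_HOUR = 3600

# Build a self-signed CA certificate and its private key.
def make_ca(name, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                      # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.issuer = cert.subject            # self-signed
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ONE_HOUR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:TRUE", true))
  cert.add_extension(ef.create_extension("keyUsage", "keyCertSign, cRLSign", true))
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  [cert, key]
end

# Issue an agent (client) certificate signed by the given CA.
def issue_agent_cert(ca_cert, ca_key, hostname, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{hostname}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + ONE_HOUR
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate = ca_cert
  cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
  cert.add_extension(ef.create_extension("keyUsage", "digitalSignature, keyEncipherment", true))
  cert.add_extension(ef.create_extension("extendedKeyUsage", "clientAuth", false))
  cert.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Build a CRL from the CA that revokes a single serial number.
def make_crl(ca_cert, ca_key, revoked_serial)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + ONE_HOUR
  rev = OpenSSL::X509::Revoked.new
  rev.serial = revoked_serial
  rev.time = Time.now - 30
  crl.add_revoked(rev)
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  crl
end

# The master-side decision: is the presented certificate chained to a CA
# in the trust store (and, if CRLs are installed, not revoked)?
# Returns [accepted, error_string_or_nil].
def master_accepts?(trusted_ca_certs, agent_cert, crls: [])
  store = OpenSSL::X509::Store.new
  trusted_ca_certs.each { |c| store.add_cert(c) }
  unless crls.empty?
    crls.each { |crl| store.add_crl(crl) }
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK   # check the leaf against its issuer's CRL
  end
  ctx = OpenSSL::X509::StoreContext.new(store, agent_cert)
  ok = ctx.verify
  [ok, ok ? nil : ctx.error_string]
end

# Run the four scenarios from the thread and return the outcomes.
def demo
  old_ca, old_key = make_ca("Old Puppet CA", 1)
  new_ca, _new_key = make_ca("New Puppet CA", 2)
  agent = issue_agent_cert(old_ca, old_key, "agent01.example.com", 1001)
  crl = make_crl(old_ca, old_key, agent.serial)
  {
    old_ca_trusted:        master_accepts?([old_ca], agent),
    new_ca_only:           master_accepts?([new_ca], agent),
    both_trusted:          master_accepts?([old_ca, new_ca], agent),
    both_trusted_with_crl: master_accepts?([old_ca, new_ca], agent, crls: [crl]),
  }
end

demo.each { |name, (ok, err)| puts "#{name}: #{ok ? 'accepted' : "rejected (#{err})"}" }
```

The `both_trusted` case is the one that matches the behaviour reported above: if the old CA certificate is still anywhere in the master's trust store, an agent certificate it signed verifies fine, and nothing on the master needs to have a copy of that agent's certificate for that to happen. Removing the old CA from the store, or installing its CRL, is what actually turns the agent away.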