puppet cert list --all shows revoked certificates even though they're not?


Gonzalo Servat

Jan 9, 2012, 8:11:44 PM1/9/12
to puppet...@googlegroups.com
Hi All,

As per the subject, "puppet cert list --all" is showing a heap of revoked certificates, even though they're not actually revoked. I can go on any of the revoked clients' host and trigger a Puppet run, and it'll work fine.

The only reason why they appear revoked is because the systems were re-installed, so I've issued a puppetca --clean <host> and signed the new certificate, and it immediately appears as revoked (even though it's not).

Any ideas?

Thanks
Gonzalo

Jo Rhett

Jan 9, 2012, 8:18:48 PM1/9/12
to puppet...@googlegroups.com
The previous certificate was revoked, and the new one was signed. So what you are seeing is true…

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet...@googlegroups.com.
To unsubscribe from this group, send email to puppet-users...@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness

Gonzalo Servat

Jan 9, 2012, 8:26:26 PM1/9/12
to puppet...@googlegroups.com
Thanks for your reply.

I was expecting to see something like:

+ host    (good fingerprint here)
- host    (revoked fingerprint here) (certificate revoked)

... but instead I just see the second line. I guess I just find it a bit confusing.

- Gonzalo

Jo Rhett

Jan 9, 2012, 9:14:26 PM1/9/12
to puppet...@googlegroups.com
I agree. I would open a bug report :)

Gonzalo Servat

Jan 9, 2012, 9:54:54 PM1/9/12
to puppet...@googlegroups.com

Nan Liu

Jan 9, 2012, 11:17:46 PM1/9/12
to puppet...@googlegroups.com
I couldn't really reproduce it. I would check your CRL revocation and
match it with your certificate serial number in puppet cert -p
<certname>.

openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
Certificate Revocation List (CRL):
...
Revoked Certificates:
Serial Number: 0A
...
Serial Number: 0C
...

puppet cert -p demo.puppetlabs.lan
...
Serial Number: 13 (0xd)

If these numbers match, it's revoked. And if your puppet master is
still accepting agents with revoked certs, it might be a CRL
misconfiguration. It's easy to tell if you resigned a cert by looking
at inventory.txt (because the same CN will show up twice):

cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
...
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan

With all the info above, you should be able to tell 0xc is revoked,
the server currently has 0xd which is still valid, and puppet cert -la
should show + demo.puppetlabs.lan.

Thanks,

Nan

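The two checks Nan describes above (does the agent's serial appear among the CRL's revoked serials, and does the CN show up twice in inventory.txt) scripted as an added example; this is not code from the thread or from Puppet. The CRL text and inventory lines are constructed samples in the shape of the output quoted above, the file paths are the ones Nan quotes, and it is assumed that puppet cert -p prints the certificate in the openssl text form shown above ("Serial Number: 13 (0xd)"). The point of doing the comparison by hand is that the CRL is the ground truth: if a serial is in the CRL and the master still accepts that agent, the master is not enforcing the CRL, which is the misconfiguration Nan mentions.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet: compare a certificate
# serial with the serials in the CA's CRL, and list certnames that appear more
# than once in inventory.txt (the trace left by a cleaned and re-signed cert).
# SAMPLE_CRL_TEXT and SAMPLE_INVENTORY are constructed sample data shaped like
# the output in the thread. In real use, pipe the live output of
#   openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
#   cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
# into the functions instead.

SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=Puppet CA: puppet.example.lan
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Dec 13 21:50:00 2011 GMT
    Serial Number: 0C
        Revocation Date: Dec 13 21:58:50 2011 GMT'

SAMPLE_INVENTORY='0x000a 2011-12-01T10:00:00GMT 2016-11-30T10:00:00GMT /CN=web01.example.lan
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan'

# normalize_serial SERIAL: canonical form for comparison. Accepts "0C",
# "0x000c", "0xd" or colon-separated long serials; strips the 0x prefix,
# colons and leading zeros and upper-cases the hex digits ("0x000c" -> "C").
normalize_serial() {
  s=$(printf '%s' "$1" | sed -e 's/^0[xX]//' -e 's/://g' -e 's/^0*//' \
        | tr '[:lower:]' '[:upper:]')
  [ -n "$s" ] || s=0
  printf '%s' "$s"
}

# crl_revoked_serials: read `openssl crl -text` output on stdin and print one
# normalized revoked serial per line (only lines after "Revoked Certificates:").
crl_revoked_serials() {
  awk '/Revoked Certificates:/ { inrev = 1; next }
       inrev && /Serial Number:/ { print $3 }' \
  | while read -r raw; do normalize_serial "$raw"; echo; done
}

# is_revoked SERIAL: exit 0 if SERIAL is listed in the CRL text on stdin.
is_revoked() {
  want=$(normalize_serial "$1")
  crl_revoked_serials | grep -qx "$want"
}

# cert_serial_from_text: pull the hex serial out of `puppet cert -p <certname>`
# (or `openssl x509 -text`) output on stdin. Small serials print as
# "Serial Number: 13 (0xd)"; the parenthesised hex form is taken.
cert_serial_from_text() {
  sed -n 's/.*Serial Number: *[0-9]* *(0x\([0-9a-fA-F]*\)).*/\1/p' | head -n 1
}

# duplicate_certnames: read inventory.txt lines on stdin and print each CN that
# was issued more than one certificate, i.e. was cleaned and re-signed.
duplicate_certnames() {
  sed -n 's|.*/CN=||p' | sort | uniq -d
}

# check_serial SERIAL: print "revoked" or "valid" for SERIAL against the sample CRL.
check_serial() {
  if printf '%s\n' "$SAMPLE_CRL_TEXT" | is_revoked "$1"; then
    echo revoked
  else
    echo valid
  fi
}

# Demonstration on the constructed data: the old cert 0x000c is in the CRL,
# the re-signed cert 0xd is not, and demo.puppetlabs.lan appears twice.
for serial in 0x000c 0xd; do
  printf '%s: %s\n' "$serial" "$(check_serial "$serial")"
done
printf '%s\n' "$SAMPLE_INVENTORY" | duplicate_certnames
```

Against a live CA the same functions chain together as: openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text | is_revoked "$(puppet cert -p HOST | cert_serial_from_text)". An exit status of 0 means the host's current certificate really is in the CRL; if the status is non-zero but puppet cert -la still prints the host with a "-", the listing and the CRL disagree, which is the situation Gonzalo describes, and the CRL is the value to trust.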
Gonzalo Servat

Jan 10, 2012, 12:21:41 AM1/10/12
to puppet...@googlegroups.com
Thanks for your reply, Nan.

I had a look at the ca_crl.pem and the "puppet cert -p <host>" output, and the serial number for the host is not listed in the revoked certificates list in ca_crl.pem, yet puppet cert -la shows the certificate as revoked for the host?

- Gonzalo