how to prevent certificate revocation list (CRL) from expiring


Josh Bronson

Feb 4, 2015, 5:45:36 PM
to puppet...@googlegroups.com
I've noticed that if a Puppet agent happens to contact the master after the "next update" time listed in the CRL

openssl crl -in `puppet master --configprint hostcrl` -noout -nextupdate

that the master has most recently read on startup, then it will fail with the message:

Error: /File[/var/opt/lib/pe-puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL has expired for /O=*redacted*/CN=*redacted*]

I'm using FreeIPA as a certificate authority, and it uses that field to communicate to users when the next update will be ready. It seems to like to update it a few times a day. The trouble is, there is always going to be a moment *after* the update is ready but *before* a script has had a chance to update the CRL and restart the Puppetmaster. During this time, Puppet agent runs will fail. Is there any way to tell Puppet that slightly out-of-date CRLs are okay? Otherwise, I think the next step is to try disabling checks to the CRL, but I like the fact that Puppet checks it by default.

- Josh Bronson
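As an added example (not from this thread or from Puppet itself), a small POSIX shell check that reads the nextUpdate field the way the openssl command above does and fails when the CRL is within a safety margin of that time, so a cron job can refresh the CRL and restart the master before agents start failing. It assumes GNU date (for -d), openssl in PATH, and the CRL path from puppet master --configprint hostcrl.

```shell
#!/bin/sh
# Added example: warn before a Puppet master's CRL passes its nextUpdate.
# Assumes GNU date (-d) and openssl; the CRL path is whatever
# `puppet master --configprint hostcrl` prints on your master.

# crl_seconds_left LINE [NOW_EPOCH]
# LINE is the output of `openssl crl -noout -nextupdate`, e.g.
#   nextUpdate=Feb 10 12:00:00 2015 GMT
# Prints the number of seconds until nextUpdate (negative once it has passed).
# NOW_EPOCH is optional and exists so the function can be tested offline.
crl_seconds_left() {
    line=$1
    now=${2:-$(date -u +%s)}
    ts=${line#nextUpdate=}
    exp=$(date -u -d "$ts" +%s) || return 2
    echo $((exp - now))
}

# crl_check FILE [MARGIN_SECONDS]
# Returns 0 if the CRL stays valid for at least MARGIN_SECONDS more,
# 1 if it is about to expire (or already has), 2 if it cannot be read.
crl_check() {
    file=$1
    margin=${2:-3600}
    line=$(openssl crl -in "$file" -noout -nextupdate) || return 2
    left=$(crl_seconds_left "$line") || return 2
    if [ "$left" -lt "$margin" ]; then
        echo "CRL $file: nextUpdate in ${left}s (< ${margin}s margin), refresh it now" >&2
        return 1
    fi
    echo "CRL $file: valid for another ${left}s"
    return 0
}

# Typical cron use on the master (left commented so the file sources cleanly):
# crl_check "$(puppet master --configprint hostcrl)" 3600 \
#   || echo "fetch the new CRL from the CA and restart the master here"
```

Pick a margin larger than your CRL refresh interval plus the master restart time, so the window the first message describes never opens.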

Josh Bronson

Feb 6, 2015, 11:15:36 AM
to puppet...@googlegroups.com
I just filed https://tickets.puppetlabs.com/browse/ENTERPRISE-515 for this. The workaround is to disable CRL checking:

1. Add "certificate_revocation = false" to the [agent] section of the puppet.conf file as described at https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html, and
2. comment out the line containing SSLCARevocationFile in /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf.

Felix Frank

Feb 9, 2015, 7:33:06 PM
to puppet...@googlegroups.com
On 02/06/2015 05:15 PM, Josh Bronson wrote:
> I just filed https://tickets.puppetlabs.com/browse/ENTERPRISE-515 for this. The workaround is to disable CRL checking:
>
> 1. Add "certificate_revocation = false" to the [agent] section of the puppet.conf file as described at https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html, and
> 2. comment out the line containing SSLCARevocationFile in /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf.

Yes, and honestly, I really don't see what else Puppet could do in this situation to help you out.

> I'm using FreeIPA as a certificate authority, and it uses that field to communicate to users when the next update will be ready. It seems to like to update it a few times a day. The trouble is, there is always going to be a moment *after* the update is ready but *before* a script has had a chance to update the CRL and restart the Puppetmaster. During this time, Puppet agent runs will fail. Is there any way to tell Puppet that slightly out-of-date CRLs are okay? Otherwise, I think the next step is to try disabling checks to the CRL, but I like the fact that Puppet checks it by default.

This is actually an issue with the CA, from my point of view. It should really specify next update times that are sufficiently late after the actual update, so that SSL clients don't run a risk of hitting that time window. Perhaps there is a configuration setting to that effect?

Cheers,
Felix