Confused by SSL revocation error


Jonathan Gazeley

Nov 24, 2014, 6:55:05 AM
to puppet...@googlegroups.com
Hi all,

I'm confused by a new error on my Puppetmaster.

It is connected to PuppetDB running on a separate server over SSL on
8081. All Puppet functions work normally, including submitting and
retrieving catalogs, facts and exported resources.

However, I'm getting errors when attempting to issue "puppet node
deactivate".

[jg4461@puppet-prod PUPPETROOT]$ sudo puppet node deactivate
authconfigtest.resnet.bris.ac.uk
Error: Failed to submit 'deactivate node' command for
authconfigtest.resnet.bris.ac.uk to PuppetDB at
puppetdb.resnet.bris.ac.uk:8081: SSL_connect returned=1 errno=0
state=SSLv3 read server certificate B: certificate verify failed:
[certificate revoked for /CN=puppetdb.resnet.bris.ac.uk]
Error: Try 'puppet help node deactivate' for usage

I'm reluctant to randomly delete certs at both ends, in case I break the
rest of the functionality that is working. Can anyone explain what's
happened here?

Thanks,
Jonathan

Jonathan Gazeley

Nov 24, 2014, 7:05:23 AM
to puppet...@googlegroups.com
On 24/11/14 11:54, Jonathan Gazeley wrote:
> Hi all,
>
> I'm confused by a new error on my Puppetmaster.
>
> It is connected to PuppetDB running on a separate server over SSL on
> 8081. All Puppet functions work normally, including submitting and
> retrieving catalogs, facts and exported resources.
>
> However I'm getting errors when attempting to issue "puppet node
> deactivate".
>
> [jg4461@puppet-prod PUPPETROOT]$ sudo puppet node deactivate
> authconfigtest.resnet.bris.ac.uk
> Error: Failed to submit 'deactivate node' command for
> authconfigtest.resnet.bris.ac.uk to PuppetDB at
> puppetdb.resnet.bris.ac.uk:8081: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed:
> [certificate revoked for /CN=puppetdb.resnet.bris.ac.uk]
> Error: Try 'puppet help node deactivate' for usage
>

OK, I think this is because my default PuppetDB installation has disabled
SSLv3 for POODLE, but for some reason the Puppetmaster is still trying
to use SSLv3. Is there a way I can disable this in puppetdb.conf?

Jonathan Gazeley

Nov 24, 2014, 9:50:42 AM
to puppet-users@googlegroups.com
On 24/11/14 11:54, Jonathan Gazeley wrote:
>
> [jg4461@puppet-prod PUPPETROOT]$ sudo puppet node deactivate
> authconfigtest.resnet.bris.ac.uk
> Error: Failed to submit 'deactivate node' command for
> authconfigtest.resnet.bris.ac.uk to PuppetDB at
> puppetdb.resnet.bris.ac.uk:8081: SSL_connect returned=1 errno=0
> state=SSLv3 read server certificate B: certificate verify failed:
> [certificate revoked for /CN=puppetdb.resnet.bris.ac.uk]
> Error: Try 'puppet help node deactivate' for usage
>

I'm still stuck on this. I found a Jira issue [1] which might be the
cause. I deleted the puppetdb certs on the puppetdb server and on the
puppetmaster, allowed puppet agent to recreate them on puppetdb,
re-signed with puppetmaster and then copied the certs to the puppetdb
installation. I restarted the puppetdb and puppetmaster services. No
change in the behaviour.

The information in [1] sounds as if it is a client configuration issue,
but given that I've regenerated my puppetdb certs, I don't understand
the problem. Can anyone shed any light on this?

[1] https://tickets.puppetlabs.com/browse/PDB-346

Thanks,
Jonathan

Jonathan Gazeley

Nov 24, 2014, 11:12:37 AM
to puppet...@googlegroups.com
Fixed my own problem. Somehow the cert had been added to the CRL, even
though I had regenerated the cert. I deleted crl.pem and it immediately
sprang into life :)

Alex Elman

Nov 24, 2014, 12:15:48 PM
to puppet...@googlegroups.com

Jonathan,
Glad you fixed the issue! Whenever you do a cert clean or cert remove, it will automatically get added to the certificate revocation list because it is assumed those certs will never be used again.

Thanks,
-Alex
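What the last two messages describe, reproduced with plain openssl as an added example (not from the thread): a throwaway CA, with every host name constructed, issues a certificate, revokes it the way a cert clean does, publishes the CRL, then re-issues from the same CSR. Comparing each certificate's serial number against the CRL shows why the regenerated certificate passes while the old one is rejected, which is the check worth running before touching crl.pem.

```shell
#!/bin/sh
# Throwaway CA in a temp dir; every name here is constructed for the example.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir newcerts; touch index.txt; echo 1000 > serial
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = .
database = $dir/index.txt
serial = $dir/serial
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
unique_subject = no
x509_extensions = leaf
policy = any
[ leaf ]
basicConstraints = CA:FALSE
[ any ]
commonName = supplied
EOF
# CA key/cert, plus one CSR for the (constructed) PuppetDB host name.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj /CN=demo-ca -days 365 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj /CN=puppetdb.example 2>/dev/null
# Issue cert 1, revoke it (the effect of "puppet cert clean"), publish the CRL,
# then re-issue from the same CSR: cert 2 gets a fresh serial number.
openssl ca -batch -config ca.cnf -notext -in srv.csr -out srv1.pem 2>/dev/null
openssl ca -config ca.cnf -revoke srv1.pem 2>/dev/null
openssl ca -config ca.cnf -gencrl -out crl.pem 2>/dev/null
openssl ca -batch -config ca.cnf -notext -in srv.csr -out srv2.pem 2>/dev/null

# 0 if the serial of cert $1 is listed in CRL $2, 1 otherwise. This is the
# question behind a "certificate revoked" error: which serial is on the CRL?
serial_in_crl() {
  s=$(openssl x509 -in "$1" -noout -serial | cut -d= -f2)
  openssl crl -in "$2" -noout -text | grep -q "Serial Number: $s\$"
}
# Chain plus CRL check the way a TLS client does it; 0 means cert accepted.
verify_with_crl() {
  openssl verify -crl_check -CAfile ca.pem -CRLfile "$2" "$1" >/dev/null 2>&1
}
```

Needs an openssl binary on the PATH; the revoked cert fails verify_with_crl with "certificate revoked", the re-issued one is accepted against the same CRL.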
