Issue #4948 has been updated by Brice Figureau.
Jeff McCune wrote: > Unfortunately these error messages come from the openssl ruby layer itself > rather than puppet and it's extremely difficult for puppet to determine _why_ > a certificate verification check failed in the openssl layer. I don't think it's right. You can define a verify_callback on any ssl context (and this can be done with Net::HTTPS too). This proc will be called after validation is done and you can ask the context for more information about the error. The question is: isn't it an information disclosure to let the client know his cert has been revoked? ---------------------------------------- Bug #4948: connecting from a client whose cert is revoked fails without indicating why http://projects.puppetlabs.com/issues/4948 Author: eric sorenson Status: Accepted Priority: Normal Assignee: Category: SSL Target version: Statler Affected version: 0.25.0 Keywords: Branch: had a confusing time tonight trying to debug some systems which were failing puppetd -tv -- the error output looked like: <pre> [r...@it11p00me-acctsvc001 /var/lib/puppet]# puppetd -tv info: Retrieving plugin err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for puppet://puppet/plugins: certificate verify failed info: Loading facts in locallinks info: Loading facts in locallinks err: Could not retrieve catalog from remote server: certificate verify failed warning: Not using cache on failed catalog err: Could not retrieve catalog; skipping run </pre> The cause was that the cert's serial number was in the CRL downloaded from the CA - probably due to a misunderstanding on my part of how exactly to issue new certificates to hosts whose private keys are lost due to re-imaging. But regardless it would be nice to emit some kind of informative error message if we find out the local certificate is in the CA's CRL. -- You have received this notification because you have either subscribed to it, or are involved in it. To change your notification preferences, please click here: http://projects.puppetlabs.com/my/account -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To post to this group, send email to [email protected]. To unsubscribe from this group, send email to [email protected]. For more options, visit this group at http://groups.google.com/group/puppet-bugs?hl=en.
