Issue #7292 has been updated by Nigel Kersten.

Status changed from Needs Decision to Accepted
Priority changed from Normal to Low
Target version changed from Statler to 2.7.1

So this really isn't a big deal on the agent. By default it will go and find the CRL again and download it.

<pre>
-bash-3.2# puppet agent -t
info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: Caching catalog for centos5-1.localdomain
info: Applying configuration version '1304036548'
notice: Finished catalog run in 0.05 seconds
-bash-3.2# puppet certificate_revocation_list destroy foo
notice: Removing file Puppet::SSL::CertificateRevocationList foo at '/etc/puppet/ssl/crl.pem'
1
-bash-3.2# puppet agent -t
info: /User[puppet]: Provider useradd does not support features manages_aix_lam; not managing attribute ia_load_module
info: Caching certificate_revocation_list for ca
info: Caching catalog for centos5-1.localdomain
info: Applying configuration version '1304036567'
notice: Finished catalog run in 0.05 seconds
</pre>

We also block this over REST by default:

<pre>
warning: Denying access: Forbidden request: centos5-1.localdomain(172.16.140.153) access to /certificate_revocation_list/foo [find] authenticated at line 98
err: Forbidden request: centos5-1.localdomain(172.16.140.153) access to /certificate_revocation_list/foo [find] authenticated at line 98
</pre>

You can delete the CRL as root on the master, but at that point you've rather explicitly said what you intend to do.

----------------------------------------
Bug #7292: certificate_revocation_list face can blow away the local copy of the CRL
https://projects.puppetlabs.com/issues/7292

Author: Nick Fagerlund
Status: Accepted
Priority: Low
Assignee: Nigel Kersten
Category: Faces
Target version: 2.7.1
Affected Puppet version: 2.7.0rc1
Keywords:
Branch:

So if you try invoking delete on the crl face with a `--terminus rest`, it'll fail and complain that delete won't accept options. But it'll quite happily delete your local copy of the CA's CRL! Without even warning you about it.

<pre>
[root@hawkmaster ~]# puppet certificate_revocation_list destroy x
notice: Removing file Puppet::SSL::CertificateRevocationList x at '/var/lib/puppet/ssl/crl.pem'
1
</pre>
