Issue #9118 has been updated by James Turnbull.

Status changed from Needs More Information to Needs Decision
Assignee changed from Alexander Piavlo to Nigel Kersten
Affected Puppet version set to 2.7.3
Keywords set to CRL

Nigel - I think there are a series of bugs related to SSL/CRL including #9205 
and a series of others. That's not counting the broken chained CA CRL issues.
----------------------------------------
Bug #9118: Puppet client does not update and does consult the crl during 
authentication
https://projects.puppetlabs.com/issues/9118

Author: Alexander Piavlo
Status: Needs Decision
Priority: Normal
Assignee: Nigel Kersten
Category: SSL
Target version: 
Affected Puppet version: 2.7.3
Keywords: CRL
Branch: 


In my tests the puppet client never updates its /var/lib/puppet/ssl/ca/ca_crl.pem 
from the master;
even if I delete it, it is not fetched from the master when the client runs.

Another issue is that the puppet client does not consult the crl - after revoking 
the cert of node dev2.internal on master - and manually copying 
/var/lib/puppet/ssl/ca/{ca_crl.pem,inventory.txt} to client mon1a.internal and 
restarting the client to make sure it can pick up the crl changes - I was still 
able to trigger a client puppet run on mon1a.internal from dev2.internal.

It looks like the puppet client does not take the crl into consideration when 
authenticating.

The relevant config on mon1a.internal is
----
 # allow all authenticated nodes to trigger puppet run
path /run
method save
auth yes
allow *
----
this ACL comes first in the auth.conf file

And this is the command I used to trigger a puppet run from dev2.internal

 curl --cert /var/lib/puppet/ssl/certs/dev2.internal.pem --key  
/var/lib/puppet/ssl/private_keys/dev2.internal.pem --cacert 
/var/lib/puppet/ssl/certH "Content-Type: text/pson" -d "{}" 
https://mon1a.internal:8139/production/run/dev2.internal

Could these problems be taken care of?

Thanks
Alex
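
The behaviour reported above, shown as an added Ruby example that is not part of the original report and is not Puppet's own code: an OpenSSL certificate store accepts a revoked certificate unless a CRL is loaded and CRL checking is enabled. The CA, the keys, the serial numbers, the host name web1.internal and the helper names (`make_cert`, `make_crl`, `peer_accepted?`) are constructed for illustration.

```ruby
require 'openssl'

# Build a certificate for the constructed test PKI (self-signed CA when no issuer is given).
def make_cert(cn, key, serial, issuer = nil, issuer_key = key)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ext = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ext.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Build a CA-signed CRL listing the given revoked serial numbers.
def make_crl(ca_cert, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  serials.each do |s|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = s
    rev.time = Time.now - 30
    crl.add_revoked(rev)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify a peer certificate; with check_crl the store fails closed if no CRL is loaded.
def peer_accepted?(ca_cert, peer, crl: nil, check_crl: !crl.nil?)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  store.add_crl(crl) if crl
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl
  store.verify(peer)
end

# Constructed PKI: dev2.internal (serial 2) is revoked, web1.internal (serial 3) is not.
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
NODE_KEY = OpenSSL::PKey::RSA.new(2048)
CA_CERT  = make_cert('Test Puppet CA', CA_KEY, 1)
DEV2     = make_cert('dev2.internal', NODE_KEY, 2, CA_CERT, CA_KEY)
OTHER    = make_cert('web1.internal', NODE_KEY, 3, CA_CERT, CA_KEY)
CRL      = make_crl(CA_CERT, CA_KEY, [2])
```

Calling `peer_accepted?(CA_CERT, DEV2)` without a CRL reproduces the acceptance described in the report; passing `crl: CRL` rejects the revoked certificate, and `check_crl: true` with no CRL loaded rejects every peer, which is what a missing ca_crl.pem should do on a host that enforces revocation.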

