On Feb 18, 2011, at 5:46 PM, Jeff McCune wrote:

> Thanks for the follow up Eric, please let us know if you figure this
> out. I suspect I'm going to run into this as well and may have been
> working with someone in training yesterday.

I believe it's related to changing the name of the issuer for the CA, from here:
http://www.mail-archive.com/[email protected]/msg09176.html

When I have an empty CRL, the clients work fine. The CRL looks like:

    # openssl crl -noout -in ca_crl.pem -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /CN=ca
            Last Update: Feb 19 01:46:28 2011 GMT
            Next Update: Feb 18 01:46:28 2016 GMT
            CRL extensions:
                X509v3 CRL Number:
                    0
    No Revoked Certificates.

and it passes validation:

    # openssl crl -noout -CAfile ./ca_crt.pem -in ca_crl.pem -issuer
    verify OK
    issuer=/CN=ca

As soon as I --clean a client, the CRL gets rewritten and starts failing:

    # openssl crl -noout -in ca_crl_fatal.pem -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha1WithRSAEncryption
            Issuer: /CN=Puppet CA: puppetmaster001
            Last Update: Feb 19 01:21:00 2011 GMT
            Next Update: Feb 18 01:21:00 2016 GMT
            CRL extensions:
                X509v3 CRL Number:
                    7
    [some revoked certs here]

    # openssl crl -noout -CAfile ./ca_crt.pem -in ca_crl_fatal.pem -text
    Error getting CRL issuer certificate

Could it be that the issuer name change is causing the SSL client libraries to fail to match up the CRL with the issuing CA?

- Eric Sorenson - N37 17.255 W121 55.738 - http://twitter.com/ahpook -
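The issuer/subject check Eric is describing, as an added example that is not part of the original thread: this script builds two throw-away CAs with openssl (the CA names "ca" and "Puppet CA: puppetmaster001" are constructed to mirror the message), issues an empty CRL from each, and shows that a CRL whose Issuer differs from the CA certificate's Subject is rejected by `openssl crl -CAfile` while the matching pair verifies.

```shell
#!/bin/sh
# Added example, not from the original thread. Requires the openssl CLI.
# Shows that a CRL is only accepted when its Issuer equals the Subject of
# the CA certificate it is checked against.
set -eu

# Print the Subject of a certificate / the Issuer of a CRL with the
# "subject=" / "issuer=" prefix stripped, so both can be compared textually
# regardless of which OpenSSL output style is in use.
cert_subject() { openssl x509 -noout -subject -in "$1" | sed 's/^[a-z]*= *//'; }
crl_issuer()   { openssl crl  -noout -issuer  -in "$1" | sed 's/^[a-z]*= *//'; }

# crl_issuer_matches CA_CERT CRL: 0 when the CRL's Issuer equals the CA Subject.
crl_issuer_matches() { [ "$(cert_subject "$1")" = "$(crl_issuer "$2")" ]; }

# make_ca DIR CN: self-signed CA cert/key in DIR plus an empty CRL signed by it.
make_ca() {
    mkdir -p "$1"; : > "$1/index.txt"; echo 01 > "$1/crlnumber"
    printf '%s\n' '[ ca ]' 'default_ca = CA_default' '[ CA_default ]' \
        "database = $1/index.txt" "crlnumber = $1/crlnumber" \
        'default_md = sha256' 'default_crl_days = 30' \
        '[ req ]' 'distinguished_name = dn' '[ dn ]' > "$1/openssl.cnf"
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$2" \
        -config "$1/openssl.cnf" -keyout "$1/ca_key.pem" -out "$1/ca_crt.pem" 2>/dev/null
    openssl ca -gencrl -config "$1/openssl.cnf" -keyfile "$1/ca_key.pem" \
        -cert "$1/ca_crt.pem" -out "$1/ca_crl.pem" 2>/dev/null
}

# Constructed scenario mirroring the thread: the CRL from the renamed CA is
# checked against the old CA certificate. Returns 0 when the matching pair
# verifies and the mismatched pair is rejected, 1 otherwise.
demo_issuer_mismatch() {
    tmp=$(mktemp -d); ok=0
    make_ca "$tmp/old" "ca"
    make_ca "$tmp/new" "Puppet CA: puppetmaster001"
    crl_issuer_matches "$tmp/old/ca_crt.pem" "$tmp/old/ca_crl.pem" || ok=1
    openssl crl -noout -CAfile "$tmp/old/ca_crt.pem" -in "$tmp/old/ca_crl.pem" || ok=1
    if crl_issuer_matches "$tmp/old/ca_crt.pem" "$tmp/new/ca_crl.pem"; then ok=1; fi
    if openssl crl -noout -CAfile "$tmp/old/ca_crt.pem" \
        -in "$tmp/new/ca_crl.pem" 2>/dev/null; then ok=1; fi
    rm -rf "$tmp"
    return $ok
}

if demo_issuer_mismatch; then echo "issuer mismatch reproduced"; else echo "unexpected result"; fi
```

The same two one-liners (`cert_subject` on the CA cert, `crl_issuer` on the live CRL) can be run against a real ca_crt.pem and ca_crl.pem to confirm whether the names actually differ before looking elsewhere.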
