On Feb 21, 5:53 am, Felix Frank <[email protected]> wrote:
> On 02/19/2011 03:43 AM, Eric Sorenson wrote:
>
> > Could it be that the issuer name change is causing the ssl client libraries
> > to fail to match up the CRL with the issuing CA?
>
> Definitely. This CRL is not related to your CA cert in any way. It's
> probably a bug that the CRL is created this way.
>
> Can you find a CA cert with the Subject CN as in the Issuer field above
> anywhere on your system?

Hah, got it. There was not a *cert* with that Subject. There was, however, a CRL, outside of the CA area, which puppet-cert read and whose Issuer field it reused to create the new CRL.

I think this is a bug because the client and CA SSL areas ought to be distinct, but it's probably quite rare for this situation to arise. I updated my previous "bad ssl error messages" bug with this case and hope it will help other people.

If I had to hazard a guess as to why it does this, it looks like the ssl/certificate_revocation_list.rb uses the same indirector file location (:hostcrl from indirector/certificate_revocation_list/file.rb) whether it's reading or writing a CRL. But I don't actually understand the indirector so this could be completely off-base.
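
The check discussed in this thread (does a CRL's Issuer actually belong to the CA certificate in use?) can be scripted with the `openssl` CLI. This is an added example, not part of the original messages and not Puppet code; the function names `crl_matches_ca` and `make_demo_pki`, the file names, and the throwaway CAs are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example (not Puppet code): confirm a CRL was issued by a given CA.

# crl_matches_ca CA_CERT_PEM CRL_PEM
# Returns 0 only when the CRL's Issuer name equals the CA's Subject name
# and the CRL signature verifies under the CA's public key.
crl_matches_ca() {
    ca_hash=$(openssl x509 -in "$1" -noout -subject_hash) || return 2
    crl_hash=$(openssl crl -in "$2" -noout -hash) || return 2
    # Same name hash that hashed CA/CRL directories use for lookup.
    if [ "$ca_hash" != "$crl_hash" ]; then
        echo "MISMATCH: CRL Issuer differs from CA Subject" >&2
        openssl crl -in "$2" -noout -issuer >&2
        openssl x509 -in "$1" -noout -subject >&2
        return 1
    fi
    # Names agree; make sure this CA's key actually signed the CRL.
    if openssl crl -in "$2" -CAfile "$1" -noout 2>&1 | grep -q 'verify OK'; then
        return 0
    fi
    echo "MISMATCH: CRL signature does not verify under this CA" >&2
    return 1
}

# make_demo_pki DIR
# Constructed sample data: two throwaway CAs ("a", "b") and one CRL from each.
make_demo_pki() (
    cd "$1" || exit 1
    : > index.txt
    printf '%s\n' '[ca]' 'default_ca=c' '[c]' 'database=index.txt' \
        'default_md=sha256' '[req]' 'distinguished_name=dn' '[dn]' > demo.cnf
    for n in a b; do
        openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes -days 1 \
            -subj "/CN=Constructed CA $n" -keyout "$n.key" -out "$n.pem" \
            2>/dev/null || exit 1
        openssl ca -config demo.cnf -gencrl -crldays 1 -cert "$n.pem" \
            -keyfile "$n.key" -out "$n.crl" 2>/dev/null || exit 1
    done
)
```

Call `crl_matches_ca` with the CA certificate and the CRL under suspicion; on a mismatch it prints both names to stderr so the stray Issuer can be traced.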
