On Thu, May 19, 2011 at 2:37 PM, Arnau Bria <arnaub...@pic.es> wrote:
> Hi all,
>
> till today we had a *.our.domain in autosign.conf. So any host from
> our.domain could get a signed certificate if it contacts our master.
> But we've decided to move that "*" to a complete list of hostnames.
>
> So, I've pasted all the names to autosign file, restarted master (not
> sure if needed) So far, so good. So, I removed one name from autosign
> file, clean its cert, and ran puppet on the host, but it's still able
> to contact master and get its catalogue when it's supposed to get any
> kind of error.
>
> So, how is it possible? Where am I misunderstanding autosign
> behaviour?
>

Here's a list of things to consider:
Is the certificate revoked in the certificate revocation list? The
current version of puppet cert --clean will revoke then clean, and I'm
not sure the revoke was added in recent versions of puppet.
openssl crl -text -noout -in crl.pem

Does the client certificate serial number match the CRL?
Either review ca/inventory.txt, or perform a puppet cert --print of
the certificate
# puppet cert -p foo
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 16 (0x10) (<- This serial should be revoked in CRL)

If you are using Apache, is it configured to use the CRL? (see the passenger docs)
    SSLCARevocationFile
    SSLVerifyClient
    SSLVerifyDepth

If you have multiple puppet masters, are you distributing the CRL?

You can test the certificate with openssl:
openssl s_client -host puppet -port 8140 -cert /path/to/ssl/certs/node.domain.com.pem -key /path/to/ssl/private_keys/node.domain.com.pem -CAfile /path/to/ssl/certs/ca.pem

Brice has a detailed blog post on more troubleshooting steps:
http://www.masterzen.fr/2010/11/14/puppet-ssl-explained/

Thanks,

Nan
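The serial-number check above is easy to get wrong by hand, because `puppet cert -p` prints the serial in decimal with the hex in parentheses ("16 (0x10)") while `openssl crl -text` lists revoked serials in bare hex ("10"). The following helper script is an added example, not part of the original thread or of Puppet itself; it normalises all of those forms and tells you whether an agent certificate's serial is actually present in the CA's CRL. The paths under /var/lib/puppet/ssl are an assumed default puppetmaster layout.

```shell
#!/bin/sh
# check_agent_cert.sh: is an agent's certificate serial listed in the CA's CRL?
# Hypothetical helper, not part of Puppet. Paths under /var/lib/puppet/ssl
# are assumed (a default puppetmaster layout); adjust to your ssldir.

# Normalise a serial to bare upper-case hex without leading zeros, so the
# "16 (0x10)" form printed by `puppet cert -p`, the "serial=10" form from
# `openssl x509 -serial` and the "Serial Number: 10" lines in
# `openssl crl -text` all compare equal. A bare value is taken as hex.
normalize_serial() {
    s=$1
    case "$s" in
        *"(0x"*)   s=${s#*"(0x"}; s=${s%%")"*} ;;  # "16 (0x10)" -> "10"
        *serial=*) s=${s#*serial=} ;;              # "serial=10" -> "10"
        0[xX]*)    s=${s#??} ;;                    # "0x10"      -> "10"
    esac
    case "$s" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac   # not a serial at all
    printf '%s\n' "$s" | tr 'a-f' 'A-F' | sed 's/^0*//; s/^$/0/'
}

# Print every revoked serial (normalised) from the output of
# `openssl crl -text -noout` stored in the file $1.
crl_revoked_serials() {
    sed -n 's/^ *Serial Number: *\([0-9A-Fa-f]*\).*/\1/p' "$1" |
    while read -r raw; do normalize_serial "$raw" || :; done
}

# Exit 0 if serial $1 (any form above) is revoked in the CRL text file $2.
serial_is_revoked() {
    want=$(normalize_serial "$1") || return 2
    crl_revoked_serials "$2" | grep -qx "$want"
}

# Usage: check_agent_cert.sh /var/lib/puppet/ssl/certs/node.domain.com.pem [crl.pem]
if [ -n "$1" ]; then
    cert=$1
    crl=${2:-/var/lib/puppet/ssl/ca/ca_crl.pem}   # assumed default CA CRL path
    crltxt=$(mktemp)
    openssl crl -text -noout -in "$crl" > "$crltxt"
    serial=$(openssl x509 -noout -serial -in "$cert")   # e.g. "serial=10"
    if serial_is_revoked "$serial" "$crltxt"; then
        echo "serial $(normalize_serial "$serial") is revoked in $crl"
    else
        echo "serial $(normalize_serial "$serial") is NOT in $crl: the master will still accept it"
    fi
    rm -f "$crltxt"
fi
```

If the script reports the serial as not in the CRL after a `puppet cert --clean`, the revocation never happened on this CA, which is exactly the case where the agent keeps fetching its catalogue.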
