I couldn't really reproduce it. I would check your CRL revocation and
match it with your certificate serial number in puppet cert -p
<certname>.

openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
Certificate Revocation List (CRL):
...
Revoked Certificates:
Serial Number: 0A
...
Serial Number: 0C
...

puppet cert -p demo.puppetlabs.lan
...
Serial Number: 13 (0xd)

If these numbers match, it's revoked. And if your puppet master is
still accepting agents with revoked certs, it might be a CRL
misconfiguration. It's easy to tell if you re-signed a cert by looking
at inventory.txt (because the same CN will show up twice):

cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
...
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan

With all the info above, you should be able to tell 0xc is revoked,
the server currently has 0xd which is still valid, and puppet cert -la
should show + demo.puppetlabs.lan.

Thanks,
Nan
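
The comparison described above (revoked serials in the CRL against the serials recorded per CN in inventory.txt) can be scripted. This is an added example, not part of the original message or of Puppet's tooling; the function names cert_status and valid_serials are hypothetical, and the sample CRL dump and inventory are constructed to mirror the output quoted above (the revocation dates are made up).

```shell
#!/bin/sh
# Added example; cert_status and valid_serials are hypothetical helper names.
# cert_status CRL_TEXT INVENTORY
#   CRL_TEXT is the saved output of `openssl crl -in ca_crl.pem -noout -text`.
#   Prints "<CN> 0x<SERIAL> REVOKED|VALID" for every line of inventory.txt.
cert_status() {
    awk '
        # Normalise "0x000c" (inventory) and "0C" (CRL) to the same form, "C".
        function norm(s) {
            s = toupper(s); sub(/^0X/, "", s); sub(/^0+/, "", s)
            return (s == "" ? "0" : s)
        }
        # First file: collect the revoked serials from the CRL dump.
        FILENAME == ARGV[1] {
            if ($1 == "Serial" && $2 == "Number:") revoked[norm($3)] = 1
            next
        }
        # Second file: inventory lines start with a 0x-prefixed serial.
        $1 ~ /^0[xX][0-9a-fA-F]+$/ {
            cn = $NF; sub(/^\/CN=/, "", cn)
            s = norm($1)
            print cn, "0x" s, ((s in revoked) ? "REVOKED" : "VALID")
        }
    ' "$1" "$2"
}

# valid_serials CRL_TEXT INVENTORY CN: serials issued to CN that are not in the CRL.
valid_serials() {
    cert_status "$1" "$2" | awk -v cn="$3" '$1 == cn && $3 == "VALID" { print $2 }'
}

# Constructed sample data mirroring the output quoted in the thread.
WORK=$(mktemp -d) && trap 'rm -rf "$WORK"' EXIT
CRL_TXT=$WORK/crl.txt
INVENTORY=$WORK/inventory.txt
cat > "$CRL_TXT" <<'EOF'
Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Dec 13 21:50:00 2011 GMT
    Serial Number: 0C
        Revocation Date: Dec 13 21:58:50 2011 GMT
EOF
cat > "$INVENTORY" <<'EOF'
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan
EOF

cert_status "$CRL_TXT" "$INVENTORY"
```

A CN that appears more than once with exactly one VALID serial is the re-signed case discussed in this thread; a CN with no VALID serial is the one to investigate if its agent can still check in.
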
On Mon, Jan 9, 2012 at 6:54 PM, Gonzalo Servat <[email protected]> wrote:
> Done :)
>
> https://projects.puppetlabs.com/issues/11854
>
>
> On Tue, Jan 10, 2012 at 1:14 PM, Jo Rhett <[email protected]> wrote:
>>
>> I agree. I would open a bug report :)
>>
>> On Jan 9, 2012, at 5:26 PM, Gonzalo Servat wrote:
>>
>> Thanks for your reply.
>>
>> I was expecting to see something like:
>>
>> + host (good fingerprint here)
>> - host (revoked fingerprint here) (certificate revoked)
>>
>> ... but instead I just see the second line. I guess I just find it a bit
>> confusing.
>>
>> - Gonzalo
>>
>> On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett <[email protected]>
>> wrote:
>>>
>>> The previous certificate was revoked, and the new one was signed. So
>>> what you are seeing is true…
>>>
>>> On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:
>>>
>>> As per the subject, "puppet cert list --all" is showing a heap of revoked
>>> certificates, even though they're not actually revoked. I can go on any of
>>> the revoked clients' host and trigger a Puppet run, and it'll work fine.
>>>
>>> The only reason why they appear revoked is because the systems were
>>> re-installed, so I've issued a puppetca --clean <host> and signed the new
>>> certificate, and it immediately appears as revoked (even though it's not).
>>>
>>> Any ideas?
>>>
>>> Thanks
>>> Gonzalo
>>>
>>> --
>>> You received this message because you are subscribed to the Google Groups
>>> "Puppet Users" group.
>>> To post to this group, send email to [email protected].
>>> To unsubscribe from this group, send email to
>>> [email protected].
>>> For more options, visit this group at
>>> http://groups.google.com/group/puppet-users?hl=en.
>>>
>>>
>>> --
>>> Jo Rhett
>>> Net Consonance : consonant endings by net philanthropy, open source and
>>> other randomness
>>>
>>>
>>
>>
>>
>>
>>
>> --
>> Jo Rhett
>> Net Consonance : consonant endings by net philanthropy, open source and
>> other randomness
>>
>
>