On 02/06/2015 05:15 PM, Josh Bronson wrote:
> I just filed https://tickets.puppetlabs.com/browse/ENTERPRISE-515 for
> this. The workaround is to disable CRL checking:
>
> 1. Add "certificate_revocation = false" to the [agent] section of the
> puppet.conf file as described at
> https://docs.puppetlabs.com/puppet/latest/reference/config_ssl_external_ca.html,
> and
> 2. comment out the line containing SSLCARevocationFile in
> /etc/puppetlabs/httpd/conf.d/puppetdashboard.conf.

Yes, and honestly, I really don't see what else Puppet could do in this
situation to help you out.

> I'm using FreeIPA as a certificate authority, and it uses that field
> to communicate to users when the next update will be ready. It seems
> to like to update it a few times a day. The trouble is, there is
> always going to be a moment *after* the update is ready but *before* a
> script has had a chance to update the CRL and restart the
> Puppetmaster. During this time, Puppet agent runs will fail. Is there
> any way to tell Puppet that slightly out-of-date CRLs are okay?
> Otherwise, I think the next step is to try disabling checks to the
> CRL, but I like the fact that Puppet checks it by default.

This is actually an issue with the CA, from my point of view. It should
really specify next update times that are sufficiently late after the
actual update, so that SSL clients don't run a risk of hitting that time
window. Perhaps there is a configuration setting to that effect?

Cheers,
Felix

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/54D952A3.3050406%40Alumni.TU-Berlin.de.
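As an added example (not code from this thread, from Puppet, or from FreeIPA), the kind of check a CRL refresh script could run on a schedule so it notices a CRL approaching its nextUpdate before the window Josh describes opens: it builds a throwaway CRL with Ruby's stdlib OpenSSL and classifies it against a safety margin. The CA name, the one-hour margin and the `crl_freshness` helper are assumptions.

```ruby
require 'openssl'

# Constructed test fixture: a throwaway RSA key and a CRL signed by it,
# so the check runs offline. This is not FreeIPA's CRL.
def build_test_crl(last_update:, next_update:)
  key = OpenSSL::PKey::RSA.new(2048)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                      # X.509 v2 CRL
  crl.issuer = OpenSSL::X509::Name.parse('/CN=Example Test CA')  # assumed name
  crl.last_update = last_update
  crl.next_update = next_update
  crl.sign(key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Parse a PEM-encoded CRL, e.g. the file the Puppet master serves.
def load_crl(pem)
  OpenSSL::X509::CRL.new(pem)
end

# Classify the CRL against the clock. Puppet rejects a CRL whose nextUpdate
# is already in the past (:stale), so the actionable signal is :expiring:
# nextUpdate is still ahead but inside the margin, which is the time the
# refresh-and-restart script needs to fetch the new CRL.
def crl_freshness(crl, now: Time.now, margin: 3600)
  remaining = crl.next_update - now    # seconds, Float
  if remaining <= 0
    :stale
  elsif remaining <= margin
    :expiring
  else
    :fresh
  end
end

# Usage: ruby crl_check.rb /path/to/ca_crl.pem
if __FILE__ == $PROGRAM_NAME && ARGV[0]
  status = crl_freshness(load_crl(File.read(ARGV[0])))
  puts "CRL nextUpdate status: #{status}"
  exit(status == :fresh ? 0 : 1)       # non-zero tells cron/monitoring to act
end
```

A non-zero exit on :expiring is the point at which to fetch the new CRL and restart the master, ahead of the moment agents would start failing.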