Issue #2890 has been updated by Peter Meier.
Luke Kanies wrote:
> We should make two fixes here:
>
> 1) When the client finds out it has a bad cert, it should remove the cached
> cert.

+1

> 2) When the server receives a new CSR, it should remove any existing cert for
> the client. I think this one step will fix 99% of the problems people have
> with SSL.

Yes it would, but wouldn't it then be possible that a malicious client could knock off all the existing clients with a bunch of CSRs? Or am I just wrong in thinking that a client with the old cert (which was never thought to be removed) can't connect anymore?

----------------------------------------
Bug #2890: Puppetd: signed certificate retrieval "Retrieved certificate does not match private key"
http://projects.reductivelabs.com/issues/2890

Author: Silviu Paragina
Status: Accepted
Priority: Low
Assigned to: Markus Roberts
Category: SSL
Target version: 0.25.2
Affected version: 0.25.1
Keywords:
Branch:

Install a new client, let's call it client1.

Steps:
1. run puppetd --test on the client
2. run puppetca --sign client1 on the server
3. run rm -rf /var/lib/puppet/ssl on the client (equivalent to reinstalling the OS on the client)
4. run puppetd --test on the client

Now you will get, as expected, the "Retrieved certificate does not match private key" error. But the certificate the server gave is stored in /var/lib/puppet/ssl/certs and puppetd will try to use it on future runs. To prove that, do these 2 final steps:
5. run puppetca --clean client1
6. run puppetd --test

If you analyze this run you will notice that the client does not even contact the server; it just loads the local certificates and bails out because the private/public key pair doesn't match.

Workaround: delete /var/lib/puppet/ssl/certs/client1.pem from the client (or the equivalent file).

I think the client shouldn't store the certificate received from the server unless it matches.
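Added example, not code from Puppet or from anyone in this thread: a guarded certificate cache in Ruby that implements the reporter's suggestion, refusing to store a retrieved certificate unless it matches the client's private key, replayed over steps 1 to 4 of the report in a temporary directory. The private_keys/ and certs/ layout mirrors the report; a self-signed certificate stands in for the one puppetca signs, and the helper names are this example's own.

```ruby
require 'openssl'
require 'fileutils'
require 'tmpdir'

# Build a minimal self-signed cert for +key+ (stand-in for the cert puppetca signs).
def issue_cert(key, cn)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end

# The check the reporter asks for: does the retrieved cert belong to our private key?
def cert_matches_key?(cert_pem, key_pem)
  OpenSSL::X509::Certificate.new(cert_pem).check_private_key(OpenSSL::PKey::RSA.new(key_pem))
end

# Only write certs/<name>.pem when the cert matches private_keys/<name>.pem;
# a mismatching cert is never cached, so later runs do not bail out on it.
def cache_retrieved_cert(ssl_dir, name, cert_pem)
  key_pem = File.read(File.join(ssl_dir, 'private_keys', "#{name}.pem"))
  return false unless cert_matches_key?(cert_pem, key_pem)
  File.write(File.join(ssl_dir, 'certs', "#{name}.pem"), cert_pem)
  true
end

# Create a fresh ssl dir with a new private key, as puppetd does on first run.
def init_ssl_dir(ssl_dir, name)
  %w[private_keys certs].each { |d| FileUtils.mkdir_p(File.join(ssl_dir, d)) }
  key = OpenSSL::PKey::RSA.new(2048)
  File.write(File.join(ssl_dir, 'private_keys', "#{name}.pem"), key.to_pem)
  key
end

# Replay steps 1-4 of the report and return what the guarded cache did.
def replay_report(name = 'client1')
  Dir.mktmpdir do |ssl_dir|
    old_cert = issue_cert(init_ssl_dir(ssl_dir, name), name)  # steps 1-2: key + signed cert
    first = cache_retrieved_cert(ssl_dir, name, old_cert)
    FileUtils.rm_rf(ssl_dir)                                    # step 3: wipe the ssl dir
    init_ssl_dir(ssl_dir, name)                                 # step 4: puppetd makes a new key
    again = cache_retrieved_cert(ssl_dir, name, old_cert)       # server hands back the old cert
    { first_run: first, after_reinstall: again,
      stale_cert_cached: File.exist?(File.join(ssl_dir, 'certs', "#{name}.pem")) }
  end
end
```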
