Issue #4948 has been updated by eric sorenson.

The same error cuts both ways apparently. We had issued a small number (~10) of 
certificates with overlapping serial numbers and revoked some of them as hosts 
were reimaged.

One of the revoked serial numbers belonged to a host *and* the certificate for 
the 'puppet.mydomain.com' VIP. So when clients downloaded the CRL, they stopped 
trusting the VIP.

This was only discoverable through packet analysis: (10.1.1.1 is the client, 
10.2.2.2 is the VIP fronting the puppetmaster)

<pre>
[r...@host ~]# tshark -s1500 -i eth0 -n -d tcp.port==8140,ssl port 8140
  0.000000 10.1.1.1 -> 10.2.2.2 TCP 51532 > 8140 [SYN] Seq=0 Win=5840 Len=0 MSS=1460 TSV=3705949461 TSER=0 WS=7
  0.000527 10.2.2.2 -> 10.1.1.1 TCP 8140 > 51532 [SYN, ACK] Seq=0 Ack=1 Win=8190 Len=0 MSS=1460
  0.000543 10.1.1.1 -> 10.2.2.2 TCP 51532 > 8140 [ACK] Seq=1 Ack=1 Win=5840 Len=0
  0.000981 10.1.1.1 -> 10.2.2.2 SSLv2 Client Hello
  0.001640 10.2.2.2 -> 10.1.1.1 TLSv1 Server Hello, Certificate, Certificate Request, Server Hello Done
  0.001670 10.1.1.1 -> 10.2.2.2 TCP 51532 > 8140 [ACK] Seq=106 Ack=1358 Win=8142 Len=0
  0.002009 10.1.1.1 -> 10.2.2.2 TLSv1 Alert (Level: Fatal, Description: Certificate Revoked)
</pre>

----------------------------------------
Bug #4948: connecting from a client whose cert is revoked fails without indicating why
http://projects.puppetlabs.com/issues/4948

Author: eric sorenson
Status: Accepted
Priority: Normal
Assignee: 
Category: SSL
Target version: Statler
Affected version: 0.25.0
Keywords: 
Branch: 


Had a confusing time tonight trying to debug some systems which were failing 
puppetd -tv -- the error output looked like:

<pre>
[r...@it11p00me-acctsvc001 /var/lib/puppet]# puppetd -tv
info: Retrieving plugin
err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': certificate verify failed
err: /File[/var/lib/puppet/lib]: Failed to retrieve current state of resource: certificate verify failed Could not retrieve file metadata for
 puppet://puppet/plugins: certificate verify failed
info: Loading facts in locallinks
info: Loading facts in locallinks
err: Could not retrieve catalog from remote server: certificate verify failed
warning: Not using cache on failed catalog
err: Could not retrieve catalog; skipping run
</pre>

The cause was that the cert's serial number was in the CRL downloaded from the 
CA - probably due to a misunderstanding on my part of how exactly to issue new 
certificates to hosts whose private keys are lost due to re-imaging.  

But regardless, it would be nice to emit some kind of informative error message 
if we find out the local certificate is in the CA's CRL.
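
Added example (not the ticket's or Puppet's own code), in Ruby since that is what Puppet and its CA are written in: a constructed throwaway CA issues two certificates that share a serial, revokes that serial, and CRL-aware verification then rejects the VIP's certificate along with the reimaged host's, which is the collateral damage described above; crl_diagnosis is one form of the informative message this report asks for. The CA, keys, names and serial numbers are all constructed for the example.

```ruby
require 'openssl'
# Constructed throwaway CA, leaf certs and CRL (nothing from a real Puppet CA);
# serials are caller-chosen and never checked for reuse, as in this ticket.
CA_KEY = OpenSSL::PKey::RSA.new(2048)
def mk_cert(cn, serial, ca: false)
  c = OpenSSL::X509::Certificate.new
  c.version = 2
  c.serial = serial
  c.subject = OpenSSL::X509::Name.new([['CN', cn]])
  c.issuer = ca ? c.subject : CA_CERT.subject
  c.public_key = (ca ? CA_KEY : OpenSSL::PKey::RSA.new(2048)).public_key
  c.not_before = Time.now - 60
  c.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(c, c)
  c.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true)) if ca
  c.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end
CA_CERT   = mk_cert('Puppet CA', 1, ca: true)
HOST_CERT = mk_cert('reimaged-host', 7)        # the cert the CA meant to revoke
VIP_CERT  = mk_cert('puppet.mydomain.com', 7)  # same serial: collateral damage
OK_CERT   = mk_cert('other-host', 8)
# CRL listing one serial, as the CA publishes after cleaning a host's cert.
def revoke_serial(serial)
  crl = OpenSSL::X509::CRL.new
  crl.issuer = CA_CERT.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  rev = OpenSSL::X509::Revoked.new
  rev.serial = serial
  rev.time = Time.now - 30
  crl.add_revoked(rev)
  crl.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end
# What the TLS layer does (chain verify, CRL on): V_ERR_CERT_REVOKED for both serial-7 certs.
def verify_error(cert, crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(CA_CERT)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.verify(cert)
  store.error
end
# The message this ticket asks for: which CRL entry matches the local cert (nil if none).
def crl_diagnosis(cert, crl)
  return 'CRL signature does not verify against the CA' unless crl.verify(CA_KEY.public_key)
  hit = crl.revoked.find { |r| r.serial.to_i == cert.serial.to_i }
  hit && "#{cert.subject} serial #{cert.serial} is in the CA's CRL (revoked #{hit.time.utc})"
end
```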

