Issue #8125 has been updated by Nigel Kersten.

Status changed from Needs Decision to Accepted
Assignee deleted (Nigel Kersten)
Priority changed from Normal to High
Target version set to 2.7.x


----------------------------------------
Bug #8125: puppetca finds wrong crl source file
https://projects.puppetlabs.com/issues/8125

Author: Michael Komitee
Status: Accepted
Priority: High
Assignee: 
Category: SSL
Target version: 2.7.x
Affected Puppet version: 2.6.5
Keywords: puppetca crl CRL
Branch: 


It appears that puppetca, when revoking a certificate, defaults to the crl file 
as defined in the :hostcrl configuration parameter instead of the :cacrl 
configuration parameter, but only when reading the crl file into memory. When 
writing it, it writes it to the location as specified in :cacrl.

The end result is that it reads $ssldir/crl.pem into memory, revokes the given 
serial in memory, and then writes the results to $cadir/ca_crl.pem. 

If you have a fan-out strategy for puppetmasters, where host1 is the 
puppetmaster for host2, and host2 is the puppetmaster for host3, and you revoke 
a certificate in the puppetca running on host2, host3 will end up with a crl 
with an issuer of host1, which will cause openssl errors when host3 tries to 
connect to host1.

It appears that in one of the various layers of indirection, we end up with a 
Puppet::SSL::CertificateRevocationList::File instead of a 
Puppet::SSL::CertificateRevocationList::Ca.

We've worked around this by setting hostcrl to $cadir/ca_crl.pem in the 
[master] section of host2's puppet.conf.
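The failure mode the report describes (a CRL whose issuer is host1 being served by host2's CA) can be caught before it reaches clients by checking that a CRL's issuer and signature belong to the CA that is handing it out. The following Ruby is an added illustration written for this page, not code from the report or from Puppet; `make_ca`, `make_crl` and `check_crl_against_ca` are hypothetical helper names, and the CA fixtures it builds are constructed in memory.

```ruby
require 'openssl'

# Constructed fixture: a self-signed CA certificate and key with a given CN.
def make_ca(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Constructed fixture: a CRL naming issuer_cert as issuer, signed with signing_key.
# Passing a key that does not belong to issuer_cert yields a CRL whose signature
# will not verify, which is the second thing the check below looks for.
def make_crl(issuer_cert, signing_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    rev = OpenSSL::X509::Revoked.new
    rev.serial = OpenSSL::BN.new(serial)
    rev.time = Time.now
    crl.add_revoked(rev)
  end
  crl.sign(signing_key, OpenSSL::Digest::SHA256.new)
  crl
end

# The check: a CRL served by a master must be issued by, and signed by, that
# master's own CA. Returns :issuer_mismatch (the symptom in the report, where
# host2 served a CRL issued by host1), :bad_signature, or :ok.
def check_crl_against_ca(crl_pem, ca_cert_pem)
  crl = OpenSSL::X509::CRL.new(crl_pem)
  ca  = OpenSSL::X509::Certificate.new(ca_cert_pem)
  return :issuer_mismatch unless crl.issuer.to_der == ca.subject.to_der
  return :bad_signature unless crl.verify(ca.public_key)
  :ok
end
```

Run `check_crl_against_ca` against the CRL file a master actually serves ($cadir/ca_crl.pem in the report) and that master's CA certificate; anything other than :ok means agents will fail exactly as host3 did.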

