Issue #8278 has been updated by Ben Hughes.
What happens when you try revoking the FQDN referenced by serial 0x01?

----------------------------------------
Feature #8278: Puppet cert should safeguard itself when revoking.
https://projects.puppetlabs.com/issues/8278

Author: Ben Hughes
Status: Needs More Information
Priority: Normal
Assignee: Ben Hughes
Category:
Target version:
Affected Puppet version:
Keywords: SSL
Branch:

# Overview #

With puppet cert you're able to revoke certificate 0x0001, which in pretty much all cases will be CA itself. puppet cert --clean/--revoke should present an error or a warning and require additional confirmation before doing this.

# Expected Behaviour #

Prompting or "--force-me-to-do-something-bad" option.

<pre>
puppetmaster# puppet cert --clean ca.puppetlabs.test
This will remove cert 0x0001 and possible invalidate your CA, are you sure?
</pre>

# Actual Behaviour #

<pre>
puppetmaster# openssl crl -text -in /var/lib/puppet/ssl/ca/ca_crl.pem
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha1WithRSAEncryption
        Issuer: /CN=ca.puppetlabs.test
        Last Update: Jun 24 17:58:26 2011 GMT
        Next Update: Jun 22 17:58:26 2016 GMT
        CRL extensions:
            X509v3 CRL Number:
                24
Revoked Certificates:
    Serial Number: 01
        Revocation Date: Jun 14 23:35:06 2011 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
</pre>

# Detail #

This can happen if inventory.txt rolls over too. So we'd need to check the serial numbers of the hostnames/CNs that the user specifies.
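The serial check the issue asks for, sketched as an added example with Ruby's OpenSSL standard library; this is not Puppet's code. The function names, the `force:` flag and the `ca.example.test` fixtures are hypothetical and constructed in memory; the guard compares serials rather than names, and the second function audits a CRL for the CA's own serial.

```ruby
require 'openssl'

# Constructed fixture: a self-signed CA holding serial 1, as in the report.
def build_ca(cn = 'ca.example.test')
  key  = OpenSSL::PKey::RSA.new(2048)
  name = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = name
  cert.issuer     = name
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed fixture: a CRL signed by the CA that lists the given serials.
def build_crl(ca_cert, ca_key, serials)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = ca_cert.subject
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  serials.each do |s|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = s
    entry.time   = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Hypothetical guard: compare the serial resolved for the requested name
# with the CA's own serial, and refuse unless the caller forces it.
def guard_revocation!(ca_cert, serial, force: false)
  if serial.to_i == ca_cert.serial.to_i && !force
    raise ArgumentError, format('serial 0x%04X is the CA certificate', serial.to_i)
  end
  serial.to_i
end

# Audit check: does a CRL issued by this CA already list the CA's serial?
def ca_serial_revoked?(ca_cert, crl)
  crl.verify(ca_cert.public_key) &&
    crl.revoked.any? { |e| e.serial.to_i == ca_cert.serial.to_i }
end
```

Because the comparison is on the serial, it also covers the inventory.txt rollover case from the Detail section, where a name other than the CA's resolves to the CA's serial.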
