Issue #11854 has been updated by Gonzalo Servat.

I am now running 2.7.10-1. Yes, the fingerprint from 'puppet cert list -a | grep host' matches the fingerprint in /var/lib/puppet/ssl/ca/signed/<host>.pem, which is the same fingerprint as on the actual host in certificate /var/lib/puppet/ssl/certs/<host>.pem. The client can connect OK to the puppet master, but 'puppet cert list -a' still shows the host as 'certificate revoked'.

The steps to reproduce are:

1) Client submits cert for signing for the first time
2) Certificate is signed on server (puppet cert sign <client>)
3) Client is rebuilt so the certificate is first removed by using 'puppet cert clean <client>'
4) Client submits new certificate to puppet master and then signed
5) 'puppet cert list -a' | grep <client> shows the certificate as revoked, even though it is signed and valid.

Is this the expected behaviour?

----------------------------------------
Refactor #11854: "Puppet cert list --all" output is confusing when a certificate has been cleaned and a new certificate has been signed
https://projects.puppetlabs.com/issues/11854#change-54488

Author: Gonzalo Servat
Status: Needs More Information
Priority: Normal
Assignee:
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

When signing a certificate for a host, and subsequently cleaning it, if you then sign a new certificate for the same host, the output of "puppet cert list --all" will be:

  - [host] ([fingerprint]) (certificate revoked)

So, according to this listing, the host appears to have its certificate revoked when, in fact, it's the OLD certificate that was revoked. It would be good to rework the output so that it shows something similar to:

  - [host] ([fingerprint]) (certificate revoked)
  - [host] ([fingerprint]) (certificate revoked)
  ...
  - [host] ([fingerprint]) (certificate revoked)
  + [host] ([fingerprint])

That way you can see all revoked certificates and the current signed certificate for the host.
I can see that the listing could potentially get very long, so perhaps maybe just show the last revoked certificate? Your thoughts?
