Issue #18173 has been reported by Ken Johnson.

----------------------------------------
Feature #18173: Puppet master fails to start when CA CRL is absent & inconsistent behavior with regards to missing CA CRL
https://projects.puppetlabs.com/issues/18173

Author: Ken Johnson
Status: Unreviewed
Priority: Normal
Assignee: 
Category: SSL
Target version: 
Affected Puppet version: 2.7.19
Keywords: 
Branch: 


So, if the ca_crl.pem file is absent on a Puppet master, it will freak out and 
die when you try to start the service, with an error like this:
<pre>
root@pm1:/etc/puppetlabs/puppet/ssl/ca# /etc/init.d/pe-httpd start
 * Starting web server pe-httpd
Syntax error on line 11 of /etc/puppetlabs/httpd/conf.d/puppetmaster.conf:
SSLCARevocationFile: file '/etc/puppetlabs/puppet/ssl/ca/ca_crl.pem' does not exist or is empty
Action 'start' failed.
The Apache error log may have more information.
                 [fail]
</pre>

From what I can tell, there's not an exposed, easy way of regenerating the CRL 
specifically. You can, however, generate and immediately clean a cert, and 
Puppet will cheerfully regenerate its CRL in the process of doing so if it is 
absent. It does this completely silently, as well. Example:

<pre>
root@pm1:/etc/puppetlabs/puppet/ssl/ca# ls
ca_crl.pem.bak  ca_key.pem  gencrl.rb      private   serial
ca_crt.pem      ca_pub.pem  inventory.txt  requests  signed
root@pm1:/etc/puppetlabs/puppet/ssl/ca# puppet cert generate test
notice: test has a waiting certificate request
notice: Signed certificate request for test
notice: Removing file Puppet::SSL::CertificateRequest test at '/etc/puppetlabs/puppet/ssl/ca/requests/test.pem'
notice: Removing file Puppet::SSL::CertificateRequest test at '/etc/puppetlabs/puppet/ssl/certificate_requests/test.pem'
root@pm1:/etc/puppetlabs/puppet/ssl/ca# puppet cert clean test
notice: Revoked certificate with serial 10
notice: Removing file Puppet::SSL::Certificate test at '/etc/puppetlabs/puppet/ssl/ca/signed/test.pem'
notice: Removing file Puppet::SSL::Certificate test at '/etc/puppetlabs/puppet/ssl/certs/test.pem'
notice: Removing file Puppet::SSL::Key test at '/etc/puppetlabs/puppet/ssl/private_keys/test.pem'
root@pm1:/etc/puppetlabs/puppet/ssl/ca# ls
ca_crl.pem      ca_crt.pem  ca_pub.pem  inventory.txt  requests  signed
ca_crl.pem.bak  ca_key.pem  gencrl.rb   private        serial
</pre>

I think this behavior could be improved. Possibly have the master regenerate 
its CRL if it is lacking at startup time (to be consistent with other commands 
which will happily do so without prompting or any notification of this action 
being taken). Or remove automagic silent CRL regeneration from the cert 
management commands, if this is something that's actually 
unintended/inadvisable. 

Adding CRL management to the puppet ca face would no doubt be helpful 
regardless of action taken on the other pieces.
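An added example, not part of the report and not Puppet's own code: a Ruby preflight check (stdlib OpenSSL only) that rejects a missing, empty, unparseable, foreign-issued or expired ca_crl.pem before Apache's SSLCARevocationFile does, and that diffs the revoked serials against an older copy such as the ca_crl.pem.bak in the listing, so a CRL that was silently regenerated from scratch and no longer lists earlier revocations is noticed. The CA, CRLs, CN and serial 10 are a constructed fixture written to a temporary directory.

```ruby
require 'openssl'
require 'tmpdir'

# Preflight check for the Puppet CA CRL before starting the master: returns a list of problems (empty = usable).
def check_crl(crl_path, ca_cert_path)
  # SSLCARevocationFile refuses a missing or empty file, so fail the same way, early and explicitly
  return ["#{crl_path} does not exist or is empty"] unless File.size?(crl_path)
  crl = OpenSSL::X509::CRL.new(File.read(crl_path))
  ca = OpenSSL::X509::Certificate.new(File.read(ca_cert_path))
  problems = []
  problems << 'CRL issuer does not match CA subject' unless crl.issuer.to_s == ca.subject.to_s
  problems << 'CRL signature does not verify with CA key' unless crl.verify(ca.public_key)
  problems << "CRL expired (nextUpdate #{crl.next_update})" if crl.next_update && crl.next_update < Time.now
  problems
rescue OpenSSL::X509::CRLError => e
  ["#{crl_path} is not a parseable CRL: #{e.message}"]
end

# Serials revoked in an older copy of the CRL but absent from the current one; a regenerated CRL starts empty.
def lost_revocations(current_path, backup_path)
  serials = ->(p) { OpenSSL::X509::CRL.new(File.read(p)).revoked.map { |r| r.serial.to_i } }
  serials.call(backup_path) - serials.call(current_path)
end

# Constructed fixture, not real Puppet data: a throwaway CA, a backup CRL revoking serial 10
# (as in the transcript above) and a freshly regenerated CRL with no entries at all.
def write_fixture(dir)
  key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version, ca.serial = 2, 1
  ca.subject = ca.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: pm1.example')
  ca.public_key = key.public_key
  ca.not_before, ca.not_after = Time.now - 60, Time.now + 3600
  ca.sign(key, OpenSSL::Digest.new('SHA256'))
  File.write(File.join(dir, 'ca_crt.pem'), ca.to_pem)
  make_crl = lambda do |serials|
    crl = OpenSSL::X509::CRL.new
    crl.issuer, crl.last_update, crl.next_update = ca.subject, Time.now - 60, Time.now + 3600
    serials.each { |s| crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial, r.time = s, Time.now - 30 }) }
    crl.sign(key, OpenSSL::Digest.new('SHA256')).to_pem
  end
  File.write(File.join(dir, 'ca_crl.pem.bak'), make_crl.call([10]))
  File.write(File.join(dir, 'ca_crl.pem'), make_crl.call([]))
end

dir = Dir.mktmpdir
write_fixture(dir)
p check_crl("#{dir}/ca_crl.pem", "#{dir}/ca_crt.pem")                 # [] : file loads fine
p lost_revocations("#{dir}/ca_crl.pem", "#{dir}/ca_crl.pem.bak")      # [10] : revocation silently gone
```

On a real master point the two functions at /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem, ca_crt.pem and the backup copy; a non-empty result from either is worth investigating before the service is started.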

