Issue #17864 has been updated by Dustin Mitchell.
The following patch against 3.0.2 fixes this for me:
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 2242873..d8d8b30 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -258,9 +258,11 @@ ERROR_STRING
@ssl_store.add_file(Puppet[:localcacert])
# If there's a CRL, add it to our store.
- if crl =
Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
- @ssl_store.flags =
OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if
Puppet.settings[:certificate_revocation]
- @ssl_store.add_crl(crl.content)
+ if Puppet.settings[:certificate_revocation]
+ if crl =
Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
+ @ssl_store.flags =
OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ @ssl_store.add_crl(crl.content)
+ end
end
return @ssl_store
end
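Review bot: the inner `if crl = ...indirection.find(CA_NAME)` still has no else branch, so when certificate_revocation is enabled but no CRL is found, the store is returned without V_FLAG_CRL_CHECK set and revocation checking is skipped silently. Consider logging a warning in that case so the operator can tell that the setting is on but not being enforced. The comment "# If there's a CRL, add it to our store." should also be updated to say that the lookup now only happens when certificate_revocation is set. A spec asserting that the CRL indirection is not queried when the setting is false would keep the fix from regressing.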
I'll make a pull request if it will be accepted.
----------------------------------------
Bug #17864: puppet client requests /production/certificate_revocation_list/ca
even with certificate_revocation=false
https://projects.puppetlabs.com/issues/17864#change-80026
Author: Dustin Mitchell
Status: Unreviewed
Priority: Normal
Assignee:
Category:
Target version:
Affected Puppet version: 3.0.2
Keywords:
Branch:
From puppet.conf:
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet
# don't check the master's CRL; see
# https://projects.puppetlabs.com/issues/14550
# for why this doesn't work with chained certs
certificate_revocation = false
yet, in the Apache logs,
10.12.130.18 - - [29/Nov/2012:13:15:02 -0800] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 404 45 "-" "-"
which was harmless enough until #4680 landed; now this request causes a failure.
The client is 2.7.17, because 2.7.18 and up suffer from #15561, overly-broad
certificate name rejections. So this *may* have been fixed in newer clients.
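
To see which agents still make this request, the master's access log can be summarized per client. The script below is an added example, not part of the original report or of Puppet; it assumes the Apache log format of the line quoted above, its function names are hypothetical, and every sample line except the first is constructed.

```ruby
# Added example: list agents that request the CA CRL, from an Apache access log.
# First sample line is the one quoted in the report; the rest are constructed.
SAMPLE_LOG = <<~LOG
  10.12.130.18 - - [29/Nov/2012:13:15:02 -0800] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 404 45 "-" "-"
  192.0.2.10 - - [29/Nov/2012:13:16:40 -0800] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 200 1024 "-" "-"
  192.0.2.11 - - [29/Nov/2012:13:17:05 -0800] "GET /production/catalog/agent1.example.test? HTTP/1.1" 200 5120 "-" "-"
  192.0.2.10 - - [29/Nov/2012:13:46:41 -0800] "GET /testing/certificate_revocation_list/ca HTTP/1.1" 200 1024 "-" "-"
  garbage line that does not parse
LOG

# client, identd, user, [time], "VERB path proto", status
LINE_RE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<verb>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) /
# /<environment>/certificate_revocation_list/ca with an optional query string
CRL_RE = %r{\A/(?<env>[^/?]+)/certificate_revocation_list/ca(?:\?.*)?\z}

# Returns { client_ip => { count:, statuses: { code => n }, envs: [...], last_seen: } }
def crl_requests(log)
  report = Hash.new do |h, ip|
    h[ip] = { count: 0, statuses: Hash.new(0), envs: [], last_seen: nil }
  end
  log.each_line do |line|
    m = LINE_RE.match(line) or next        # skip lines that are not access-log entries
    next unless m[:verb] == "GET"
    crl = CRL_RE.match(m[:path]) or next   # skip requests for other endpoints
    entry = report[m[:ip]]
    entry[:count] += 1
    entry[:statuses][m[:status].to_i] += 1
    entry[:envs] |= [crl[:env]]
    entry[:last_seen] = m[:time]
  end
  report
end

# Clients whose CRL request got a 4xx/5xx answer, i.e. the case in this report.
def failing_agents(report)
  report.select { |_ip, e| e[:statuses].keys.any? { |s| s >= 400 } }.keys.sort
end

if __FILE__ == $0
  report = crl_requests(SAMPLE_LOG)
  report.each do |ip, e|
    puts "#{ip} requests=#{e[:count]} statuses=#{e[:statuses]} envs=#{e[:envs].join(',')} last=#{e[:last_seen]}"
  end
  puts "failing: #{failing_agents(report).join(', ')}"
end
```

Clients that set certificate_revocation = false and still appear in this summary are running an agent without the fix.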