Issue #22116 has been reported by Sami Kerola.
----------------------------------------
Bug #22116: certificate clean or revoke does not work with passenger
https://projects.puppetlabs.com/issues/22116
* Author: Sami Kerola
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category: passenger
* Target version:
* Affected Puppet version: 3.2.2
* Keywords: certificate clean passenger apache httpd rhel6 redhat
* Branch:
----------------------------------------
First I tried to clean the certificate.
master ~ # puppet cert --clean client.example.com
Notice: Revoked certificate with serial 3
master ~ # puppet -V
3.2.2
When looking at the $ssldir/ca/signed/ directory contents, the
client.example.com.pem file is gone.
Unfortunately the client is still allowed to run puppet.
client # puppet agent -t
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/defaultgw.rb
Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Caching catalog for client.example.com
Info: Applying configuration version '1375961031'
Notice: Finished catalog run in 5.23 seconds
client # puppet -V
3.2.2
My assumption is that passenger has the client certificate in a cache.
The reason this assumption makes sense is that after Apache is
restarted the certificate will stop working.
The related Apache configuration is the following.
<VirtualHost *:8140>
ServerName master.example.com
DocumentRoot /opt/apache/master.example.com/html
<Directory /opt/apache/master.example.com/html>
Options Indexes FollowSymLinks MultiViews
AllowOverride None
Order allow,deny
allow from all
</Directory>
CustomLog /opt/apache/master.example.com/logs/master.example.com_access.log common2
ErrorLog /opt/apache/master.example.com/logs/master.example.com_error.log
LogLevel debug
ServerSignature Off
SSLEngine on
SSLProtocol -ALL +SSLv3 +TLSv1
SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
SSLCertificateFile /var/lib/puppet/ssl/certs/master.example.com.pem
SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master.example.com.pem
SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
SSLVerifyClient optional
SSLVerifyDepth 1
SSLOptions +StdEnvVars +ExportCertData
# This header needs to be set if using a loadbalancer or proxy
#RequestHeader unset X-Forwarded-For
# The following client headers allow the same configuration to work
# with Pound.
RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
DocumentRoot /etc/puppet/rack/public/
RackBaseURI /
<Directory /etc/puppet/rack/public/>
Options None
AllowOverride None
Order allow,deny
allow from all
</Directory>
</VirtualHost>
As far as I can tell there is nothing extra special about this passenger
set up.
# rpm -q httpd
httpd-2.2.15-15.el6_2.1.x86_64
# rpm -qa | grep ssl
openssl098e-0.9.8e-17.el6_2.2.x86_64
mod_ssl-2.2.15-15.el6_2.1.x86_64
openssl-1.0.0-20.el6_2.5.x86_64
# rpm -qa | grep passenger
mod_passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6.1.x86_64
# rpm -q ruby
ruby-1.8.7.352-7.el6_2.x86_64
# gem list
*** LOCAL GEMS ***
fastthread (1.0.7)
json (1.5.5)
rack (1.3.0)
rake (0.8.7)
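As an added defender-side check (not part of the bug report or of Puppet), the following script confirms two things after a `puppet cert --clean`: that the revoked serial really landed in ca_crl.pem, and whether the running httpd has loaded that CRL at all. mod_ssl reads SSLCARevocationFile when httpd starts, so a CRL written afterwards is not enforced until a restart or graceful reload, which matches the behaviour observed above. The `openssl crl -text` output and the notice line below are constructed samples; the pid file path is an assumption.

```python
import re
from typing import Set

# Constructed sample of `openssl crl -in /var/lib/puppet/ssl/ca/ca_crl.pem -noout -text`
# after `puppet cert --clean client.example.com` revoked serial 3, as in the report.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Puppet CA: master.example.com
        Last Update: Aug  8 11:23:51 2013 GMT
        Next Update: Aug  7 11:23:51 2018 GMT
Revoked Certificates:
    Serial Number: 03
        Revocation Date: Aug  8 11:23:51 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
"""

# openssl prints serials in hex, optionally colon separated for long values.
SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", re.M)


def revoked_serials(crl_text: str) -> Set[int]:
    """Serial numbers listed under 'Revoked Certificates' in `openssl crl -text` output."""
    _, _, revoked_section = crl_text.partition("Revoked Certificates:")
    return {int(s.replace(":", ""), 16) for s in SERIAL_RE.findall(revoked_section)}


def serial_from_clean_notice(notice: str) -> int:
    """Decimal serial from 'Notice: Revoked certificate with serial N' (puppet cert --clean)."""
    m = re.search(r"Revoked certificate with serial (\d+)", notice)
    if m is None:
        raise ValueError("no revocation notice found in: %r" % notice)
    return int(m.group(1))


def revocation_status(serial: int, crl_text: str, crl_mtime: float, httpd_start: float) -> str:
    """Classify why a cleaned client might still be accepted.

    crl_mtime: st_mtime of ca_crl.pem; httpd_start: epoch time the httpd master
    process started (e.g. `ps -o lstart= -p "$(cat /var/run/httpd/httpd.pid)"`,
    pid file path assumed for RHEL 6).
    """
    if serial not in revoked_serials(crl_text):
        return "not-in-crl"        # CA never wrote the revocation; re-run puppet cert --clean
    if crl_mtime > httpd_start:
        return "crl-not-loaded"    # CRL is newer than httpd: mod_ssl still enforces the old one
    return "enforced"              # CRL loaded by httpd and the serial is in it
```

A result of `crl-not-loaded` is the situation described in the report: the CA side is correct and only a restart or graceful reload of httpd makes the revocation effective.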