Issue #22116 has been updated by Peter Meier.
AFAIR this is a bug in Apache as it does not reread the CRL without a reload. And as the puppetmaster delegates all SSL stuff to Apache when running as a Passenger there is little it can do. We defined "service httpd reload" as a necessary step when decommissioning a host. I think there is even a very old Apache bug report about this issue.

----------------------------------------
Bug #22116: certificate clean or revoke does not work with passenger
https://projects.puppetlabs.com/issues/22116#change-96729

* Author: Sami Kerola
* Status: Unreviewed
* Priority: Normal
* Assignee:
* Category: passenger
* Target version:
* Affected Puppet version: 3.2.2
* Keywords: certificate clean passenger apache httpd rhel6 redhat
* Branch:
----------------------------------------

First I tried to clean the certificate.

master ~ # puppet cert --clean client.example.com
Notice: Revoked certificate with serial 3
master ~ # puppet -V
3.2.2

When looking at the $ssldir/ca/signed/ directory contents, the client.example.com.pem file is gone. Unfortunately the client is still allowed to run puppet.

client # puppet agent -t
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/defaultgw.rb
Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Caching catalog for client.example.com
Info: Applying configuration version '1375961031'
Notice: Finished catalog run in 5.23 seconds
client # puppet -V
3.2.2

My assumption is that Passenger has the client certificate in cache. The reason this assumption makes sense is that after Apache is restarted the certificate will stop working. The related Apache configuration is the following.

<VirtualHost *:8140>
  ServerName master.example.com
  DocumentRoot /opt/apache/master.example.com/html
  <Directory /opt/apache/master.example.com/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
  CustomLog /opt/apache/master.example.com/logs/master.example.com_access.log common2
  ErrorLog /opt/apache/master.example.com/logs/master.example.com_error.log
  LogLevel debug
  ServerSignature Off

  SSLEngine on
  SSLProtocol -ALL +SSLv3 +TLSv1
  SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP
  SSLCertificateFile /var/lib/puppet/ssl/certs/master.example.com.pem
  SSLCertificateKeyFile /var/lib/puppet/ssl/private_keys/master.example.com.pem
  SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
  SSLCACertificateFile /var/lib/puppet/ssl/ca/ca_crt.pem
  SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem
  SSLVerifyClient optional
  SSLVerifyDepth 1
  SSLOptions +StdEnvVars +ExportCertData

  # This header needs to be set if using a loadbalancer or proxy
  #RequestHeader unset X-Forwarded-For

  # The following client headers allow the same configuration to work
  # with Pound.
  RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
  RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

  DocumentRoot /etc/puppet/rack/public/
  RackBaseURI /
  <Directory /etc/puppet/rack/public/>
    Options None
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>
</VirtualHost>

As far as I can tell there is nothing extra special about this Passenger set up.

# rpm -q httpd
httpd-2.2.15-15.el6_2.1.x86_64
# rpm -qa | grep ssl
openssl098e-0.9.8e-17.el6_2.2.x86_64
mod_ssl-2.2.15-15.el6_2.1.x86_64
openssl-1.0.0-20.el6_2.5.x86_64
# rpm -qa | grep passenger
mod_passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6.1.x86_64
# rpm -q ruby
ruby-1.8.7.352-7.el6_2.x86_64
# gem list

*** LOCAL GEMS ***

fastthread (1.0.7)
json (1.5.5)
rack (1.3.0)
rake (0.8.7)
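The behaviour described in this thread (the master's CA revokes on disk, mod_ssl keeps enforcing the CRL it loaded at start/reload) can be reproduced with a throwaway CA. The script below is an added example, not code from the bug report, from Puppet or from Apache. It assumes only the openssl command-line tool: it builds a lab CA, issues one client certificate, copies the empty CRL (standing in for the snapshot Apache read from SSLCARevocationFile), revokes the client and regenerates the CRL, then verifies the client certificate against the stale snapshot and against the fresh file. The CA name, hostname, paths, serial and the function names (make_lab_ca, verify_with_crl, crl_lists_serial and so on) are all constructed for the lab.

```shell
#!/bin/sh
# Added example, not from the bug report. Lab CA built with the openssl CLI
# to show why "puppet cert --clean" alone is not enough when Apache/Passenger
# terminates TLS: Apache reads SSLCARevocationFile once per start/reload, so
# the CRL it enforces is a snapshot. All names and paths are constructed.
set -eu

# Create a minimal OpenSSL CA layout and an empty CRL in directory $1.
make_lab_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"
    : > "$dir/index.txt"
    echo 01 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = $dir
database = \$dir/index.txt
serial = \$dir/serial
new_certs_dir = \$dir/newcerts
certificate = \$dir/ca.pem
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = lab_policy
[ lab_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" -days 365 \
        -subj "/CN=Lab Puppet CA" 2>/dev/null
    # Empty CRL: nothing revoked yet. This is what Apache would load at start.
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca_crl.pem" 2>/dev/null
}

# Issue a client certificate for hostname $2; it is written to $1/$2.pem.
issue_client_cert() {
    dir=$1; host=$2
    openssl req -config "$dir/ca.cnf" -newkey rsa:2048 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.csr" -subj "/CN=$host" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -in "$dir/$host.csr" \
        -out "$dir/$host.pem" 2>/dev/null
}

# Revoke the client cert and regenerate the CRL on disk. This is the part
# "puppet cert --clean" does to $ssldir/ca/ca_crl.pem; nothing here tells a
# running Apache to reread the file.
revoke_client_cert() {
    dir=$1; host=$2
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/$host.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca_crl.pem" 2>/dev/null
}

# Returns 0 if cert $3 is accepted under CA $1 and CRL $2, 1 if rejected as
# revoked, 2 for any other verification failure.
verify_with_crl() {
    ca=$1; crl=$2; cert=$3
    out=$(openssl verify -crl_check -CAfile "$ca" -CRLfile "$crl" "$cert" 2>&1) && return 0
    case $out in
        *"certificate revoked"*) return 1 ;;
        *) echo "$out" >&2; return 2 ;;
    esac
}

# Returns 0 if decimal serial $2 is listed as revoked in CRL $1 (the check
# to run against ca_crl.pem after a clean/revoke on the master).
crl_lists_serial() {
    hex=$(printf '%02X' "$2")
    openssl crl -in "$1" -noout -text | grep -q "Serial Number: $hex\$"
}

# Full scenario in directory $1: succeeds only when the stale snapshot still
# accepts the revoked client while the regenerated CRL rejects it.
demo_stale_snapshot() {
    lab=$1; client=client.example.com
    make_lab_ca "$lab"
    issue_client_cert "$lab" "$client"
    cp "$lab/ca_crl.pem" "$lab/stale_crl.pem"   # Apache's in-memory copy
    revoke_client_cert "$lab" "$client"          # what the master does on disk
    stale=0; verify_with_crl "$lab/ca.pem" "$lab/stale_crl.pem" "$lab/$client.pem" || stale=$?
    fresh=0; verify_with_crl "$lab/ca.pem" "$lab/ca_crl.pem" "$lab/$client.pem" || fresh=$?
    echo "stale CRL (no httpd reload): rc=$stale   fresh CRL (after reload): rc=$fresh"
    [ "$stale" -eq 0 ] && [ "$fresh" -eq 1 ]
}

demo_stale_snapshot "$(mktemp -d)"
```

On a real master the two checks carry over directly: after puppet cert --clean, the revoked serial (3 in the report above) must show up in the revoked list of $ssldir/ca/ca_crl.pem, and only a reload of httpd makes mod_ssl read that file again. Until the reload, the snapshot is what is enforced, which is exactly why the agent run above still succeeds.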
