Issue #22116 has been updated by Nigel Kersten.

Description updated

----------------------------------------
Bug #22116: certificate clean or revoke does not work with passenger
https://projects.puppetlabs.com/issues/22116#change-98341

* Author: Sami Kerola
* Status: Unreviewed
* Priority: Normal
* Assignee: 
* Category: passenger
* Target version: 
* Affected Puppet version: 3.2.2
* Keywords: certificate clean passenger apache httpd rhel6 redhat
* Branch: 
----------------------------------------
First I tried to clean certificate.

<pre>
master ~ # puppet cert --clean client.example.com 
Notice: Revoked certificate with serial 3
master ~ # puppet -V
3.2.2
</pre>

When looking at the $ssldir/ca/signed/ directory contents, the
client.example.com.pem file is gone.

Unfortunately, the client is still allowed to run puppet.

<pre>
client # puppet agent -t
Info: Retrieving plugin
Info: Loading facts in /var/lib/puppet/lib/facter/defaultgw.rb
Info: Loading facts in /var/lib/puppet/lib/facter/concat_basedir.rb
Info: Loading facts in /var/lib/puppet/lib/facter/facter_dot_d.rb
Info: Loading facts in /var/lib/puppet/lib/facter/root_home.rb
Info: Caching catalog for client.example.com
Info: Applying configuration version '1375961031'
Notice: Finished catalog run in 5.23 seconds
client # puppet -V
3.2.2
</pre>

My assumption is that passenger has the client certificate in cache.
The reason this assumption makes sense is that after Apache is
restarted the certificate stops working.

The related Apache configuration is the following.

<pre>
<VirtualHost *:8140>

  ServerName master.example.com
  DocumentRoot /opt/apache/master.example.com/html

  <Directory /opt/apache/master.example.com/html>
    Options Indexes FollowSymLinks MultiViews
    AllowOverride None
    Order allow,deny
    allow from all
  </Directory>

  CustomLog /opt/apache/master.example.com/logs/master.example.com_access.log common2
  ErrorLog /opt/apache/master.example.com/logs/master.example.com_error.log
  LogLevel debug
  ServerSignature Off

    SSLEngine on
    SSLProtocol -ALL +SSLv3 +TLSv1
    SSLCipherSuite ALL:!ADH:RC4+RSA:+HIGH:+MEDIUM:-LOW:-SSLv2:-EXP

    SSLCertificateFile      /var/lib/puppet/ssl/certs/master.example.com.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/master.example.com.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem
    SSLVerifyClient         optional
    SSLVerifyDepth          1
    SSLOptions              +StdEnvVars +ExportCertData

    # This header needs to be set if using a loadbalancer or proxy
    #RequestHeader unset X-Forwarded-For

    # The following client headers allow the same configuration to work
    # with Pound.
    RequestHeader set X-SSL-Subject %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-DN %{SSL_CLIENT_S_DN}e
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e

    DocumentRoot /etc/puppet/rack/public/
    RackBaseURI /
    <Directory /etc/puppet/rack/public/>
        Options None
        AllowOverride None
        Order allow,deny
        allow from all
    </Directory>

</VirtualHost>
</pre>

As far as I can tell there is nothing extra special about this passenger
set up.

<pre>
# rpm -q httpd 
httpd-2.2.15-15.el6_2.1.x86_64

# rpm -qa | grep ssl
openssl098e-0.9.8e-17.el6_2.2.x86_64
mod_ssl-2.2.15-15.el6_2.1.x86_64
openssl-1.0.0-20.el6_2.5.x86_64

# rpm -qa | grep passenger
mod_passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-3.0.17-2.el6.1.x86_64
rubygem-passenger-native-libs-3.0.17-2.el6.1.x86_64

# rpm -q ruby
ruby-1.8.7.352-7.el6_2.x86_64

# gem list
*** LOCAL GEMS ***
fastthread (1.0.7)
json (1.5.5)
rack (1.3.0)
rake (0.8.7)
</pre>
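The behaviour in the report matches how mod_ssl handles SSLCARevocationFile: the CRL named there is read when the server starts, so after `puppet cert --clean` updates `$ssldir/ca/ca_crl.pem` on disk, the running Apache keeps verifying clients against the CRL it loaded earlier until it is restarted or gracefully reloaded. The Ruby script below, added here as an illustration and not part of the bug report or of Puppet itself, reproduces the two states with a throwaway CA: a verify store holding the old CRL (what the running server has in memory) still accepts the client certificate with serial 3, while a store holding the freshly written CRL rejects it. The CA name, the client name and the serial are constructed to mirror the report; `revoked_serials` is the check to run against the real `ca_crl.pem` to confirm that the clean actually reached the CRL file before blaming the server.

```ruby
require 'openssl'

# Build a self-signed CA able to sign certificates and CRLs.
# (Throwaway key material, constructed for this example only.)
def make_ca
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse('/CN=Puppet CA: master.example.com')
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  # cRLSign is required or OpenSSL refuses to trust CRLs signed by this CA.
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

# Issue a client certificate with a chosen serial, as the Puppet CA would.
def issue_client_cert(ca_key, ca_cert, cn, serial)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = ca_cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  cert
end

# Produce a signed CRL listing the given serials as revoked.
def build_crl(ca_key, ca_cert, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 60
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# Serials listed in a CRL; point this at the on-disk ca_crl.pem to confirm
# that `puppet cert --clean` actually recorded the revocation.
def revoked_serials(crl)
  crl.revoked.map { |entry| entry.serial.to_i }
end

# Mirror mod_ssl's verification: trust the CA cert and, when a CRL is given,
# reject certificates it lists. Whichever CRL object is passed here plays the
# role of the CRL the server has loaded in memory.
def cert_accepted?(ca_cert, cert, crl = nil)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if crl
    store.add_crl(crl)
    store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  end
  store.verify(cert)
end

if __FILE__ == $PROGRAM_NAME
  ca_key, ca_cert = make_ca
  client = issue_client_cert(ca_key, ca_cert, 'client.example.com', 3)
  stale_crl = build_crl(ca_key, ca_cert, [])   # what Apache loaded at startup
  fresh_crl = build_crl(ca_key, ca_cert, [3])  # what is on disk after the clean
  puts "on-disk CRL revokes: #{revoked_serials(fresh_crl).inspect}"
  puts "accepted with stale CRL: #{cert_accepted?(ca_cert, client, stale_crl)}"
  puts "accepted with fresh CRL: #{cert_accepted?(ca_cert, client, fresh_crl)}"
end
```

Against a real master, load the file with `OpenSSL::X509::CRL.new(File.read('/var/lib/puppet/ssl/ca/ca_crl.pem'))` and check that `revoked_serials` contains the serial printed by `puppet cert --clean`; if it does, the remaining gap is the server's in-memory copy, which a graceful reload of httpd refreshes.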

