Hi all,

I have a second puppet server (test) where I copied ONLY ca* from the prod server. This server is running 2.6.1 + mongrel with SSLVerifyClient optional.

I have two strange behaviours which I'd like to discuss with some expert user.

1.-) I'm running new clients against this "new" server, they request the signing, and then I can sign the client from the master:

    Client# puppetd --server ser01-test.pic.es --test
    info: Creating a new SSL key for tditaller013.pic.es
    warning: peer certificate won't be verified in this SSL session
    info: Caching certificate for ca
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    info: Creating a new SSL certificate request for client.pic.es
    info: Certificate Request fingerprint (md5): 6E:F9:CC:81:72:F1:E8:51:CE:BD:97:67:19:9B:6C:22
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    warning: peer certificate won't be verified in this SSL session
    Exiting; no certificate found and waitforcert is disabled

    server# puppetca --list
    client.pic.es
    # puppetca --sign client.pic.es
    notice: Signed certificate request for client.pic.es
    notice: Removing file Puppet::SSL::CertificateRequest client.pic.es at '/var/lib/puppet/ssl/ca/requests/client.pic.es.pem'

That's fine. But when I run an "old" client, which already has the CA from the prod server (which is the same as the test one), it runs with no problem:

    Old-client# puppetd --server ser01-test.pic.es --test
    info: Caching catalog at /var/lib/puppet/localconfig.yaml
    notice: Starting catalog run
    notice: Finished catalog run in 0.29 seconds

And I can't see it at the server side:

    # puppetca --list --all
    + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
    + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)

Notice old-client is not listed. So it seems that old clients are attached to the test server and cert security is not considered.

I can clean its cert, but nothing happens:

    # puppetca --clean oldclient.pic.es
    notice: Revoked certificate with serial 1781

2.-) If I revoke (clean) a cert of a client, the cert is revoked but the client is able to run against the server:

Server:

    # puppetca --list --all
    + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
    + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
    # puppetca --clean client.pic.es
    notice: Revoked certificate with serial 2008
    notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
    notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/certs/client.pic.es.pem'

Client:

    # puppetd --server ser01-test.pic.es --test
    info: Caching catalog for client.pic.es
    info: Applying configuration version '1285678851'
    notice: Finished catalog run in 0.01 seconds

Is this the desired behaviour? If yes, how can I revoke certs so clients can't connect to the master again?

TIA,
Arnau
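An added configuration example, not from the original post and not Puppet's or Apache's own documentation: the Apache mod_ssl front-end that the Puppet 2.6 mongrel setup puts in front of the puppetmaster processes, with the weak form the post describes beside the corrected one. In this setup Apache terminates TLS, so puppetmaster never examines the client certificate itself and relies on the X-Client-Verify / X-Client-DN headers Apache sets; a revocation recorded by `puppetca --clean` therefore only takes effect if mod_ssl is told where the CA's CRL lives. Hostnames, ports and paths below are assumptions; `/var/lib/puppet/ssl/ca/ca_crl.pem` and `ca_crt.pem` are the Puppet 2.6 defaults for the CRL (`cacrl`) and CA certificate (`cacert`), assumed present here because `ca*` was copied from prod.

```apache
# Added example: Apache 2.2 mod_ssl front-end for a Puppet 2.6 master behind mongrel.
# Hostnames, ports and paths are assumptions for illustration.

<VirtualHost *:8140>
    SSLEngine on

    # Server identity: the master's own cert and key, issued by the Puppet CA.
    SSLCertificateFile      /var/lib/puppet/ssl/certs/ser01-test.pic.es.pem
    SSLCertificateKeyFile   /var/lib/puppet/ssl/private_keys/ser01-test.pic.es.pem
    SSLCertificateChainFile /var/lib/puppet/ssl/ca/ca_crt.pem

    # Trust anchor for client certs: anything signed by this CA key is accepted.
    # Because ca* was copied from prod, certs the prod master issued pass this
    # check too, which is why an "old" client connects without ever appearing in
    # this server's `puppetca --list --all` (that list only covers certs this
    # CA directory itself holds under ca/signed).
    SSLCACertificateFile    /var/lib/puppet/ssl/ca/ca_crt.pem

    # WEAK (the situation in the post): no CRL is consulted, so `puppetca --clean`
    # updates ca_crl.pem on disk but mod_ssl keeps accepting the revoked cert.
    #   (SSLCARevocationFile absent)
    #
    # CORRECTED: point mod_ssl at the CRL the Puppet CA maintains. Apache 2.2
    # reads this file at startup, so reload Apache after each `puppetca --clean`
    # for the revocation to take effect. On Apache 2.4 you additionally need
    # "SSLCARevocationCheck chain" or the file is loaded but never checked.
    SSLCARevocationFile     /var/lib/puppet/ssl/ca/ca_crl.pem

    # "optional" stays: a brand-new client has no cert yet and must be able to
    # submit its CSR unauthenticated (the first transcript in the post). A client
    # that does present a cert is fully verified, chain and, with the line above,
    # CRL, and a failing cert aborts the TLS handshake. "require" would break
    # bootstrapping of new nodes.
    SSLVerifyClient optional
    SSLVerifyDepth  1
    SSLOptions +StdEnvVars

    # Hand the verification result to puppetmaster. "set" overwrites anything a
    # client sent in these headers, so a node cannot claim SUCCESS on its own.
    RequestHeader set X-Client-Verify %{SSL_CLIENT_VERIFY}e
    RequestHeader set X-Client-DN     %{SSL_CLIENT_S_DN}e

    ProxyPass        / balancer://puppetmaster/
    ProxyPassReverse / balancer://puppetmaster/
    ProxyPreserveHost on
</VirtualHost>

# Assumed mongrel backends started on the ports below.
<Proxy balancer://puppetmaster>
    BalancerMember http://127.0.0.1:18140
    BalancerMember http://127.0.0.1:18141
</Proxy>
```

To check the CA side before touching Apache, `openssl crl -in /var/lib/puppet/ssl/ca/ca_crl.pem -noout -text` should list the serial `puppetca --clean` reported (2008 in the post) under "Revoked Certificates". After the reload, a `puppetd --test` from the cleaned client should fail during the TLS handshake rather than fetch a catalog; if it still succeeds, Apache is either not reading this CRL file or was not reloaded after the revocation.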
