On 28/09/10 15:26, Arnau Bria wrote:
> Hi all,
>
> I've a second puppet server (test) where I copied ONLY ca* from the prod
> server. This server is running 2.6.1 + mongrel with SSLVerifyClient
> optional.
>
> I have 2 strange behaviours which I'd like to comment on with some expert
> user.
>
> 1.-)
> I'm running new clients against this "new" server, they request
> the sign, and then I can sign the client from the master:
> [snipped]
> that's fine.

That's normal behaviour.

> But when I run an "old" client, which already has the CA from the prod server
> (which is the same as the test one), it runs with no problem:

This is normal too. The client knows the CA, so it can validate the new master's server certificate. The reverse is also true: the server can validate the client cert because it was signed by the same CA certificate (and it is not in the CRL).

> Old-client# puppetd --server ser01-test.pic.es --test
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> notice: Finished catalog run in 0.29 seconds
>
> And I can't see it on the server side:
> # puppetca --list --all
> + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
>
> *notice old-client is not listed.

This is also normal. The client certificates *don't* need to be listed to be validated and for the communication to be secure. The client cert is "cached" on the master when signing it, but it doesn't have to be.

> So, it seems that old clients are attached to the test server and cert
> security is not considered.

It is considered, and security is enforced even when the certificate is not present on the master.

> I can clean its cert, but nothing happens:
>
> # puppetca --clean oldclient.pic.es
> notice: Revoked certificate with serial 1781

Your certificate for oldclient is now revoked on *the test master*. It isn't revoked on your production master.

> 2.-) If I revoke (clean) a cert of a client, the cert is revoked but the
> client is able to run against the server:
>
> Server:
>
> # puppetca --list --all
> + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
>
> # puppetca --clean client.pic.es
> notice: Revoked certificate with serial 2008
> notice: Removing file Puppet::SSL::Certificate client.pic.es at
> '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
> notice: Removing file Puppet::SSL::Certificate client.pic.es at
> '/var/lib/puppet/ssl/certs/client.pic.es.pem'
>
> client:
> # puppetd --server ser01-test.pic.es --test
> info: Caching catalog for client.pic.es
> info: Applying configuration version '1285678851'
> notice: Finished catalog run in 0.01 seconds
>
>
> Is it a desired behaviour? If yes, how may I revoke certs so clients
> can't connect to the master again?

It shouldn't. Check your nginx/apache configuration; it should have the necessary statements to check the CRL. For instance, on my nginx master:

    ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

You also need an nginx version that supports the CRL (i.e. >= 0.7.64).
--
Brice Figureau
My Blog: http://www.masterzen.fr/

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to [email protected].
To unsubscribe from this group, send email to [email protected].
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
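The point Brice makes in his answer to 2.-) (and, indirectly, to 1.-)) is that revoking a certificate only puts its serial on the CA's CRL; whether a connection is refused depends entirely on the TLS front end being told to check that CRL. The following script is an added example, not code from this thread, from Puppet or from Brice's master: it builds a throwaway CA with the openssl CLI, signs a client certificate, revokes it and regenerates the CRL (the moral equivalent of puppetca --sign and puppetca --clean), then verifies the client certificate once without any CRL and once with the CRL loaded and checked. The "Demo Puppet CA" name and all paths are invented for the demo; client.pic.es is borrowed from the thread; the openssl binary is assumed to be in PATH; and openssl verify's -crl_check/-CRLfile flags stand in for nginx's ssl_crl directive.

```shell
#!/bin/sh
# Added example, not code from the thread or from Puppet: a throwaway CA built
# with the openssl CLI to show that "revoking" a certificate only publishes it
# on a CRL, and that a verifier which is never told about that CRL (a front end
# without nginx's ssl_crl) keeps accepting the certificate. Names and paths are
# invented for the demo; client.pic.es is borrowed from the thread.
set -e

# Build the CA directory plus the minimal openssl.cnf that "openssl ca" needs.
# Prints the directory path.
setup_ca() {
    d=$(mktemp -d)
    : > "$d/index.txt"
    echo 01 > "$d/serial"
    echo 01 > "$d/crlnumber"
    cat > "$d/openssl.cnf" <<EOF
[ ca ]
default_ca = demo_ca
[ demo_ca ]
database         = $d/index.txt
new_certs_dir    = $d
serial           = $d/serial
crlnumber        = $d/crlnumber
certificate      = $d/ca.pem
private_key      = $d/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = policy_any
x509_extensions  = client_ext
[ policy_any ]
commonName = supplied
[ client_ext ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = req_dn
x509_extensions    = ca_ext
[ req_dn ]
commonName = Common Name
[ ca_ext ]
basicConstraints     = critical, CA:TRUE
keyUsage             = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
    # Self-signed CA cert and key (the role of ssl/ca/ca_crt.pem and ca_key.pem on a master).
    openssl req -config "$d/openssl.cnf" -x509 -newkey rsa:2048 -nodes -days 2 \
        -subj "/CN=Demo Puppet CA" -keyout "$d/ca.key" -out "$d/ca.pem" >/dev/null 2>&1
    echo "$d"
}

# Issue a client certificate from a CSR and record it in the CA's index.txt
# (what "puppetca --sign" does for a pending request).
issue_client_cert() {
    d=$1; name=$2
    openssl req -config "$d/openssl.cnf" -new -newkey rsa:2048 -nodes \
        -subj "/CN=$name" -keyout "$d/$name.key" -out "$d/$name.csr" >/dev/null 2>&1
    openssl ca -config "$d/openssl.cnf" -batch -notext \
        -in "$d/$name.csr" -out "$d/$name.pem" >/dev/null 2>&1
}

# Revoke the certificate and regenerate the CRL (what "puppetca --clean" does:
# the serial lands on the CRL, and nothing else happens by itself).
revoke_client_cert() {
    d=$1; name=$2
    openssl ca -config "$d/openssl.cnf" -revoke "$d/$name.pem" >/dev/null 2>&1
    openssl ca -config "$d/openssl.cnf" -gencrl -out "$d/ca_crl.pem" >/dev/null 2>&1
}

# Verify the way a front end without ssl_crl does: chain to the CA, no CRL at all.
# Prints OK or FAIL.
verify_without_crl() {
    d=$1; name=$2
    if openssl verify -CAfile "$d/ca.pem" "$d/$name.pem" 2>&1 | grep -q ': OK$'; then
        echo OK
    else
        echo FAIL
    fi
}

# Verify the way nginx does with "ssl_crl ca_crl.pem": chain plus CRL check.
# Prints OK, REVOKED or FAIL.
verify_with_crl() {
    d=$1; name=$2
    out=$(openssl verify -crl_check -CAfile "$d/ca.pem" -CRLfile "$d/ca_crl.pem" \
        "$d/$name.pem" 2>&1 || true)
    case $out in
        *"certificate revoked"*) echo REVOKED ;;
        *": OK"*)                echo OK ;;
        *)                       echo FAIL ;;
    esac
}

# Walk through the thread's scenario end to end.
demo() {
    d=$(setup_ca)
    issue_client_cert "$d" client.pic.es
    echo "before revocation, no CRL check:   $(verify_without_crl "$d" client.pic.es)"
    revoke_client_cert "$d" client.pic.es
    echo "after revocation,  no CRL check:   $(verify_without_crl "$d" client.pic.es)"
    echo "after revocation,  with CRL check: $(verify_with_crl "$d" client.pic.es)"
    rm -rf "$d"
}

demo
```

The three lines it prints are OK, OK and REVOKED: both verifiers trust the same CA, the certificate is revoked on the CA's side in both cases, and the only thing that changes the outcome is whether the verifier loads and checks the CRL. That is exactly what ssl_crl adds to an nginx front end (and what a master whose web server has no such statement is missing). One caveat that applies to the real setup as much as to the demo: the CRL is a file read by the front end, so after a revocation the regenerated CRL has to be the one the server actually has loaded, which with nginx means reloading its configuration.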
