On Sun, 03 Oct 2010 11:54:45 +0200 Brice Figureau wrote: [...]
> > But when I run an "old" client, which already has the CA from the prod
> > server (which is the same as the test one), it runs with no problem:
>
> This is normal too. The client knows the CA, it can validate the new
> master server certificate. The reverse is also true, the server can
> validate the client cert because it was signed by the same CA
> certificate (and it is not in the CRL).

Ok, it's not in the CRL. I missed that.

[...] thanks for the rest of the explanation.

> > 2.-) If I revoke (clean) a cert of a client, the cert is revoked but the
> > client is able to run against the server:
> >
> > Server:
> >
> > # puppetca --list --all
> > + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> > + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
> >
> > # puppetca --clean client.pic.es
> > notice: Revoked certificate with serial 2008
> > notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
> > notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/certs/client.pic.es.pem'
> >
> > client:
> > # puppetd --server ser01-test.pic.es --test
> > info: Caching catalog for client.pic.es
> > info: Applying configuration version '1285678851'
> > notice: Finished catalog run in 0.01 seconds
> >
> >
> > Is it a desired behaviour? If yes, how may I revoke certs so clients
> > can't connect to the master again?
>
> It shouldn't. Check your nginx/apache configuration, it should have
> the necessary statements to check the CRL.
> For instance on my nginx master:
> ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
>
> You also need a nginx version that supports the CRL (ie >= 0.7.64)

Will do, thanks for your reply,
Arnau
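Added example, not from this thread: it rebuilds the revoke-then-connect situation offline with a throwaway OpenSSL CA (all names, keys and the `ca.cnf` file are constructed) and runs the same CRL-aware check a proxy configured with `ssl_crl` performs, so you can confirm that a revoked client cert is actually rejected once the CRL is consulted.

```shell
#!/bin/sh
# Added example, not from the thread: reproduce the revoke-then-connect case
# offline with a throwaway CA and check the client cert the way a CRL-aware
# proxy (nginx ssl_crl) would. All names and keys here are constructed.
set -e
WORK=$(mktemp -d); cd "$WORK"
mkdir -p ca/newcerts; touch ca/index.txt
echo 1000 > ca/serial; echo 1000 > ca/crlnumber
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = ./ca.crt
private_key = ./ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = anything
[ anything ]
commonName = supplied
[ req ]
distinguished_name = dn
[ dn ]
EOF
# Throwaway CA plus a client cert named like the one revoked in the thread
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -subj /CN=demo-ca -days 365 -config ca.cnf 2>/dev/null
openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
  -subj /CN=client.pic.es -config ca.cnf 2>/dev/null
openssl ca -batch -config ca.cnf -in client.csr -out client.crt 2>/dev/null
gen_crl() { openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null; }
# verify_client: exit 0 = accepted, 1 = rejected. Without -crl_check a
# revoked cert still passes, which is the behaviour seen in the thread.
verify_client() {
  openssl verify -crl_check -CAfile ca.crt -CRLfile ca.crl client.crt >/dev/null 2>&1
}
gen_crl
verify_client && echo "before revoke: accepted"
openssl ca -config ca.cnf -revoke client.crt 2>/dev/null   # what puppetca --clean does
gen_crl                                                    # CRL must be regenerated
verify_client || echo "after revoke: rejected (CRL honoured)"
```

The CRL file handed to the proxy must be regenerated after each revocation; an `ssl_crl` line pointing at a stale file gives the same false sense of security as none at all.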
