On 02/19/2011 03:43 AM, Eric Sorenson wrote:
>
> On Feb 18, 2011, at 5:46 PM, Jeff McCune wrote:
>>
>> Thanks for the follow up Eric, please let us know if you figure this
>> out. I suspect I'm going to run into this as well and may have been
>> working with someone in training yesterday.
>
> I believe it's related to changing the name of the issuer for the CA, from
> here:
>
> http://www.mail-archive.com/[email protected]/msg09176.html
>
> When I have an empty CRL, the clients work fine. The CRL looks like:
>
> # openssl crl -noout -in ca_crl.pem -text
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /CN=ca
>         Last Update: Feb 19 01:46:28 2011 GMT
>         Next Update: Feb 18 01:46:28 2016 GMT
>         CRL extensions:
>             X509v3 CRL Number:
>                 0
> No Revoked Certificates.
>
> and it passes validation:
>
> # openssl crl -noout -CAfile ./ca_crt.pem -in ca_crl.pem -issuer
> verify OK
> issuer=/CN=ca
>
> As soon as I --clean a client, the CRL gets rewritten and starts failing:
>
> # openssl crl -noout -in ca_crl_fatal.pem -text
> Certificate Revocation List (CRL):
>         Version 2 (0x1)
>     Signature Algorithm: sha1WithRSAEncryption
>         Issuer: /CN=Puppet CA: puppetmaster001
>         Last Update: Feb 19 01:21:00 2011 GMT
>         Next Update: Feb 18 01:21:00 2016 GMT
>         CRL extensions:
>             X509v3 CRL Number:
>                 7
> [some revoked certs here]
>
> # openssl crl -noout -CAfile ./ca_crt.pem -in ca_crl_fatal.pem -text
> Error getting CRL issuer certificate
>
> Could it be that the issuer name change is causing the SSL client libraries
> to fail to match up the CRL with the issuing CA?
Definitely. This CRL is not related to your CA cert in any way. It's
probably a bug that the CRL is created this way. Can you find a CA cert
with the Subject CN as in the Issuer field above anywhere on your system?

Regards,
Felix
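A defender-side check for the mismatch discussed above, added here as an example that is not code from the thread or from Puppet: it compares the CRL's Issuer with the CA certificate's Subject (the pairing the client libraries need in order to find the CRL's issuer) and then re-runs the same openssl verification that failed for the poster. The demo PKI it builds is constructed for the example, with `ca_crl_fatal.pem` standing in for a CRL signed under the renamed issuer; it assumes the `openssl` CLI is on PATH.

```shell
#!/bin/sh
# Compare a CRL's Issuer with the CA certificate's Subject, then let openssl
# verify the CRL's signature against that CA (the check that reported
# "Error getting CRL issuer certificate" in the thread). 0 = consistent.
check_crl_issuer() {
    crl="$1"
    ca="$2"
    crl_issuer=$(openssl crl -noout -nameopt RFC2253 -issuer -in "$crl" | sed 's/^[a-z]*= *//')
    ca_subject=$(openssl x509 -noout -nameopt RFC2253 -subject -in "$ca" | sed 's/^[a-z]*= *//')
    if [ "$crl_issuer" != "$ca_subject" ]; then
        echo "MISMATCH: CRL issuer '$crl_issuer' vs CA subject '$ca_subject'" >&2
        return 1
    fi
    if ! openssl crl -noout -in "$crl" -CAfile "$ca" >/dev/null 2>&1; then
        echo "SIGNATURE: CRL names this CA but does not verify against it" >&2
        return 2
    fi
    echo "OK: CRL issued and signed by '$ca_subject'"
}

# Constructed demo PKI (not the poster's files): a CA named /CN=ca with the CRL
# it signed, plus a CRL signed by a different self-signed cert whose name
# matches the renamed issuer seen in the thread. Runs in a subshell.
make_demo_pki() (
    dir="$1"
    mkdir -p "$dir" && cd "$dir" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=ca" \
        -keyout ca.key -out ca_crt.pem >/dev/null 2>&1 || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Puppet CA: puppetmaster001" \
        -keyout renamed.key -out renamed_crt.pem >/dev/null 2>&1 || exit 1
    # Minimal 'openssl ca' config: -gencrl only needs a database and defaults.
    printf '[ ca ]\ndefault_ca = demo\n[ demo ]\ndatabase = index.txt\n' > ca.cnf
    printf 'default_md = sha256\ndefault_crl_days = 30\n' >> ca.cnf
    : > index.txt
    openssl ca -config ca.cnf -gencrl -keyfile ca.key -cert ca_crt.pem \
        -out ca_crl.pem >/dev/null 2>&1 || exit 1
    openssl ca -config ca.cnf -gencrl -keyfile renamed.key -cert renamed_crt.pem \
        -out ca_crl_fatal.pem >/dev/null 2>&1 || exit 1
)
```

Run `make_demo_pki /tmp/crldemo` and then `check_crl_issuer /tmp/crldemo/ca_crl_fatal.pem /tmp/crldemo/ca_crt.pem` to reproduce the mismatch; the same CRL checked against `renamed_crt.pem` passes, which is Felix's point that the CRL belongs to a differently named CA.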
