On Apr 13, 1:40 pm, Chip Schweiss <chip.schwe...@gmail.com> wrote:
> I'm in the process of scaling my puppet master to two servers with a
> separate CA.   My plan was to establish a new CA and reissue
> certificates.   Part way through the process I noticed a behavior that
> seems a bit alarming.
>
> With one of my clients pointing to the new CA and new Puppetmaster but with
> the old certificate I ran a 'puppetd --test --server puppet01.mydomain'
>
> I was expecting it to fail validation and then regenerate the client
> certificate.  However it ran without error.
>
> Thinking maybe it's still hitting the original CA, I backed up and wiped the
> ssl dir on the puppetmaster and restarted the puppetmaster to generate a new
> CA.   The client still works.  There are no signed certificates for this
> client on either puppetmaster or CA now and it still runs.
>
> Am I missing something about how the puppetmaster decides it's okay to talk
> to a client, or is all the security simply on the client side, and the
> puppetmaster trusts any puppet client?


I'm a bit confused about what you mean by the client "pointing to the
new CA" and Puppet "hitting the original CA".  The CA is only involved
in signing certificates.  It is not actively involved in verifying
certificates (though verifiers do use the CA's certificate).
Admittedly, that distinction can be somewhat muddy when the
Puppetmaster serves as its own CA, but it more-or-less still holds.

If your client already has a valid certificate, regardless of which CA
signed it, then that is the certificate it will present.  If the
master can verify that certificate then it will accept the client.

If you want the master to reject certificates signed by the old CA,
then you must configure it so that it does not trust that CA.  Even
better, also revoke all the certificates signed by the old CA and
install the corresponding CRL in the master.


John
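An added illustration of the point John makes above, not code from either poster or from Puppet itself: with plain openssl, build two throwaway CAs ("old" and "new"), issue a client certificate from the old one, and watch the verifier's decision depend only on which CA certificate it trusts and on whether a CRL lists the certificate. All names (old-ca, new-ca, client, demo.cnf) are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original thread). Reproduces the master-side
# decision with openssl: the client presents whatever certificate it already
# has; the verifier accepts it only if it chains to a CA it trusts and is not
# listed in a CRL it has been given. All material below is throwaway.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# One config for both 'openssl req' (CA extensions) and 'openssl ca' (CRL).
cat > demo.cnf <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
[ dn ]
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage         = critical,keyCertSign,cRLSign
[ ca ]
default_ca = old_ca
[ old_ca ]
database         = index.txt
crlnumber        = crlnumber
default_md       = sha256
default_crl_days = 1
certificate      = old-ca.crt
private_key      = old-ca.key
EOF

# mk_ca NAME: self-signed CA key and certificate (constructed test material)
mk_ca() {
  openssl req -config demo.cnf -x509 -newkey rsa:2048 -nodes \
    -keyout "$1-ca.key" -out "$1-ca.crt" -days 2 -subj "/CN=$1-ca" >/dev/null 2>&1
}

# issue_client CANAME CN: client key plus certificate signed by that CA
issue_client() {
  openssl req -config demo.cnf -newkey rsa:2048 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=$2" >/dev/null 2>&1
  openssl x509 -req -in "$2.csr" -CA "$1-ca.crt" -CAkey "$1-ca.key" \
    -CAcreateserial -out "$2.crt" -days 2 >/dev/null 2>&1
}

# verify_against CANAME CERT [CRL]: exit 0 if CERT chains to CANAME's CA
# (and, when a CRL is given, is not revoked in it), non-zero otherwise.
verify_against() {
  if [ -n "$3" ]; then
    openssl verify -crl_check -CAfile "$1-ca.crt" -CRLfile "$3" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1-ca.crt" "$2" >/dev/null 2>&1
  fi
}

# revoke_client: revoke client.crt with the old CA and publish old.crl
revoke_client() {
  : > index.txt
  echo 01 > crlnumber
  openssl ca -config demo.cnf -revoke client.crt >/dev/null 2>&1
  openssl ca -config demo.cnf -gencrl -out old.crl >/dev/null 2>&1
}

# Build the scenario from the thread: a client cert signed by the old CA.
setup() {
  mk_ca old
  mk_ca new
  issue_client old client
}

setup
if verify_against old client.crt; then
  echo "verifier trusts old CA: client accepted (what the poster saw)"
fi
if ! verify_against new client.crt; then
  echo "verifier trusts only new CA: client rejected"
fi
revoke_client
if ! verify_against old client.crt old.crl; then
  echo "verifier trusts old CA but checks its CRL: revoked client rejected"
fi
```

The second and third checks are the two remedies in the reply: stop trusting the old CA certificate, or keep trusting it but install a CRL that lists the certificates it issued. Note that `openssl verify` ignores a CRL unless `-crl_check` is passed, which is why the helper only adds that flag when a CRL file is supplied.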

-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to 
puppet-users+unsubscr...@googlegroups.com.
For more options, visit this group at 
http://groups.google.com/group/puppet-users?hl=en.