What would happen if I chattr +i ca_crl.pem to prevent it from being updated?
Certificate revocation is something that should be manually controlled
anyway.
Suppose that the Puppet error message is wrong (or at least misleading) and
the problem is not revocation. If the crl.pem file is immutable and this
error really happened, then I would know that it really isn't a revocation,
right? And if I ever do want to revoke a cert, all I have to do is chattr -i.
Would this break anything else in Puppet?
However, looking at it now, I can see that the ca_crl.pem was in fact
updated on the day I had problems with the puppetdb server's certificate
being 'revoked', so perhaps there is something revoking certs? Or is this
just coincidence?
Here we go:

openssl crl -in ca_crl.pem -text shows a bunch of revocations, and:

    Serial Number: 0C
        Revocation Date: Mar 17 18:15:36 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise

Why would some automated system think the key was compromised and revoke it
without any human intervention?
--
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/puppet-users/c349e224-679e-49ea-aa77-ce1c2ecd2af2%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
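As an added example (not code from the thread or from Puppet), the following script parses the text that `openssl crl -in ca_crl.pem -text -noout` prints, so an admin can answer the two questions above mechanically: is a given serial (such as 0C) actually in the CRL, with which reason code, and which entries were added around the day the error appeared. The CRL text embedded below is constructed to match the shape of the excerpt in the post (issuer name, serials and dates are made up); `load_from_openssl` runs the real openssl command on a file path of your choosing.

```python
#!/usr/bin/env python3
"""Parse `openssl crl -text -noout` output and query the revoked entries."""
import re
import subprocess
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Union

# Constructed sample: trimmed output of `openssl crl -in ca_crl.pem -text -noout`.
# The serials, dates and issuer are made up for this example.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet CA: puppet.example.com
        Last Update: Mar 17 18:15:36 2014 GMT
        Next Update: Mar 16 18:15:36 2019 GMT
Revoked Certificates:
    Serial Number: 05
        Revocation Date: Jan  9 10:02:11 2014 GMT
    Serial Number: 0C
        Revocation Date: Mar 17 18:15:36 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 1A
        Revocation Date: Mar 20 08:30:00 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Superseded
    Signature Algorithm: sha256WithRSAEncryption
         0c:3a:55:aa
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
DATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")
REASON_HDR_RE = re.compile(r"^\s*X509v3 CRL Reason Code:")


@dataclass
class RevokedEntry:
    serial: int                 # serial as an integer (0C -> 12)
    serial_hex: str             # serial as openssl prints it, e.g. "0C"
    date: datetime              # revocation time, UTC
    reason: Optional[str]       # reason code text, or None when absent


def _parse_date(text: str) -> datetime:
    # openssl pads single-digit days with a space ("Jan  9"); normalise that.
    text = " ".join(text.split())
    return datetime.strptime(text, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_crl_text(text: str) -> List[RevokedEntry]:
    """Return the entries listed under 'Revoked Certificates:'."""
    entries: List[RevokedEntry] = []
    cur: Optional[dict] = None
    in_revoked = False
    expect_reason = False

    def finish() -> None:
        if cur is None:
            return
        if "date" not in cur:
            raise ValueError("revoked entry %s has no Revocation Date" % cur["hex"])
        entries.append(RevokedEntry(cur["serial"], cur["hex"], cur["date"], cur.get("reason")))

    for line in text.splitlines():
        if not in_revoked:
            in_revoked = line.strip() == "Revoked Certificates:"
            continue
        if line.strip().startswith("Signature Algorithm"):
            break                           # end of the revoked list
        if expect_reason:
            cur["reason"] = line.strip()    # reason text is on the line after the header
            expect_reason = False
            continue
        m = SERIAL_RE.match(line)
        if m:
            finish()
            value = int(m.group(1), 16)
            cur = {"serial": value, "hex": format(value, "02X")}
            continue
        m = DATE_RE.match(line)
        if m and cur is not None:
            cur["date"] = _parse_date(m.group(1))
        elif REASON_HDR_RE.match(line) and cur is not None:
            expect_reason = True
    finish()
    return entries


def find_revocation(entries: List[RevokedEntry], serial: Union[int, str]) -> Optional[RevokedEntry]:
    """Look up a serial given as an int or as hex text ("0C", "0c", "c")."""
    wanted = serial if isinstance(serial, int) else int(serial, 16)
    return next((e for e in entries if e.serial == wanted), None)


def revoked_since(entries: List[RevokedEntry], since: datetime) -> List[RevokedEntry]:
    """Entries revoked at or after `since` (use this to check the day the error appeared)."""
    return [e for e in entries if e.date >= since]


def load_from_openssl(path: str) -> List[RevokedEntry]:
    """Run the real openssl command on a CRL file and parse its output."""
    out = subprocess.run(["openssl", "crl", "-in", path, "-text", "-noout"],
                         check=True, capture_output=True, text=True).stdout
    return parse_crl_text(out)


if __name__ == "__main__":
    import sys
    found = load_from_openssl(sys.argv[1]) if len(sys.argv) > 1 else parse_crl_text(SAMPLE_CRL_TEXT)
    for e in found:
        print("%-6s %s  %s" % (e.serial_hex, e.date.isoformat(), e.reason or "(no reason code)"))
```

Run it with no arguments to see the constructed sample parsed, or pass the path to a real ca_crl.pem. Comparing `revoked_since` against the file's mtime answers whether the update seen on the day of the problem actually added an entry for the puppetdb server's serial, or whether the file was merely rewritten unchanged.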