The CRL tends to only be read at startup by the web server. So restart and it should work - if non-puppetserver, you should have configured it correctly though.
--- R.I.Pienaar

> On 16 Jun 2016, at 05:38, Dan Mahoney <[email protected]> wrote:
>
> Hey all,
>
> This terrifies me.
>
> As part of my certificate roll, I did, on my master:
>
> root@pm:~ # puppet cert clean somehost.foo.org
> Notice: Revoked certificate with serial 43
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at '/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at '/var/puppet/ssl/certs/somehost.foo.org.pem'
>
> If I run it again, it re-revokes the cert, but of course there's nothing to delete. Doing puppet ca revoke somehost.foo.org also redoes the revocation.
>
> However the agent happily continues to download catalogs. (Or more accurately, the master continues to hand them out).
>
> I've verified that the cert is listed as revoked in *both* the host CRL as well as the CA CRL, using the following:
>
> openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
>
> (where it's listed as 2B, because it's in hex, but the revoke date is right).
>
> It's also in the host ca on the puppetmaster -- so the two places there's a CA, it's listed with the right date. There's only one place each of these files can be pointed to in puppet.conf, so it's not possible that I've set it to be written, but not actually used, is it?
>
> -Dan
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
>

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To unsubscribe from this group and stop receiving emails from it, send an email to [email protected]. To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/6B30B7FE-23EE-482E-8331-6A09F4E39FE9%40devco.net. For more options, visit https://groups.google.com/d/optout.
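The check Dan describes above (dumping the CRL with `openssl crl -text` and looking for the serial) trips over one detail he notes himself: Puppet reports the serial in decimal (43) while openssl prints it in hex (2B). The script below is an added example written for this page, not code from the thread or from Puppet; it parses the text dump that command produces, does the decimal/hex conversion, and compares two CRLs (the CA CRL and the host CRL, as Dan checked both) so a serial missing from one of them is reported. The sample dump embedded in it is constructed for the example; `dump_crl()` shells out to the same openssl command quoted in the thread when you want to run it against real files.

```python
import re
import subprocess

# Constructed sample of `openssl crl -inform PEM -text -noout` output.
# Serial 2B (hex) is decimal 43, the value `puppet cert clean` reported above.
SAMPLE_CA_CRL = """Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN = Puppet CA: pm.foo.org
        Last Update: Jun 16 04:30:00 2016 GMT
        Next Update: Jun 16 04:30:00 2021 GMT
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Jan 10 12:00:00 2016 GMT
    Serial Number: 2B
        Revocation Date: Jun 16 04:30:00 2016 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Signature Algorithm: sha256WithRSAEncryption
         5c:1f:aa:00
"""

# Constructed host CRL that is stale: it lacks serial 2B.
SAMPLE_HOST_CRL = """Certificate Revocation List (CRL):
        Issuer: CN = Puppet CA: pm.foo.org
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Jan 10 12:00:00 2016 GMT
    Signature Algorithm: sha256WithRSAEncryption
"""

SERIAL_RE = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$")
DATE_RE = re.compile(r"^\s*Revocation Date:\s*(.+?)\s*$")


def dump_crl(path):
    """Run the openssl command from the thread and return its text output."""
    return subprocess.run(
        ["openssl", "crl", "-inform", "PEM", "-text", "-noout", "-in", path],
        check=True, capture_output=True, text=True,
    ).stdout


def parse_revoked(crl_text):
    """Map each revoked serial (as an int) to its revocation date string.

    openssl prints serials in hex, so every serial is converted with base 16;
    header lines before 'Revoked Certificates:' are skipped so the CRL's own
    version/serial-like fields are never mistaken for entries.
    """
    revoked = {}
    current = None
    in_entries = False
    for line in crl_text.splitlines():
        if line.startswith("Revoked Certificates:"):
            in_entries = True
            continue
        if not in_entries:
            continue
        m = SERIAL_RE.match(line)
        if m:
            current = int(m.group(1), 16)
            revoked[current] = None
            continue
        m = DATE_RE.match(line)
        if m and current is not None:
            revoked[current] = m.group(1)
    return revoked


def normalize_serial(serial):
    """Accept a decimal int (Puppet's notation) or a hex string (openssl's)."""
    if isinstance(serial, str):
        return int(serial, 16)
    return int(serial)


def is_revoked(crl_text, serial):
    """True if the serial appears in the CRL's revoked entries."""
    return normalize_serial(serial) in parse_revoked(crl_text)


def missing_from_second(crl_a_text, crl_b_text):
    """Serials revoked in the first CRL but absent from the second, in decimal.

    Useful for spotting a host CRL that has drifted from the CA CRL.
    """
    a = set(parse_revoked(crl_a_text))
    b = set(parse_revoked(crl_b_text))
    return sorted(a - b)


if __name__ == "__main__":
    print("43 revoked in CA CRL:", is_revoked(SAMPLE_CA_CRL, 43))
    print("missing from host CRL:", missing_from_second(SAMPLE_CA_CRL, SAMPLE_HOST_CRL))
```

With real files, `missing_from_second(dump_crl("/var/puppet/ssl/ca/ca_crl.pem"), dump_crl(host_crl_path))` returns an empty list when the two CRLs agree. Note that this only confirms what is on disk; as the reply above says, the web server may still be holding the CRL it loaded at startup, so a clean result here does not by itself prove the running master enforces the revocation.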
