On Wed, Jun 15, 2016 at 8:38 PM, Dan Mahoney <[email protected]> wrote:
> root@pm:~ # puppet cert clean somehost.foo.org
> Notice: Revoked certificate with serial 43
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/certs/somehost.foo.org.pem'
>
> If I run it again, it re-revokes the cert, but of course there's nothing
> to delete. Doing puppet ca revoke somehost.foo.org also redoes the
> revocation.
>
> However the agent happily continues to download catalogs. (Or more
> accurately, the master continues to hand them out).
>
> I've verified that the cert is listed as revoked in *both* the host CRL as
> well as the CA CRL, using the following:
>
> openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
>
> (where it's listed as 2B, because it's in hex, but the revoke date is
> right).
>
> It's also in the host ca on the puppetmaster -- so the two places there's
> a CA, it's listed with the right date. There's only one place each of
> these files can be pointed to in puppet.conf, so it's not possible that
> I've set it to be written, but not actually used, is it?

The CRL needs to be reloaded to take effect. As of Puppet Server 2.3, you can SIGHUP it to force the reload without having to incur the overhead of a full server restart (https://docs.puppet.com/puppetserver/latest/restarting.html).

To view this discussion on the web visit https://groups.google.com/d/msgid/puppet-users/CADJx5NmAt1SfkrkaO2EmmCN5-2%3DPDSAd76cXAr_TqPCA%3DJ0%3DaA%40mail.gmail.com.
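An added example, not from this thread or from Puppet's own tooling, that ties the two halves of the exchange together: it converts the decimal serial Puppet reports (43) to the hex form openssl prints (2B), confirms that serial is listed in a CRL dump, and only then sends Puppet Server the SIGHUP that makes the reload happen. The CRL text is a constructed sample, and matching the server process on the string "puppetserver" is an assumption about your init setup.

```shell
#!/bin/sh
# Added example (not from the thread). Verify a revoked serial is present in
# `openssl crl -text` output, then SIGHUP Puppet Server (>= 2.3) to reload it.

# Puppet logs serials in decimal ("serial 43"); openssl prints hex ("2B").
serial_to_hex() {
    printf '%X' "$1"
}

# Return 0 if decimal serial $1 is listed in the CRL text $2
# (the output of: openssl crl -inform PEM -text -noout -in <ca_crl.pem>).
crl_lists_serial() {
    hex=$(serial_to_hex "$1")
    printf '%s\n' "$2" | grep -q "Serial Number: ${hex}\$"
}

# Constructed sample of openssl's CRL dump; serial 43 (0x2B) mirrors the thread.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Issuer: /CN=Puppet CA: pm.foo.org
        Last Update: Jun 15 20:30:00 2016 GMT
        Next Update: Jun 15 20:30:00 2021 GMT
Revoked Certificates:
    Serial Number: 2B
        Revocation Date: Jun 15 20:30:00 2016 GMT
    Serial Number: 1A
        Revocation Date: Jan 10 12:00:00 2016 GMT'

# Ask the running Puppet Server JVM to re-read its CRL without a restart.
# Assumption: its command line contains "puppetserver"; adjust for your init.
reload_puppetserver_crl() {
    pkill -HUP -f puppetserver
}

# Usage: sh check_crl.sh 43   (runs only when a serial is given)
if [ $# -gt 0 ]; then
    if crl_lists_serial "$1" "$SAMPLE_CRL_TEXT"; then
        echo "serial $1 (0x$(serial_to_hex "$1")) is revoked in the CRL; reloading"
        reload_puppetserver_crl
    else
        echo "serial $1 is NOT in the CRL; revoke it before reloading"
    fi
fi
```

In real use, replace SAMPLE_CRL_TEXT with the live openssl output so the check reflects the file the server actually loads.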
