Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-17 Thread Steve Barlow (JIRA)

Steve Barlow updated an issue

Change By: Steve Barlow
Flagged: Impediment

This message was sent by Atlassian JIRA (v6.1.4#6159-sha1:44eaede)

-- 
You received this message because you are subscribed to the Google Groups Puppet Bugs group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at http://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-15 Thread Britt Gresham (JIRA)

Britt Gresham assigned an issue to Britt Gresham

Change By: Britt Gresham
Assignee: Britt Gresham


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-12 Thread Eric Thompson (JIRA)

Eric Thompson assigned an issue to Eric Thompson

Change By: Eric Thompson
Assignee: Eric Thompson


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-12 Thread Eric Thompson (JIRA)

Eric Thompson assigned an issue to Unassigned

Change By: Eric Thompson
Assignee: Eric Thompson


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-10 Thread Josh Cooper (JIRA)

Josh Cooper assigned an issue to Adrien Thebo

Change By: Josh Cooper
Assignee: Adrien Thebo


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-10 Thread Adrien Thebo (JIRA)

Adrien Thebo commented on an issue

Merged in 20cf917.

Puppet / PUP-894: Too easy to hit CRL not yet valid for host (and not very informative)

Currently we set the CRL time range to start at 1 second in the past:
https://github.com/puppetlabs/puppet/blob/a8311df5438601a3394d38e37f671626969d50db/lib/puppet/ssl/certificate_revocation_list.rb#L85
However, this creates a window where an agent with a small amount of clock skew can hit the `CRL not yet valid for host` message. This affects bo...



Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-09 Thread Andy Parker (JIRA)

Andy Parker updated an issue

Change By: Andy Parker
Flagged: Impediment


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-08 Thread Andy Parker (JIRA)

Andy Parker assigned an issue to Josh Cooper

Change By: Andy Parker
Assignee: Josh Cooper


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-08 Thread Andy Parker (JIRA)

Andy Parker updated an issue

Change By: Andy Parker
Fix Version/s: future
Fix Version/s: 3.7.1


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-08 Thread Andy Parker (JIRA)

Andy Parker updated an issue

Change By: Andy Parker
Sprint: 2014-09-17


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-09-08 Thread Josh Cooper (JIRA)

Josh Cooper commented on an issue

This is fairly easy to reproduce. Set up an agent and master on different hosts. Ensure the master's time is ahead of the agent's. To be sure the bug is triggered, set it to 1 hour in the future. Generate and revoke a cert on the master; this will ensure the CRL's last_time field will be updated to a time that is ahead of the agent:


# puppet cert generate foobar
...
Notice: foobar has a waiting certificate request
Notice: Signed certificate request for foobar
Notice: Removing file Puppet::SSL::CertificateRequest foobar at '/var/lib/puppet/ssl/ca/requests/foobar.pem'
Notice: Removing file Puppet::SSL::CertificateRequest foobar at '/var/lib/puppet/ssl/certificate_requests/foobar.pem'
root@puppetmaster:/# puppet cert revoke foobar
...
Notice: Revoked certificate with serial 11



Delete the agent's SSL directory and start the agent:


$ rm -rf ~/.puppet/ssl/
$ bundle exec puppet agent -t
Info: Creating a new SSL key for XXX
Info: Caching certificate for ca
...
Info: Creating a new SSL certificate request for XXX
Info: Certificate Request fingerprint (SHA256): 6A:19:C9:46:D2:03:9E:DE:C2:51:D8:49:8D:10:69:28:F0:8E:AC:D9:7F:A6:56:BF:43:F1:3A:07:61:76:94:4F
Info: Caching certificate for ca
Exiting; no certificate found and waitforcert is disabled



On the master, sign the cert:


# puppet cert sign --all
...
Notice: Signed certificate request for XXX
Notice: Removing file Puppet::SSL::CertificateRequest XXX at '/var/lib/puppet/ssl/ca/requests/XXX.pem'



Run the agent, notice it downloads the CRL, and uses it for subsequent SSL connections, and generates the not yet valid error:


$ bundle exec puppet agent -t
Info: Caching certificate for XXX
Info: Caching certificate_revocation_list for ca
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=XXX]

Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-08-11 Thread Branan Purvine-Riley (JIRA)

Branan Purvine-Riley commented on an issue

This hit acceptance testing again last night: https://jenkins.puppetlabs.com/job/Puppet-Package-Acceptance-stable/label=acc-coord,platform=squeeze/514/

Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-07-14 Thread Josh Cooper (JIRA)

Josh Cooper commented on an issue

Acceptance failure https://jenkins.puppetlabs.com/job/Puppet-Package-Acceptance-Per-Commit-master/698/label=acc-coord,platform=rhel6/console
Error: Could not request certificate: SSL_connect returned=1 errno=0 state=SSLv3 read server certificate B: certificate verify failed: [CRL is not yet valid for /CN=efp9ev0z2mc2mv5.delivery.puppetlabs.net]

Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-06-03 Thread Kylo Ginsberg (JIRA)

Kylo Ginsberg updated an issue

Change By: Kylo Ginsberg
Fix Version/s: future


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-05-27 Thread Joshua Cooper (JIRA)

Joshua Cooper commented on an issue

Another way to do this is leverage the ssl verify callback method, and implement whatever verification policy we want, e.g. ignore CRL and CERT not yet valid errors, provided the time is within X seconds. So something like:



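  require 'openssl'

  # Sketch of an SSL verify callback. Puppet[:cert_not_before_skew] and
  # Puppet[:crl_last_update_skew] are the settings named in this sketch (seconds).
  def call(preverify_ok, store_context)
    if !preverify_ok
      case store_context.error
      when OpenSSL::X509::V_ERR_CERT_NOT_YET_VALID
        current_cert = store_context.current_cert
        # Accept a cert that becomes valid within the allowed skew
        if current_cert.not_before - Puppet[:cert_not_before_skew] <= Time.now
          preverify_ok = true
        end
      when OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID
        current_crl = store_context.current_crl
        # Accept a CRL that becomes valid within the allowed skew
        if current_crl.last_update - Puppet[:crl_last_update_skew] <= Time.now
          preverify_ok = true
        end
      end
    end

    preverify_ok
  end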
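
The 1-second window from the ticket and the skew-tolerant verify callback sketched in the comment above, shown end to end as an added Ruby example (not code from the ticket or from Puppet). The helper names, the CNs, the 60-second agent lag, the one-day backdate and the 300/30-second tolerances are all constructed for the demo; `store.time` stands in for the agent's skewed clock.

```ruby
require 'openssl'

# Constructed demo certificate; self-signed when no issuer is given.
def make_cert(cn, serial, key, issuer = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 86_400
  cert.not_after = Time.now + 86_400
  if ca
    ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
    cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
    cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  end
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Empty CRL whose validity window opens at last_update.
def make_crl(ca, ca_key, last_update)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = last_update
  crl.next_update = last_update + 30 * 86_400
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify leaf with CRL checking, as a peer whose clock reads `now`.
# The callback tolerates a CRL that becomes valid within `skew` seconds.
def verify_at(ca, crl, leaf, now, skew: 0)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.add_crl(crl)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK
  store.time = now
  errors = []
  ok = store.verify(leaf) do |preverify_ok, ctx|
    next true if preverify_ok
    errors << ctx.error
    ctx.error == OpenSSL::X509::V_ERR_CRL_NOT_YET_VALID &&
      ctx.current_crl.last_update - skew <= now
  end
  [ok, errors]
end

def demo
  master_now = Time.at(Time.now.to_i) # CA ("master") clock
  agent_now = master_now - 60         # agent clock 60 s behind (constructed)
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Demo CA', 1, ca_key, ca: true)
  leaf = make_cert('agent.example', 2, OpenSSL::PKey::RSA.new(2048), ca, ca_key)
  tight = make_crl(ca, ca_key, master_now - 1)       # window described in the ticket
  padded = make_crl(ca, ca_key, master_now - 86_400) # backdated a day (example value)
  { tight: verify_at(ca, tight, leaf, agent_now),
    padded: verify_at(ca, padded, leaf, agent_now),
    tolerated: verify_at(ca, tight, leaf, agent_now, skew: 300),
    too_strict: verify_at(ca, tight, leaf, agent_now, skew: 30) }
end

p demo if $PROGRAM_NAME == __FILE__
```

Each result is `[verified?, errors seen by the callback]`; the tolerance only ever relaxes the not-yet-valid check, so any other verification error still fails the handshake.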















   


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-01-23 Thread Michelle Johansen (JIRA)

Michelle Johansen commented on an issue

Kylo Ginsberg Is this a requirement for 3.5.0?


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-01-23 Thread Kylo Ginsberg (JIRA)

Kylo Ginsberg updated an issue

Change By: Kylo Ginsberg
Fix Version/s: 3.5.0


Jira (PUP-894) Too easy to hit CRL not yet valid for host (and not very informative)

2014-01-23 Thread Kylo Ginsberg (JIRA)

Kylo Ginsberg commented on an issue

No. This is merely a nice-to-have. I'll remove the Fix Version field and let it drop into the backlog.