[Puppet Users] Re: Why does my Puppet Master randomly revoke my Agent's certificate?

2014-09-03 Thread Eric Sorenson
Note too that the certificate revocation list only contains serial numbers. 
So it could be that you are getting duplicate serial numbers issued, and 
the number matches one that was cleaned/revoked at some point in the past, 
so the CRL contains its number.  More in my ssl troubleshooting guide on 
ask:

http://ask.puppetlabs.com/question/25/how-can-i-troubleshoot-problems-with-puppets-ssl-layer/

On Tuesday, September 2, 2014 6:51:22 PM UTC-7, Jason Oakley wrote:

 Thanks. I'll look at that, but the only thing running on my Master server 
 is Puppet Master. My Agent server only has Minecraft, PHP, MySQL, 
 WordPress.. nothing using certificates at all.

 On Wednesday, 3 September 2014 00:55:20 UTC+10, jcbollinger wrote:



 On Monday, September 1, 2014 5:57:58 PM UTC-5, Jason Oakley wrote:

 My servers were working fine, when I got this error:
 Inventory
 Could not retrieve facts from inventory service: SSL_connect returned=1 
 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate 
 revoked

 Now, everything was working fine. Due to this error, I re-created the 
 certificate and all was well. Then, I logged onto the Master a day or two 
 later and the certificate is yet again revoked.
 How do I stop this?



 Puppet does not perform automatic certificate revocations.  I have 
 personally crawled the code to check.  IIRC, the last time we had a 
 question like this one, the user eventually discovered a separate automated 
 process in his environment that was revoking certain certificates.  If you 
 have any kind of automated process around issuing certs, then that's the 
 first place I would look.

 You could also consider making your ssl/ directory and everything in it 
 read-only (immutable, if necessary), to try to identify the rogue behavior 
 by forcing it to error out.


 John



-- 
You received this message because you are subscribed to the Google Groups 
Puppet Users group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to puppet-users+unsubscr...@googlegroups.com.
To view this discussion on the web visit 
https://groups.google.com/d/msgid/puppet-users/4526c9c2-a3c0-4032-87fb-1f36aff7633e%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
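
The point above, that a CRL lists only serial numbers, shown as an added example (not code from the thread or from Puppet). It uses Ruby's standard openssl library; the CA, certnames and serial values are constructed for illustration.

```ruby
require 'openssl'

# Constructed throwaway CA key and name; nothing here comes from a real Puppet master.
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_NAME = OpenSSL::X509::Name.parse('/CN=Example CA (constructed)')

# Issue a certificate for certname with an explicitly chosen serial number.
def issue(certname, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.serial     = serial
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{certname}")
  cert.issuer     = CA_NAME
  cert.public_key = OpenSSL::PKey::RSA.new(2048).public_key
  cert.not_before = Time.now - 60
  cert.not_after  = Time.now + 3600
  cert.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end

# Build a signed CRL that revokes the given serial numbers.
def build_crl(serials)
  crl = OpenSSL::X509::CRL.new
  crl.version     = 1
  crl.issuer      = CA_NAME
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  serials.each do |s|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = s
    entry.time   = Time.now
    crl.add_revoked(entry)
  end
  crl.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
end

# A CRL entry carries a serial and a time, no subject, so matching is by serial only.
def revoked?(cert, crl)
  crl.revoked.any? { |entry| entry.serial.to_i == cert.serial.to_i }
end

# Serials that appear on more than one certificate, with the subjects sharing them.
def duplicate_serials(certs)
  certs.group_by { |c| c.serial.to_i }
       .select { |_, group| group.size > 1 }
       .transform_values { |group| group.map { |c| c.subject.to_s } }
end

# Constructed scenario: an old cert with serial 2 was revoked, a new cert reuses serial 2.
old, live = issue('old-agent.example.com', 2), issue('agent.example.com', 2)
puts revoked?(live, build_crl([old.serial.to_i]))
```

Running `duplicate_serials` over the certificates a CA has signed is a quick way to see whether serial reuse, rather than a fresh revocation, explains a "certificate revoked" alert.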


[Puppet Users] Re: Why does my Puppet Master randomly revoke my Agent's certificate?

2014-09-02 Thread jcbollinger


On Monday, September 1, 2014 5:57:58 PM UTC-5, Jason Oakley wrote:

 My servers were working fine, when I got this error:
 Inventory
 Could not retrieve facts from inventory service: SSL_connect returned=1 
 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate 
 revoked

 Now, everything was working fine. Due to this error, I re-created the 
 certificate and all was well. Then, I logged onto the Master a day or two 
 later and the certificate is yet again revoked.
 How do I stop this?



Puppet does not perform automatic certificate revocations.  I have 
personally crawled the code to check.  IIRC, the last time we had a 
question like this one, the user eventually discovered a separate automated 
process in his environment that was revoking certain certificates.  If you 
have any kind of automated process around issuing certs, then that's the 
first place I would look.

You could also consider making your ssl/ directory and everything in it 
read-only (immutable, if necessary), to try to identify the rogue behavior 
by forcing it to error out.


John



[Puppet Users] Re: Why does my Puppet Master randomly revoke my Agent's certificate?

2014-09-02 Thread Jason Oakley
Thanks. I'll look at that, but the only thing running on my Master server 
is Puppet Master. My Agent server only has Minecraft, PHP, MySQL, 
WordPress.. nothing using certificates at all.

On Wednesday, 3 September 2014 00:55:20 UTC+10, jcbollinger wrote:



 On Monday, September 1, 2014 5:57:58 PM UTC-5, Jason Oakley wrote:

 My servers were working fine, when I got this error:
 Inventory
 Could not retrieve facts from inventory service: SSL_connect returned=1 
 errno=0 state=SSLv3 read server session ticket A: sslv3 alert certificate 
 revoked

 Now, everything was working fine. Due to this error, I re-created the 
 certificate and all was well. Then, I logged onto the Master a day or two 
 later and the certificate is yet again revoked.
 How do I stop this?



 Puppet does not perform automatic certificate revocations.  I have 
 personally crawled the code to check.  IIRC, the last time we had a 
 question like this one, the user eventually discovered a separate automated 
 process in his environment that was revoking certain certificates.  If you 
 have any kind of automated process around issuing certs, then that's the 
 first place I would look.

 You could also consider making your ssl/ directory and everything in it 
 read-only (immutable, if necessary), to try to identify the rogue behavior 
 by forcing it to error out.


 John


