Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2019-03-28 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7744

puppetserver ca revoke will revoke already revoked certificates, so moving this to SERVER project.

    $ ./bin/puppetserver ca revoke --certname agent-66
    Revoked certificate for agent-66
    $ ./bin/puppetserver ca revoke --certname agent-66
    Revoked certificate for agent-66
    $ ./bin/puppetserver ca revoke --certname agent-66
    Revoked certificate for agent-66
    $ ./bin/puppetserver ca revoke --certname agent-66
    Revoked certificate for agent-66
    $ openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
    ...
    Serial Number: 6B
    Revocation Date: Mar 29 03:44:40 2019 GMT
    CRL entry extensions:

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2018-12-06 Thread Adam Bottchen (JIRA)

Adam Bottchen updated an issue

Change By: Adam Bottchen
Labels: ca cstop10
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)

-- 
You received this message because you are subscribed to the Google Groups "Puppet Bugs" group.
To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com.
To post to this group, send email to puppet-bugs@googlegroups.com.
Visit this group at https://groups.google.com/group/puppet-bugs.
For more options, visit https://groups.google.com/d/optout.


Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2018-02-13 Thread Maggie Dreyer (JIRA)

Maggie Dreyer updated an issue

Change By: Maggie Dreyer
Labels: ca the-goods
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2018-02-13 Thread Maggie Dreyer (JIRA)

Maggie Dreyer updated an issue

Change By: Maggie Dreyer
Labels: ca the-goods
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-12-20 Thread Matt Dainty (JIRA)

Matt Dainty commented on PUP-7744
 
Yes, just run into this via SERVER-115 and PUP-2569 and associates. I now have an 8.5 MB CRL that contains ~180,000 individual revocations and as many as ~500 duplicate revocations for specific certificate serial numbers. I've used puppet cert reinventory to clean down inventory.txt so most of the old certificate serials are forgotten. Is it possible to rebuild the CRL and de-dupe it to just contain one of each serial number, as I'm continually hitting the problem documented in SERVER-115 whereby any time I perform a puppet node clean it triggers a CRL rebuild that causes issues for any other connecting client(s)? The size of the CRL can't not be contributing to this, so the smaller I can make it the better.
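
To measure the duplication reported above, and shown for serial 6B in the 2019 comment, the following added example counts repeated serial numbers in the text output of openssl crl. It is not part of the original post and not Puppet's own tooling; the function names and the sample CRL text are constructed for illustration, and only serial 6B, its first revocation date and the openssl invocation come from the thread.

```shell
#!/bin/sh
# Added example (not Puppet's own tooling): audit a CRL for repeated serials.
# Input is the text form printed by:
#   openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text

# Print "<count> <serial>" for each serial revoked more than once,
# most-duplicated first.
crl_duplicate_serials() {
    awk '$1 == "Serial" && $2 == "Number:" { count[$3]++ }
         END { for (s in count) if (count[s] > 1) print count[s], s }' |
        sort -k1,1nr -k2,2
}

# Print "<total entries> <unique serials>"; the difference is how many
# entries a de-duplicated CRL would drop.
crl_entry_stats() {
    awk '$1 == "Serial" && $2 == "Number:" { total++; if (!seen[$3]++) unique++ }
         END { print total + 0, unique + 0 }'
}

# Constructed sample in the layout of `openssl crl -text`. Serial 6B and its
# first revocation date are the ones quoted in the thread; every other value
# is made up for the demonstration.
sample_crl_text() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: CN = Puppet CA: example
Revoked Certificates:
    Serial Number: 02
        Revocation Date: Mar 29 03:40:00 2019 GMT
    Serial Number: 6B
        Revocation Date: Mar 29 03:44:40 2019 GMT
    Serial Number: 6B
        Revocation Date: Mar 29 03:44:52 2019 GMT
    Serial Number: 6B
        Revocation Date: Mar 29 03:45:03 2019 GMT
    Serial Number: 6B
        Revocation Date: Mar 29 03:45:15 2019 GMT
EOF
}

echo "duplicates (count serial):"
sample_crl_text | crl_duplicate_serials
echo "entries (total unique): $(sample_crl_text | crl_entry_stats)"
```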
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-12-14 Thread Justin Stoller (JIRA)

Justin Stoller updated an issue

Change By: Justin Stoller
Sprint: Platform Core Hopper
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-11-22 Thread Justin Stoller (JIRA)

Justin Stoller commented on PUP-7744

This should be done in both Puppet Server (threaded through to jvm-ssl-utils) in addition to Puppet.
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-08-17 Thread Owen Rodabaugh (JIRA)

Owen Rodabaugh updated an issue

Change By: Owen Rodabaugh
CS Priority: Major
CS Impact: This is causing problems with a number of very large scale customers. The way the CRL is handled is very inefficient.
CS Severity: 4 - Major
CS Business Value: 5 - $$
CS Frequency: 2 - 5-25% of Customers
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-08-09 Thread Moses Mendoza (JIRA)

Moses Mendoza updated an issue

Change By: Moses Mendoza
Sprint: Platform Core Hopper
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-08-01 Thread Moses Mendoza (JIRA)

Moses Mendoza updated an issue

Change By: Moses Mendoza
Labels: the-goods
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-08-01 Thread Moses Mendoza (JIRA)

Moses Mendoza updated an issue

Change By: Moses Mendoza
Story Points: 3
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Josh Cooper (JIRA)

Josh Cooper updated an issue

Change By: Josh Cooper
Team: Agent
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7744

Sorry, yeah this is a different issue. The puppet node clean command calls puppet cert clean which will revoke already revoked certs:

    [root@ma9lddhbmxqglv2 ~]# puppet cert generate foobar
    Notice: Signed certificate request for ca
    Notice: foobar has a waiting certificate request
    Notice: Signed certificate request for foobar
    Notice: Removing file Puppet::SSL::CertificateRequest foobar at '/etc/puppetlabs/puppet/ssl/ca/requests/foobar.pem'
    Notice: Removing file Puppet::SSL::CertificateRequest foobar at '/etc/puppetlabs/puppet/ssl/certificate_requests/foobar.pem'
    [root@ma9lddhbmxqglv2 ~]# puppet cert clean foobar
    Notice: Revoked certificate with serial 2
    Notice: Removing file Puppet::SSL::Certificate foobar at '/etc/puppetlabs/puppet/ssl/ca/signed/foobar.pem'

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Erik Hansen (JIRA)

Erik Hansen commented on PUP-7744

Josh Cooper Just a clarification, the duplicate entries can be produced without multiple writers though. It occurs simply by attempting to purge a certificate name that has already been revoked.
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Josh Cooper (JIRA)

Josh Cooper commented on PUP-7744

Thanks, Erik Hansen, yes this is caused because we do not write to the file atomically. So it is entirely likely for multiple writers to interleave, causing the kind of corruption described here and in PUP-2189. I'm going to close this as a dup of the earlier ticket.
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Erik Hansen (JIRA)

Erik Hansen updated an issue

Change By: Erik Hansen
Method Found: Needs Assessment Customer Feedback
 

Jira (PUP-7744) Puppet CA's CRL is prone to duplicate entries

2017-06-30 Thread Erik Hansen (JIRA)

Erik Hansen created an issue

Issue Type: Bug
Assignee: Unassigned
Created: 2017/06/30 9:50 AM
Priority: Normal
Reporter: Erik Hansen

Using the 'puppet node purge' command it is possible to put duplicate revoked certificates in Puppet's CRL. For example:

    # puppet cert generate testcert
    Notice: testcert has a waiting certificate request
    Notice: Signed certificate request for testcert

Now purge the node / certificate: