Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Maggie Dreyer updated an issue: Puppet / PUP-2189
Change By: Maggie Dreyer
Fix Version/s: PUP 6.0.0

This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93) -- You received this message because you are subscribed to the Google Groups "Puppet Bugs" group. To unsubscribe from this group and stop receiving emails from it, send an email to puppet-bugs+unsubscr...@googlegroups.com. To post to this group, send email to puppet-bugs@googlegroups.com. Visit this group at https://groups.google.com/group/puppet-bugs. For more options, visit https://groups.google.com/d/optout.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Maggie Dreyer commented on PUP-2189:

We will be removing the puppet cert command in Puppet 6 and replacing it with a new CLI tool under the puppetserver ca command, that uses the API to revoke certs. It seems like if this is the only entry point for revoking certificates, we may either be able to do what Moses described above and lock the file to the puppetserver master process, or that may be unnecessary because short of messing with the file manually, there will be no entrypoint besides the API for updating it. We will need to verify that none of the auxiliary PE tools (e.g. node purge) have their own ways of revoking the cert without going through puppet cert or the API.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Maggie Dreyer commented on PUP-2189:

I'm thinking that fixing this is part of an effort we discussed as part of scoping Puppet 6, to streamline cert revocation, which is currently unreasonably complicated. We had discussed the possibility of making it HTTP-API-only, via an endpoint that was smart enough to perform all the relevant revocation tasks based on detected deployment (e.g. remove the node from PuppetDB if PDB is set up), at least within the scope of FOSS. This kind of solution is in line with the option Moses names above as the most likely best path, in that it would necessarily restrict access and would be easier to enforce serial updates.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Justin Stoller updated an issue: Puppet / PUP-2189
Change By: Justin Stoller
Sprint: Platform Core Grooming
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Craig Gomes updated an issue: Puppet / PUP-2189
Change By: Craig Gomes
Sprint: Platform Core KANBAN Grooming
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Justin Stoller commented on PUP-2189:

I assume we should move this out of the active sprint and into the backlog, since it looks like it needs to go back and be prioritized with other CA work?
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Eric Sorenson assigned an issue to Eric Sorenson: Puppet / PUP-2189
Change By: Eric Sorenson
Assignee: Eric Sorenson
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Craig Gomes updated an issue: Puppet / PUP-2189
Change By: Craig Gomes
Team: Organizational Scale Platform Core
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Craig Gomes updated an issue: Puppet / PUP-2189
Change By: Craig Gomes
Team: Platform Core Organizational Scale
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza assigned an issue to Unassigned: Puppet / PUP-2189
Change By: Moses Mendoza
Assignee: Moses Mendoza
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza commented on PUP-2189:

After a bit of investigation on this, I'm coming up blank on correct/rigorous solutions. Things considered:

testing

I created a test to perform concurrent revocations in separate processes, each with its own ca object instance. Perhaps it goes without saying, but this test does not pass, even with small numbers - 5 to 100 consistently fails to actually retain all the revocations in the CRL on disk.

crl file locking

I rewrote the code to obtain an exclusive lock `flock(File::LOCK_EX|File::LOCK_NB)` on the CRL file via puppet's exclusive_open method(s). This proved insufficient - many revocations are still lost on concurrent update. I believe this is because once the ca initializes a crl object, including writing it to disk, that crl object is never updated from disk within the lifespan of the ca. After initialization, the data flow is one directional - into the ca, which passes on to the crl, which writes to disk. If many ca objects are initialized concurrently, they all have distinct crl objects based on the same beginning file on disk. Any given one might update the crl and write it to disk, but the others still have their (now stale) original versions. We never update the object in memory from new contents on disk, so it just gets overwritten (now exclusively overwritten with the lock).

evicting the "cache"

I then considered the crl object in memory as a cache of the file on disk - which means having a cache eviction when it gets stale. Thus I rewrote the revocation to check if the object in memory matched the one on disk before writing over it. The challenge here was that the timestamps we can use aren't granular enough. The `last_update` field of the crl object drops everything beyond seconds, and we can't reliably expect anything beyond seconds from a filesystem based check like mtime. There's also a performance penalty from re-reading the crl file on disk multiple times, but I think that would have been ok, if it worked.

force serial access

Instead of just obtaining a lock when a ca writes the new CRL file, we could obtain an exclusive read lock on the file too. I.e., only one ca process can even access the crl file for its own crl object at any given time. Any attempts from other processes to do the same would block or fail. This seems like it might be viable if the use-case is exclusively command-line driven crl actions like `puppet cert revoke` which are short-lived. But I wonder about the implications for long running processes like `puppet master` - would that mean they would have exclusive access to the crl file the whole time, making the cli tool unusable while it was running? Need to do a bit of investigation there, but it also feels slightly suboptimal. May be the best path.

merge with file on disk

An idea I haven't thought entirely through yet is that rather than just overwriting the crl file on disk with the one in memory, we could try to merge the contents of the two. I.e., instead of just write, given a crl on disk with revoked certs x y z, we lock the crl file for read/write, read that into memory, and augment the existing revocations with the new revoked certs from the current ca invocation. I'm not sure if this solves the problem or just moves it
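The stale-object failure and the "merge with file on disk" idea from the comment above, as an added Ruby example that is not Puppet's code and not part of the original thread. The CA key, CA name, `StaleCA`, `revoke_merged`, the `.lock` side file and all serial numbers are constructed for illustration, and the example assumes a POSIX system (`fork`, `flock`) where every writer goes through the same lock file.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed throwaway CA for the demo; not Puppet's CA, key, or file layout.
CA_KEY  = OpenSSL::PKey::RSA.new(2048)
CA_NAME = OpenSSL::X509::Name.parse('/CN=Example Demo CA')

# Build and sign a CRL that lists the given certificate serial numbers.
def sign_crl(serials)
  now = Time.now
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                       # value 1 encodes an X.509 v2 CRL
  crl.issuer = CA_NAME
  crl.last_update = now
  crl.next_update = now + 3600
  serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = now
    crl.add_revoked(entry)
  end
  crl.sign(CA_KEY, OpenSSL::Digest.new('SHA256'))
  crl
end

# Parse the CRL on disk, refuse it if the signature is bad, return its serials.
def serials_on_disk(path)
  crl = OpenSSL::X509::CRL.new(File.read(path))
  raise "CRL at #{path} fails signature check" unless crl.verify(CA_KEY)
  crl.revoked.map { |r| r.serial.to_i }.sort
end

# The pattern described in the comment: the CRL is read once when the CA
# object is created and never refreshed. The write is locked, but what gets
# written is the stale in-memory list, so the lock does not prevent loss.
class StaleCA
  def initialize(path)
    @path = path
    @serials = serials_on_disk(path)
  end

  def revoke(serial)
    @serials << serial
    File.open(@path, File::RDWR) do |f|
      f.flock(File::LOCK_EX)
      f.truncate(0)
      f.write(sign_crl(@serials).to_pem)
    end
  end
end

# Read-merge-write as one critical section. The lock is taken on a side file
# because the CRL itself is replaced by rename, which would leave a lock on
# the old inode meaningless for the next writer.
def revoke_merged(path, serial)
  File.open("#{path}.lock", File::RDWR | File::CREAT, 0o600) do |lock|
    lock.flock(File::LOCK_EX)                 # block until sole updater
    merged = serials_on_disk(path) | [serial] # re-read current state under lock
    tmp = "#{path}.tmp.#{Process.pid}"
    File.write(tmp, sign_crl(merged).to_pem)
    File.rename(tmp, path)                    # readers never see a partial file
  end
end

# Two CA objects created from the same file, then one revocation each.
def demo_stale(dir)
  path = File.join(dir, 'stale_crl.pem')
  File.write(path, sign_crl([]).to_pem)
  a = StaleCA.new(path)
  b = StaleCA.new(path)
  a.revoke(101)
  b.revoke(102)                               # overwrites a's revocation
  serials_on_disk(path)
end

# Concurrent revocations from separate processes using read-merge-write.
def demo_merged(dir, workers)
  path = File.join(dir, 'merged_crl.pem')
  File.write(path, sign_crl([]).to_pem)
  pids = (1..workers).map do |i|
    fork do
      revoke_merged(path, 1000 + i)
      exit!(0)
    end
  end
  pids.each { |pid| Process.wait(pid) }
  serials_on_disk(path)
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    puts "stale objects, locked write: #{demo_stale(dir).inspect}"
    puts "locked read-merge-write:     #{demo_merged(dir, 8).inspect}"
  end
end
```

The guarantee holds only while every code path that updates the CRL takes the same lock; a writer that bypasses it reintroduces the lost update.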
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza

The CRL file (and many other SSL related files) are missing locking, so concurrent access can lead to corruptions.

*In Scope*
* Confirm that PE in the Cloud etc will be leveraging puppet cert command line tools (as opposed to modifying CRL directly or revoking certs via server http api) - confirmed
* If so,
** Investigate filesystem-based locking of CRL file in ruby puppet on update
** Limited to updates to CRL via the puppet cert CLI

*Out of Scope*
* Changes to puppet server CRL handling / API - PUP-7991
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza
Sprint: Platform Core Hopper KANBAN
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza assigned an issue to Moses Mendoza: Puppet / PUP-2189
Change By: Moses Mendoza
Assignee: Moses Mendoza
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza
Story Points: 1
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Craig Gomes updated an issue: Puppet / PUP-2189
Change By: Craig Gomes
Sprint: Platform Core Grooming Hopper
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza commented on PUP-2189:

Nick Walker just trying to make the tickets more granular - filed PUP-7991 for server-side effort
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza

The CRL file (and many other SSL related files) are missing locking, so concurrent access can lead to corruptions.

*In Scope*
* Confirm that PE in the Cloud etc will be leveraging puppet cert command line tools (as opposed to modifying CRL directly or revoking certs via server http api)
* If so,
** Investigate filesystem-based locking of CRL file in ruby puppet on update
** Limited to updates to CRL via the puppet cert CLI

*Out of Scope*
* Changes to puppet server CRL handling / API - PUP-7991
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza

The CRL file (and many other SSL related files) are missing locking, so concurrent access can lead to corruptions.

*In Scope*
* Confirm that PE in the Cloud etc will be leveraging puppet cert command line tools (as opposed to modifying CRL directly or revoking certs via server http api)
* If so,
** Investigate filesystem-based locking of CRL file in ruby puppet on update
** Limited to updates to CRL via the puppet cert CLI

*Out of Scope*
* Changes to puppet server CRL handling / API
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza
Acceptance Criteria: Testbed is success in PE in the Cloud etc.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza
Sprint: Platform Core Grooming
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Owen Rodabaugh updated an issue: Puppet / PUP-2189
Change By: Owen Rodabaugh
CS Priority: Needs Priority Major
CS Impact: Faced by anyone with large scale decommissioning of nodes.
CS Severity: 4 - Major
CS Business Value: 4 - $
CS Frequency: 3 - 25-50% of Customers
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Past Haus updated an issue: Puppet / PUP-2189
Change By: Past Haus
Labels: AWS1
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Charlie Sharpsteen updated an issue: Puppet / PUP-2189
Change By: Charlie Sharpsteen
CS Priority: Needs Priority
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Karen Van der Veer updated an issue: Puppet / PUP-2189
Change By: Karen Van der Veer
Sprint: Platform Core Grooming
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Karen Van der Veer updated an issue: Puppet / PUP-2189
Change By: Karen Van der Veer
Sprint: Platform Core Grooming
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Nick Walker updated an issue: Puppet / PUP-2189
Change By: Nick Walker
Priority: Normal Major
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Nick Walker commented on PUP-2189:

Paul Raines something like this should work.

Stop the puppetserver and puppet agent processes on the CA:

    sudo puppet resource service puppet ensure=stopped
    sudo puppet resource service puppetserver ensure=stopped

Still on the CA, move and backup the existing ca_crl.pem and crl.pem files:

    mv /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem-bk && mv /etc/puppetlabs/puppet/ssl/crl.pem /etc/puppetlabs/puppet/ssl/crl.pem-bk

Generate a new crl by issuing and revoking a dummy certificate:

    puppet cert generate test
    puppet cert clean test

Restart the agent and puppetserver processes:
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Paul Raines commented on PUP-2189:

What is the proper way to recover from corrupted CRL?
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Karen Van der Veer updated an issue: Puppet / PUP-2189
Change By: Karen Van der Veer
Team: Systems Engineering Platform Core
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Moses Mendoza updated an issue: Puppet / PUP-2189
Change By: Moses Mendoza
Labels: triaged
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Nicholas Fagerlund updated an issue: Puppet / PUP-2189
Change By: Nicholas Fagerlund
Labels: triaged
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Nicholas Fagerlund updated an issue: Puppet / PUP-2189
Change By: Nicholas Fagerlund
Sub-team: Server
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Nicholas Fagerlund updated an issue: Puppet / PUP-2189
Change By: Nicholas Fagerlund
Team: Systems Engineering
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Josh Cooper commented on PUP-2189:

This issue has a different cause than PUP-1627, but they are related due to faulty locking.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Steven Seed commented on PUP-2189:

Has there been any progress on this issue?
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Erik Daln created an issue: Puppet / PUP-2189
Issue Type: Bug
Assignee: Unassigned
Created: 09/Apr/14 7:33 AM
Priority: Normal
Reporter: Erik Daln

The CRL file (and many other SSL related files) are missing locking, so concurrent access can lead to corruptions.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Andy Parker commented on PUP-2189:

The specific case here is if multiple CRL requests are made to the master (via the HTTP API). Because the writes are unprotected the CRL file ends up corrupted sometimes.
Jira (PUP-2189) The CRL can get corrupted if two workers revoke certs at same time
Erik Daln commented on PUP-2189:

Also running puppet cert revoke from command line in parallel can cause it. Or one from command line or one from HTTP API etc.