On Fri, Oct 1, 2010 at 2:50 AM, Daniel Maher <d...@witbe.net> wrote:
>
> Thank you for the advice; unfortunately, as I had already revoked the
> certificate, cleaning and re-issuing was not a possibility. I ended up
> biting the bullet and just wiping out and re-initialising the certificates
> across the board. Thank god for clusterssh.
>
Ah, I'm a step too late for you. I suppose this would be helpful if someone runs across this problem again. Here are the steps to recover from an accidental revocation.

List the revoked certs in the CRL to find the serial numbers:

    # openssl crl -in /var/lib/puppet/ca/ca_crl.pem -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
    ...
    Revoked Certificates:
        Serial Number: 11
            Revocation Date: Sep 25 14:50:35 2010 GMT
            ...
                    Key Compromise
        Serial Number: 19
            Revocation Date: Sep 24 20:51:22 2010 GMT
            ...
                    Key Compromise

This matches the history in inventory.txt:

    # Inventory of signed certificates
    # SERIAL NOT_BEFORE NOT_AFTER SUBJECT
    ...
    0x0011 2010-09-22T11:03:55GMT 2015-09-21T11:03:55GMT /CN=foo
    ...
    0x0019 2010-09-23T20:50:28GMT 2015-09-22T20:50:28GMT /CN=puppetmaster.training

In this case 0x0019 was a mistake. Remove both ca_crl.pem and crl.pem, revoke all the compromised certs again, skip the ones that were a mistake, and you are set:

    # rm /var/lib/puppet/ca/ca_crl.pem
    # rm /var/lib/puppet/crl.pem
    # puppet cert --revoke foo
    # openssl crl -in /var/lib/puppet/ca/ca_crl.pem -noout -text

At this point 0x0019 will no longer be in the list.

Thanks,
Nan
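The manual step in the recipe above is matching the serials printed by `openssl crl -text` against inventory.txt to decide which names to re-revoke. The script below automates that join; it is an added example, not code from the thread or from Puppet. The CRL text and inventory lines it embeds are constructed samples modelled on the output quoted above (the 0x002a entry is invented to show a serial the inventory does not explain), the paths are the ones used in the thread, and it assumes `puppet cert --revoke` is given the certificate's CN, as in the thread. One detail worth knowing: openssl prints serials in hex without a 0x prefix (large serials as colon-separated bytes), while inventory.txt uses 0x-prefixed hex, so both are parsed with base 16 rather than compared as strings.

```python
import re

# Constructed sample modelled on the `openssl crl -noout -text` output quoted in
# the thread; not a real CRL. The 0x2A entry is invented to exercise the
# "serial not in inventory" path.
CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
Revoked Certificates:
    Serial Number: 11
        Revocation Date: Sep 25 14:50:35 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 19
        Revocation Date: Sep 24 20:51:22 2010 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 2A
        Revocation Date: Sep 26 09:12:00 2010 GMT
"""

# Constructed sample modelled on Puppet's inventory.txt format.
INVENTORY_TEXT = """\
# Inventory of signed certificates
# SERIAL NOT_BEFORE NOT_AFTER SUBJECT
0x0011 2010-09-22T11:03:55GMT 2015-09-21T11:03:55GMT /CN=foo
0x0012 2010-09-22T11:05:10GMT 2015-09-21T11:05:10GMT /CN=bar
0x0019 2010-09-23T20:50:28GMT 2015-09-22T20:50:28GMT /CN=puppetmaster.training
"""

CA_CRL = "/var/lib/puppet/ca/ca_crl.pem"   # paths from the thread
CLIENT_CRL = "/var/lib/puppet/crl.pem"


def parse_crl(text):
    """Map serial (int) -> revocation date from `openssl crl -noout -text` output.

    openssl prints serials in hex with no 0x prefix, and large ones as
    colon-separated bytes, so colons are stripped and the value parsed base 16.
    """
    revoked, current = {}, None
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("Serial Number:"):
            raw = stripped.split(":", 1)[1].replace(":", "").strip()
            current = int(raw, 16)
            revoked[current] = None
        elif stripped.startswith("Revocation Date:") and current is not None:
            revoked[current] = stripped.split(":", 1)[1].strip()
    return revoked


def parse_inventory(text):
    """Map serial (int) -> subject from inventory.txt, skipping comments/blanks."""
    subjects = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        serial, _not_before, _not_after, subject = line.split(None, 3)
        subjects[int(serial, 16)] = subject
    return subjects


def subject_cn(subject):
    """Extract the CN from a subject such as '/CN=foo'."""
    m = re.search(r"CN=([^/,]+)", subject)
    return m.group(1) if m else subject


def revoked_entries(crl_text, inventory_text):
    """Join CRL and inventory: [(serial_hex, cn_or_None, revocation_date)], by serial."""
    subjects = parse_inventory(inventory_text)
    out = []
    for serial, date in sorted(parse_crl(crl_text).items()):
        subject = subjects.get(serial)
        out.append(("0x%04x" % serial, subject_cn(subject) if subject else None, date))
    return out


def recovery_commands(crl_text, inventory_text, mistakes):
    """Commands that rebuild the CRL without the accidental revocations.

    Both CRL copies are removed, then every revocation except those whose serial
    is in `mistakes` (hex strings like "0x0019") is re-issued by CN. Serials the
    inventory cannot name are returned separately for a human to look at rather
    than silently dropped from the new CRL.
    """
    skip = {int(s, 16) for s in mistakes}
    cmds = ["rm %s" % CA_CRL, "rm %s" % CLIENT_CRL]
    unknown = []
    for serial_hex, cn, _date in revoked_entries(crl_text, inventory_text):
        if int(serial_hex, 16) in skip:
            continue
        if cn is None:
            unknown.append(serial_hex)
            continue
        cmds.append("puppet cert --revoke %s" % cn)
    return cmds, unknown


if __name__ == "__main__":
    for entry in revoked_entries(CRL_TEXT, INVENTORY_TEXT):
        print("%s  %-25s  %s" % entry)
    cmds, unknown = recovery_commands(CRL_TEXT, INVENTORY_TEXT, {"0x0019"})
    print("\n".join(cmds))
    if unknown:
        print("# not in inventory.txt, check by hand: %s" % ", ".join(unknown))
```

The script only prints the commands; review them before running, because the serial is the thing that was revoked and the script re-revokes by CN, so a CN that appears more than once in inventory.txt (a re-issued cert) deserves a manual look.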