Thanks for your reply, Nan. I had a look at the ca_crl.pem and the "puppet cert -p <host>" output, and the serial number for the host is not listed in the revoked certificates list in ca_crl.pem, yet puppet cert -la shows the certificate as revoked for the host?
- Gonzalo

On Tue, Jan 10, 2012 at 3:17 PM, Nan Liu <n...@puppetlabs.com> wrote:
> I couldn't really reproduce it. I would check your CRL revocation and
> match it with your certificate serial number in puppet cert -p
> <certname>.
>
> openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
> Certificate Revocation List (CRL):
> ...
> Revoked Certificates:
>     Serial Number: 0A
>     ...
>     Serial Number: 0C
>     ...
>
> puppet cert -p demo.puppetlabs.lan
> ...
>     Serial Number: 13 (0xd)
>
> If these numbers match, it's revoked. And if your puppet master is
> still accepting agents with revoked certs, it might be a CRL
> misconfiguration. It's easy to tell if you re-signed a cert by looking
> at inventory.txt (because the same CN will show up twice):
>
> cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
> ...
> 0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
> 0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan
>
> With all the info above, you should be able to tell 0xc is revoked,
> the server currently has 0xd which is still valid, and puppet cert -la
> should show + demo.puppetlabs.lan.
>
> Thanks,
>
> Nan
>
> On Mon, Jan 9, 2012 at 6:54 PM, Gonzalo Servat <gser...@gmail.com> wrote:
> > Done :)
> >
> > https://projects.puppetlabs.com/issues/11854
> >
> >
> > On Tue, Jan 10, 2012 at 1:14 PM, Jo Rhett <jrh...@netconsonance.com> wrote:
> >>
> >> I agree. I would open a bug report :)
> >>
> >> On Jan 9, 2012, at 5:26 PM, Gonzalo Servat wrote:
> >>
> >> Thanks for your reply.
> >>
> >> I was expecting to see something like:
> >>
> >> + host (good fingerprint here)
> >> - host (revoked fingerprint here) (certificate revoked)
> >>
> >> ... but instead I just see the second line. I guess I just find it a bit
> >> confusing.
> >>
> >> - Gonzalo
> >>
> >> On Tue, Jan 10, 2012 at 12:18 PM, Jo Rhett <jrh...@netconsonance.com> wrote:
> >>>
> >>> The previous certificate was revoked, and the new one was signed. So
> >>> what you are seeing is true…
> >>>
> >>> On Jan 9, 2012, at 5:11 PM, Gonzalo Servat wrote:
> >>>
> >>> As per the subject, "puppet cert list --all" is showing a heap of revoked
> >>> certificates, even though they're not actually revoked. I can go on any of
> >>> the revoked clients' hosts and trigger a Puppet run, and it'll work fine.
> >>>
> >>> The only reason why they appear revoked is because the systems were
> >>> re-installed, so I've issued a puppetca --clean <host> and signed the new
> >>> certificate, and it immediately appears as revoked (even though it's not).
> >>>
> >>> Any ideas?
> >>>
> >>> Thanks
> >>> Gonzalo
> >>>
> >>> --
> >>> You received this message because you are subscribed to the Google Groups
> >>> "Puppet Users" group.
> >>> To post to this group, send email to puppet-users@googlegroups.com.
> >>> To unsubscribe from this group, send email to
> >>> puppet-users+unsubscr...@googlegroups.com.
> >>> For more options, visit this group at
> >>> http://groups.google.com/group/puppet-users?hl=en.
> >>>
> >>>
> >>> --
> >>> Jo Rhett
> >>> Net Consonance : consonant endings by net philanthropy, open source and
> >>> other randomness
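The cross-check Nan describes (the agent's current serial against the CRL's revoked serials, plus inventory.txt to spot a CN issued twice and to confirm the older serial really was revoked), as an added Python example that is not part of the thread. It parses constructed sample text in the formats quoted above; the CN, serial numbers and dates in the samples are made up.

```python
import re

# Constructed sample output in the formats Nan quoted (not real CA data).
CRL_TEXT = """Certificate Revocation List (CRL):
Revoked Certificates:
    Serial Number: 0A
    Serial Number: 0C
"""
CERT_TEXT = """    Data:
        Serial Number: 13 (0xd)
    Subject: CN=demo.puppetlabs.lan
"""
INVENTORY = """0x000b 2011-12-13T21:50:00GMT 2016-12-12T21:50:00GMT /CN=other.puppetlabs.lan
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan
"""

def revoked_serials(crl_text):
    # Serials under 'Revoked Certificates:' in `openssl crl -text` output, as ints.
    parts = crl_text.split("Revoked Certificates:", 1)
    if len(parts) < 2:
        return set()
    return {int(s, 16) for s in re.findall(r"Serial Number:\s*([0-9A-Fa-f]+)", parts[1])}

def cert_serial(cert_text):
    # Serial from `puppet cert -p` / `openssl x509 -text` output: '13 (0xd)' or bare hex.
    m = re.search(r"Serial Number:\s*\d+\s*\(0x([0-9A-Fa-f]+)\)", cert_text)
    if not m:
        m = re.search(r"Serial Number:\s*([0-9A-Fa-f:]+)", cert_text)
    return int(m.group(1).replace(":", ""), 16)

def inventory_serials(inventory_text, cn):
    # Every serial the CA ever issued for cn, from inventory.txt, in issue order.
    rows = (line.split() for line in inventory_text.splitlines())
    return [int(r[0], 16) for r in rows if len(r) == 4 and r[3] == "/CN=" + cn]

def check_host(cn, crl_text, cert_text, inventory_text):
    # Cross-check: is the agent's current serial on the CRL, and were older
    # serials for the same CN (a re-signed host) actually revoked?
    revoked = revoked_serials(crl_text)
    current = cert_serial(cert_text)
    older = [s for s in inventory_serials(inventory_text, cn) if s != current]
    return {
        "current_serial": current,
        "current_revoked": current in revoked,
        "resigned": bool(older),
        "old_still_valid": [s for s in older if s not in revoked],
    }
```

A non-empty `old_still_valid` list is the case worth acting on: an earlier certificate for a re-installed host that the CRL never caught would still be accepted by the master.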