Hi John,

Thanks for the reply. It turns out "puppet cert clean" is not good enough, 
one has to restart either puppetmaster or the httpd service (I am running 
puppetmaster behind apache) to clean it up from memory.

------


On Friday, April 12, 2013 9:01:13 AM UTC-5, jcbollinger wrote:
>
>
>
> On Thursday, April 11, 2013 11:30:45 AM UTC-5, iamauser wrote:
>>
>> I revoked the certificate of one of the clients by issuing the following 
>> command on puppetmaster :
>>
>>     puppet cert clean <hostname>
>>
>> Then tried to access the catalog from <hostname> via :
>>
>>    puppet agent --server=puppet ....
>>
>> and I can still access the catalogs from the master without any error.
>>
>> I checked that the certificate is no longer there in the puppetmaster for 
>> this <hostname> :
>>
>>    puppet cert list --all | grep <hostname>
>>
>> What have I misunderstood here ?
>>
>  
>
> "puppet cert clean" does not revoke the certificate, it merely removes the 
> CSR and any signed certificate from the master.  The certificate's validity 
> is not changed by that action.  If the certificate has not yet been 
> distributed to the client then there is little effective difference, but if 
> it has been then there is a big difference.  I am only slightly surprised 
> that the master continues to accept the valid certificate after it has been 
> cleaned.
>
> What you want is "puppet cert revoke".  That will add the client's 
> certificate to the master's CRL.  If you intend to allow for a new 
> certificate for the same certname to be issued, then you should *follow* that 
> with "puppet cert clean".  Otherwise, you must avoid cleaning the old 
> one.  If you want to preserve the ability to revoke certificates, then you 
> must avoid cleaning them while they are still valid.
>
>
> John
>
>
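An added example, not from the thread or the Puppet project, of the order John describes (revoke first, clean second) with the check a practitioner would want in between: confirm the certificate's serial is actually listed in the CA's CRL before the signed copy is cleaned away, then restart the service that still holds the old certificate in memory. It assumes root on the master, puppet and openssl on PATH, the Puppet 3 layout $ssldir/ca/signed/<certname>.pem and $ssldir/ca/ca_crl.pem, and that the service to restart is puppetmaster or the httpd unit when the master runs under Apache.

```shell
#!/bin/sh
# Added example (not the thread's or Puppet's own code). Assumed: root on the
# master, puppet + openssl on PATH, Puppet 3 ssldir layout (see lead-in).
set -e

# Print the serial number (upper-case hex) of a PEM certificate.
cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Succeed only if the CRL lists the given serial as revoked.
serial_in_crl() {
    crl=$1; serial=$2
    openssl crl -in "$crl" -noout -text 2>/dev/null |
        grep -qi "Serial Number: $serial"
}

# Usage: revoke_and_clean <certname> [service]
# service is the unit holding the old cert in memory: puppetmaster by
# default, or httpd/apache2 when the master runs behind Apache.
revoke_and_clean() {
    [ "$#" -ge 1 ] || { echo "usage: revoke_and_clean <certname> [service]" >&2; return 2; }
    certname=$1; service=${2:-puppetmaster}
    ssldir=$(puppet config print ssldir)
    signed="$ssldir/ca/signed/$certname.pem"
    crl="$ssldir/ca/ca_crl.pem"
    [ -f "$signed" ] || { echo "no signed cert for $certname; revoke by name needs it" >&2; return 1; }

    # Record the serial while the signed copy still exists: once it is
    # cleaned, revocation by certname has nothing to look up, which is
    # exactly why revoke has to come before clean.
    serial=$(cert_serial "$signed")
    puppet cert revoke "$certname"
    serial_in_crl "$crl" "$serial" ||
        { echo "serial $serial not in $crl after revoke; not cleaning" >&2; return 1; }

    # Only now drop the CSR and signed cert so a new one can be issued.
    puppet cert clean "$certname"
    # The running master keeps trusting the old cert until restarted.
    service "$service" restart
    echo "revoked serial $serial for $certname and restarted $service"
}

if [ "$#" -gt 0 ]; then
    revoke_and_clean "$@"
fi
```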
