Hey all,
This terrifies me.
As part of my certificate roll, I did, on my master:
root@pm:~ # puppet cert clean somehost.foo.org
Notice: Revoked certificate with serial 43
Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
'/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
'/var/puppet/ssl/certs/somehost.foo.org.pem'
If I run it again, it re-revokes the cert, but of course there's nothing
to delete. Doing puppet ca revoke somehost.foo.org also redoes the
revocation.
However the agent happily continues to download catalogs. (Or more
accurately, the master continues to hand them out).
I've verified that the cert is listed as revoked in *both* the host CRL as
well as the CA CRL, using the following:
openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
(where it's listed as 2B, because it's in hex, but the revoke date is
right).
It's also in the host CA on the puppetmaster -- so the two places there's
a CA, it's listed with the right date. There's only one place each of
these files can be pointed to in puppet.conf, so it's not possible that
I've set it to be written, but not actually used, is it?
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
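Added example, not from Dan's post or from Puppet itself: a small Python check that handles the decimal-vs-hex mismatch described above by parsing `openssl crl -text -noout` output and looking up a serial the way Puppet reports it (decimal 43, which openssl prints as 2B). The CRL text is a constructed sample; its issuer name and dates are assumed.

```python
import re
from typing import Dict, Optional

# Constructed sample of `openssl crl -text -noout` output (not real CRL data;
# issuer and dates are assumed). Serial 43 appears as 2B, as in the post.
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Issuer: /CN=Puppet CA: pm.foo.org
        Last Update: Jan  5 17:03:21 2014 GMT
Revoked Certificates:
    Serial Number: 2B
        Revocation Date: Jan  5 17:03:21 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code:
                Key Compromise
    Serial Number: 0100
        Revocation Date: Jan  3 09:12:00 2014 GMT
"""


def serial_to_openssl_hex(serial: int) -> str:
    """Render a decimal serial as openssl prints it: uppercase hex, padded to
    an even number of digits (43 -> '2B', 256 -> '0100')."""
    digits = format(serial, "X")
    return digits if len(digits) % 2 == 0 else "0" + digits


def parse_revoked(crl_text: str) -> Dict[int, str]:
    """Map each revoked serial (decoded from hex to int) to its revocation date."""
    revoked: Dict[int, str] = {}
    current: Optional[int] = None
    for line in crl_text.splitlines():
        m = re.match(r"\s*Serial Number:\s*([0-9A-Fa-f:]+)\s*$", line)
        if m:
            current = int(m.group(1).replace(":", ""), 16)
            revoked[current] = ""  # date filled in by the following line
            continue
        m = re.match(r"\s*Revocation Date:\s*(.+?)\s*$", line)
        if m and current is not None:
            revoked[current] = m.group(1)
    return revoked


def revocation_date(crl_text: str, serial: int) -> Optional[str]:
    """Look up a serial as Puppet reports it (decimal 43); None if not listed."""
    return parse_revoked(crl_text).get(serial)
```

A serial showing up here only confirms that the CRL file on disk was written; whether the running master has re-read that file is a separate question, which is the one the post raises.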