The CRL tends to only be read at startup by the web server. So restart and it should work - if non-puppetserver, you should have configured it correctly though.
--- R.I.Pienaar

> On 16 Jun 2016, at 05:38, Dan Mahoney <goo...@gushi.org> wrote:
>
> Hey all,
>
> This terrifies me.
>
> As part of my certificate roll, I did, on my master:
>
> root@pm:~ # puppet cert clean somehost.foo.org
> Notice: Revoked certificate with serial 43
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/certs/somehost.foo.org.pem'
>
> If I run it again, it re-revokes the cert, but of course there's nothing to
> delete. Doing puppet ca revoke somehost.foo.org also redoes the revocation.
>
> However the agent happily continues to download catalogs. (Or more
> accurately, the master continues to hand them out).
>
> I've verified that the cert is listed as revoked in *both* the host CRL as
> well as the CA CRL, using the following:
>
> openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
>
> (where it's listed as 2B, because it's in hex, but the revoke date is right).
>
> It's also in the host ca on the puppetmaster -- so the two places there's a
> CA, it's listed with the right date. There's only one place each of these
> files can be pointed to in puppet.conf, so it's not possible that I've set it
> to be written, but not actually used, is it?
>
> -Dan
>
> --
>
> --------Dan Mahoney--------
> Techie, Sysadmin, WebGeek
> Gushi on efnet/undernet IRC
> ICQ: 13735144 AIM: LarpGM
> Site: http://www.gushi.org
> ---------------------------
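
The two checks this thread turns on, as an added example that is not part of either message: matching the decimal serial printed by `puppet cert clean` against the hex serial in the CRL text, and testing whether the CRL file is newer than the running web server. The function names, the sample CRL text and the use of a pid file as the server's start marker are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Function names, the sample CRL text and
# the pid-file start marker are assumptions.

# puppet prints the serial in decimal (43); `openssl crl -text` prints it as
# uppercase hex padded to whole bytes (2B, 0100).
serial_to_hex() {
    hex=$(printf '%X' "$1")
    if [ $(( ${#hex} % 2 )) -eq 1 ]; then hex="0$hex"; fi
    printf '%s\n' "$hex"
}

# Reads `openssl crl -text -noout` output on stdin. Prints the revocation date
# of the given decimal serial; returns 1 if the serial is not listed.
crl_revocation_date() {
    awk -v want="$(serial_to_hex "$1")" '
        $1 == "Serial" && $2 == "Number:" { hit = (toupper($3) == want); next }
        hit && $1 == "Revocation" && $2 == "Date:" {
            sub(/^[ \t]*Revocation Date:[ \t]*/, ""); print; found = 1; exit
        }
        END { exit !found }'
}

# True when CRL file $1 is newer than $2, a file whose mtime marks the web
# server start (its pid file, by assumption). A server that reads the CRL only
# at startup is then still enforcing the older list.
crl_newer_than_server() { [ "$1" -nt "$2" ]; }

# Constructed sample of the text form, trimmed to the fields parsed above.
sample_crl_text() {
    cat <<'EOF'
Certificate Revocation List (CRL):
        Last Update: Jun 16 05:30:00 2016 GMT
Revoked Certificates:
    Serial Number: 2A
        Revocation Date: Jun 10 11:00:00 2016 GMT
    Serial Number: 2B
        Revocation Date: Jun 16 05:30:00 2016 GMT
EOF
}

sample_crl_text | crl_revocation_date 43   # serial 43 is listed as 2B
```

Against a live master, pipe the `openssl crl -inform PEM -text -noout -in ...` command from the thread into `crl_revocation_date` in place of `sample_crl_text`.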