On Wed, Jun 15, 2016 at 8:38 PM, Dan Mahoney <goo...@gushi.org> wrote:
> root@pm:~ # puppet cert clean somehost.foo.org
> Notice: Revoked certificate with serial 43
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/ca/signed/somehost.foo.org.pem'
> Notice: Removing file Puppet::SSL::Certificate somehost.foo.org at
> '/var/puppet/ssl/certs/somehost.foo.org.pem'
>
> If I run it again, it re-revokes the cert, but of course there's nothing
> to delete. Doing puppet ca revoke somehost.foo.org also redoes the
> revocation.
>
> However the agent happily continues to download catalogs. (Or more
> accurately, the master continues to hand them out).
>
> I've verified that the cert is listed as revoked in *both* the host CRL as
> well as the CA CRL, using the following:
>
> openssl crl -inform PEM -text -noout -in /var/puppet/ssl/ca/ca_crl.pem
>
> (where it's listed as 2B, because it's in hex, but the revoke date is
> right).
>
> It's also in the host ca on the puppetmaster -- so the two places there's
> a CA, it's listed with the right date. There's only one place each of
> these files can be pointed to in puppet.conf, so it's not possible that
> I've set it to be written, but not actually used, is it?

The CRL needs to be reloaded to take effect. As of Puppet Server 2.3, you can SIGHUP it to force the reload without having to incur the overhead of a full server restart (https://docs.puppet.com/puppetserver/latest/restarting.html).
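The thread above hinges on two details: Puppet prints the serial in decimal (43) while `openssl crl -text` prints it in hex (2B), and a serial that is present in the CRL on disk is not enforced until the server reloads it. The following added shell script is not from the thread or from Puppet; it is a small check an operator can run before and after the SIGHUP the reply describes. It converts a Puppet decimal serial to the hex form OpenSSL prints (two hex digits per byte, so 10 becomes 0A) and looks for it in the CRL's text dump. The `SAMPLE_CRL_TEXT` is a constructed stand-in for real `openssl crl -text -noout` output; `serial_revoked_in_crl` runs OpenSSL against a real CRL file such as the `/var/puppet/ssl/ca/ca_crl.pem` path quoted above.

```shell
#!/bin/sh
# Constructed sample of `openssl crl -inform PEM -text -noout` output.
# Serial 2B (decimal 43) and 1A (decimal 26) are listed as revoked.
SAMPLE_CRL_TEXT='Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: /CN=Puppet CA: pm.foo.org
        Last Update: Jun 15 20:30:00 2016 GMT
        Next Update: Jun 15 20:30:00 2021 GMT
Revoked Certificates:
    Serial Number: 2B
        Revocation Date: Jun 15 20:30:00 2016 GMT
    Serial Number: 1A
        Revocation Date: Jan 10 09:00:00 2016 GMT
'

# dec_to_hex: turn the decimal serial Puppet prints ("Revoked certificate
# with serial 43") into the uppercase hex OpenSSL prints in the CRL dump.
# OpenSSL emits two hex digits per byte, so odd-length values get a leading 0.
dec_to_hex() {
  h=$(printf '%X' "$1")
  case $((${#h} % 2)) in 1) h="0$h" ;; esac
  printf '%s\n' "$h"
}

# serial_revoked_in_text: given CRL text (as produced by `openssl crl -text`)
# and a decimal serial, exit 0 if that serial appears in the revoked list.
serial_revoked_in_text() {
  crl_text=$1
  hex=$(dec_to_hex "$2")
  printf '%s\n' "$crl_text" | grep -q "^ *Serial Number: ${hex}\$"
}

# serial_revoked_in_crl: same check against a real PEM CRL on disk.
# Usage: serial_revoked_in_crl /var/puppet/ssl/ca/ca_crl.pem 43
serial_revoked_in_crl() {
  serial_revoked_in_text "$(openssl crl -inform PEM -text -noout -in "$1")" "$2"
}

# Demonstration on the constructed sample.
if serial_revoked_in_text "$SAMPLE_CRL_TEXT" 43; then
  echo "serial 43 (hex $(dec_to_hex 43)) is listed as revoked in the CRL"
else
  echo "serial 43 is NOT in the CRL"
fi
```

A match here only shows the CRL file is correct; as the reply notes, the running Puppet Server still serves the old CRL until it is reloaded (SIGHUP on 2.3 and later, per the linked docs), so the agent continuing to receive catalogs after a successful `puppet cert clean` is expected until that reload happens.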