On Thu, 16 Jun 2016, Kurt Wall wrote:
The CRL needs to be reloaded to take effect. As of Puppet Server 2.3, you can
SIGHUP it to force the reload without having to incur the overhead of a full
server restart (https://docs.puppet.com/puppetserver/latest/restarting.html).
Thanks Kurt, this helped!
I'd think doing a revoke would cause a forced reload of the CRL -- at
least if I'm using the built-in webrick puppetmaster (maybe it would
stat() the file and check the date to see if there's a reload?). I guess
I'd be wrong. As it's largely deprecated, suggesting improvements to it
seems sort of moot.
(It would also be nice if the CA had some kind of hook it could run when
you do a revoke -- like an apachectl graceful).
Reading up, it looks like if I'm using apache (which I just switched over
to), I can configure an OCSP responder on the same box, and have apache
check that on the fly, which would save apache from having to read a
static file. In that way, revoked really is revoked, immediately.
As mentioned in a previous thread, it would be good if puppet fired up its
own OCSP responder, and embedded the OCSP url into the certificates it
issues.
-Dan
--
--------Dan Mahoney--------
Techie, Sysadmin, WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144 AIM: LarpGM
Site: http://www.gushi.org
---------------------------
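As an added illustration of the failure mode Kurt and Dan are discussing (my own example, not code from this thread or from Puppet): a small revocation-list cache that reads its CRL once, as the old webrick master effectively did, next to one that re-stats the file on every check, plus a SIGHUP handler of the kind Puppet Server 2.3 provides. The "CRL" here is a constructed plain-text file of revoked serials standing in for a real X.509 CRL, and the `revoke()` helper is a stand-in for the CA's revoke step; both are assumptions made so the example runs with the standard library alone.

```python
"""Added example, not code from the thread or from Puppet: a minimal
revocation-list cache showing why a revoke is not effective until the
verifier reloads its CRL, and two ways a server can pick the change up.

Constructed assumptions:
  * The "CRL" is a plain text file with one revoked serial per line, standing
    in for a real X.509 CRL so the example runs with the standard library only.
  * Reload happens either on a stat()/mtime change (the check Dan wonders
    about) or on SIGHUP (what Puppet Server 2.3 offers).
"""
import os
import signal
import tempfile


class CrlCache:
    """Holds the revoked-serial set a server consults on each connection."""

    def __init__(self, path, watch_mtime=False):
        self.path = path
        self.watch_mtime = watch_mtime
        self._mtime = None
        self._revoked = set()
        self.reloads = 0
        self.reload()

    def reload(self):
        # Re-read the file and remember its mtime so a later stat() can tell
        # whether the CA has written a new CRL since this copy was loaded.
        with open(self.path) as fh:
            self._revoked = {ln.strip().lower() for ln in fh if ln.strip()}
        self._mtime = os.stat(self.path).st_mtime_ns
        self.reloads += 1

    def is_revoked(self, serial):
        if self.watch_mtime and os.stat(self.path).st_mtime_ns != self._mtime:
            self.reload()
        return serial.lower() in self._revoked


def revoke(path, serial):
    """Stand-in for the CA's revoke step: append the serial and bump mtime."""
    with open(path, "a") as fh:
        fh.write(serial + "\n")
    # Push mtime forward by a full second so the change is visible even on
    # filesystems with coarse timestamp granularity.
    st = os.stat(path)
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns + 1_000_000_000))


def install_sighup_reload(cache):
    """Reload the CRL when the process receives SIGHUP (Puppet Server 2.3 style)."""
    signal.signal(signal.SIGHUP, lambda signum, frame: cache.reload())


def demo():
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "crl.txt")
        open(path, "w").close()                    # empty CRL: nothing revoked yet
        static = CrlCache(path)                    # reads the CRL once, like webrick
        live = CrlCache(path, watch_mtime=True)    # re-stats the file per check
        revoke(path, "0A")
        results = {
            "static_after_revoke": static.is_revoked("0a"),  # stale copy: False
            "stat_after_revoke": live.is_revoked("0a"),      # picked up: True
        }
        install_sighup_reload(static)
        signal.raise_signal(signal.SIGHUP)         # operator sends HUP to the server
        results["static_after_sighup"] = static.is_revoked("0a")  # now True
        results["static_reloads"] = static.reloads                # 2
        return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The stale `static` cache keeps accepting the revoked serial until something triggers a reload; the stat-based cache and the HUP handler are the two fixes the thread talks about, and the OCSP route Dan mentions removes the cached file from the picture altogether. On the Apache side the equivalents are `SSLCARevocationFile` with `SSLCARevocationCheck chain` for a static CRL (which still needs a graceful restart after the file changes) and `SSLOCSPEnable on`, optionally with `SSLOCSPDefaultResponder` and `SSLOCSPOverrideResponder on`, for the live check.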