Hello, I've configured my puppetserver with an External CA <https://docs.puppet.com/puppetserver/latest/external_ca_configuration.html>, and everything was working as expected right off the bat, but when I add the CRL path, puppet agent runs on all hosts stop working. webserver.conf looks like this:
    webserver: {
        access-log-config: /etc/puppetlabs/puppetserver/request-logging.xml
        client-auth: want
        ssl-host: 0.0.0.0
        ssl-port: 8140
        ssl-cert: /etc/puppetlabs/puppet/ssl/certs/<hostname>
        ssl-key: /etc/puppetlabs/puppet/ssl/private_keys/<hostname>
        ssl-ca-cert: /etc/puppetlabs/puppet/ssl/ca/ca.crt
        ssl-cert-chain: /etc/puppetlabs/puppet/ssl/ca/ca_chain.pem
        ssl-crl-path: /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem
    }

At first there weren't any errors appearing in the puppetserver logs, but after changing the logback log level to DEBUG, I finally found errors in the puppetserver.log file:

    2017-03-21 16:28:11,652 DEBUG [qtp1057116152-68] [o.e.j.s.HttpConnection]
    javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Handshaker.checkThrown(Handshaker.java:1478)
        at sun.security.ssl.SSLEngineImpl.checkTaskThrown(SSLEngineImpl.java:535)
        at sun.security.ssl.SSLEngineImpl.readNetRecord(SSLEngineImpl.java:813)
        at sun.security.ssl.SSLEngineImpl.unwrap(SSLEngineImpl.java:781)
        at javax.net.ssl.SSLEngine.unwrap(SSLEngine.java:624)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:516)
        at org.eclipse.jetty.server.HttpConnection.onFillable(HttpConnection.java:239)
        at org.eclipse.jetty.io.AbstractConnection$2.run(AbstractConnection.java:540)
        at org.eclipse.jetty.util.thread.QueuedThreadPool.runJob(QueuedThreadPool.java:635)
        at org.eclipse.jetty.util.thread.QueuedThreadPool$3.run(QueuedThreadPool.java:555)
        at java.lang.Thread.run(Thread.java:745)
    Caused by: javax.net.ssl.SSLHandshakeException: General SSLEngine problem
        at sun.security.ssl.Alerts.getSSLException(Alerts.java:192)
        at sun.security.ssl.SSLEngineImpl.fatal(SSLEngineImpl.java:1728)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:304)
        at sun.security.ssl.Handshaker.fatalSE(Handshaker.java:296)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1906)
        at sun.security.ssl.ServerHandshaker.processMessage(ServerHandshaker.java:233)
        at sun.security.ssl.Handshaker.processLoop(Handshaker.java:1026)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:966)
        at sun.security.ssl.Handshaker$1.run(Handshaker.java:963)
        at java.security.AccessController.doPrivileged(Native Method)
        at sun.security.ssl.Handshaker$DelegatedTask.run(Handshaker.java:1416)
        at org.eclipse.jetty.io.ssl.SslConnection$DecryptedEndPoint.fill(SslConnection.java:612)
        ... 5 common frames omitted
    Caused by: sun.security.validator.ValidatorException: PKIX path validation failed: java.security.cert.CertPathValidatorException: Could not determine revocation status
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:352)
        at sun.security.validator.PKIXValidator.engineValidate(PKIXValidator.java:249)
        at sun.security.validator.Validator.validate(Validator.java:260)
        at sun.security.ssl.X509TrustManagerImpl.validate(X509TrustManagerImpl.java:324)
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:279)
        at sun.security.ssl.X509TrustManagerImpl.checkClientTrusted(X509TrustManagerImpl.java:130)
        at sun.security.ssl.ServerHandshaker.clientCertificate(ServerHandshaker.java:1893)
        ... 12 common frames omitted
    Caused by: java.security.cert.CertPathValidatorException: Could not determine revocation status
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:135)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:219)
        at sun.security.provider.certpath.PKIXCertPathValidator.validate(PKIXCertPathValidator.java:140)
        at sun.security.provider.certpath.PKIXCertPathValidator.engineValidate(PKIXCertPathValidator.java:79)
        at java.security.cert.CertPathValidator.validate(CertPathValidator.java:292)
        at sun.security.validator.PKIXValidator.doValidate(PKIXValidator.java:347)
        ... 18 common frames omitted
    Caused by: java.security.cert.CertPathValidatorException: Could not determine revocation status
        at sun.security.provider.certpath.RevocationChecker.buildToNewKey(RevocationChecker.java:1092)
        at sun.security.provider.certpath.RevocationChecker.verifyWithSeparateSigningKey(RevocationChecker.java:910)
        at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:577)
        at sun.security.provider.certpath.RevocationChecker.checkCRLs(RevocationChecker.java:465)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:367)
        at sun.security.provider.certpath.RevocationChecker.check(RevocationChecker.java:337)
        at sun.security.provider.certpath.PKIXMasterCertPathValidator.validate(PKIXMasterCertPathValidator.java:125)
        ... 23 common frames omitted

Testing the CRL using openssl works as expected: after concatenating the CA cert and the CRL, running the openssl command below verifies that the cert hasn't been revoked.

    $ openssl verify -crl_check -CAfile crl_ca.pem /etc/puppetlabs/puppet/ssl/certs/<hostname>.pem
    /etc/puppetlabs/puppet/ssl/certs/<hostname>.pem: OK

OpenSSL also verifies that certs have been revoked:

    $ openssl verify -crl_check -CAfile crl_chain3.pem <revoked cert>.pem
    <revoked cert>.pem: O = <domain>, CN = <hostname>
    error 23 at 0 depth lookup:certificate revoked

Are there any additional settings needed to get Java to honor the CRL? Is there any resource for better logging to be able to narrow down the issue? Is using a CRL with an external CA still supported in puppetserver, or should I avoid using a CRL and use OCSP instead? Any help or advice would be hugely appreciated. Thanks a lot.
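The openssl checks from the post, carried one step further as an added example (this is not code from the post, from Puppet Server, or from the external CA in question). The script builds a throwaway two-tier PKI (a root CA, an intermediate CA and two host certs; every name, path and key below is constructed), revokes one host cert, issues a CRL from each CA, and then runs the checks worth making before pointing ssl-crl-path at a CRL file: that the CRL's signature verifies with the key of the CA that issued the host certs, that the CRL issuer DN equals the host certs' issuer DN, the leaf-only check the post ran (openssl verify -crl_check), and a whole-chain check (-crl_check_all). The last check is the one that differs from what the post tested: once revocation checking is enabled, Java's PKIX validator has to determine the revocation status of every certificate in the path below the trust anchor, not only the agent cert, so when the issuing CA is an intermediate the CRL file handed to Java also needs the root's CRL covering the intermediate. The trace above fails inside RevocationChecker.checkCRLs, which is exactly that stage, so a missing CRL for a CA cert in the chain is one thing worth ruling out. The script assumes an openssl binary on PATH and a writable temporary directory.

```shell
#!/bin/sh
# Added example, not from the original post: build a constructed two-tier PKI,
# revoke one host cert, publish CRLs from both CAs, and run the CRL checks that
# matter for OpenSSL and for Java PKIX validation. Assumes `openssl` on PATH.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Extensions for the constructed CA and host certificates.
cat > ext.cnf <<'EOF'
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_host ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# Minimal `openssl ca` configuration so each CA can revoke certs and sign CRLs.
ca_cnf() {  # $1 = CA name (root or int)
  cat > "$1.cnf" <<EOF
[ ca ]
default_ca = ca_default
[ ca_default ]
dir = .
database = $1.db
new_certs_dir = .
certificate = $1.crt
private_key = $1.key
serial = $1.srl
crlnumber = $1.crlnum
default_md = sha256
default_crl_days = 30
policy = policy_any
[ policy_any ]
commonName = supplied
EOF
  : > "$1.db"
  echo 1000 > "$1.crlnum"
}

# Root CA (self-signed) and an intermediate CA signed by the root.
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 365 \
  -extfile ext.cnf -extensions v3_ca -out root.crt 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial -days 365 \
  -extfile ext.cnf -extensions v3_ca -out int.crt 2>/dev/null
cat int.crt root.crt > chain.pem   # the equivalent of ssl-cert-chain / -CAfile

# Two host certs issued by the intermediate; the second one gets revoked.
for h in good revoked; do
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$h.example.test" \
    -keyout "$h.key" -out "$h.csr" 2>/dev/null
  openssl x509 -req -in "$h.csr" -CA int.crt -CAkey int.key -CAcreateserial -days 365 \
    -extfile ext.cnf -extensions v3_host -out "$h.crt" 2>/dev/null
done

# Revoke one host cert, then issue a CRL from each CA and a combined CRL file.
ca_cnf root; ca_cnf int
openssl ca -config int.cnf -revoke revoked.crt 2>/dev/null
openssl ca -config int.cnf -gencrl -out int.crl 2>/dev/null
openssl ca -config root.cnf -gencrl -out root.crl 2>/dev/null
cat int.crl root.crl > crls.pem

# Check 1: the CRL signature must verify with the cert of the CA that issued the hosts.
crl_signed_by() {  # $1 = CRL, $2 = CA cert; exit 0 when the signature verifies
  openssl crl -in "$1" -CAfile "$2" -noout >/dev/null 2>&1
}

# Check 2: the CRL issuer DN must equal the host certificate's issuer DN.
crl_matches_issuer() {  # $1 = CRL, $2 = host cert
  [ "$(openssl crl -in "$1" -noout -issuer)" = "$(openssl x509 -in "$2" -noout -issuer)" ]
}

# Check 3: leaf-only revocation check, which is what the post's `-crl_check` run did.
verify_leaf() {  # $1 = CRL file, $2 = cert to verify
  openssl verify -crl_check -CAfile chain.pem -CRLfile "$1" "$2" >/dev/null 2>&1
}

# Check 4: whole-chain revocation check. Java PKIX needs a CRL for every cert
# below the trust anchor; OpenSSL's -crl_check_all additionally wants one that
# covers the self-signed root itself, which root.crl also provides here.
verify_chain() {  # $1 = CRL file, $2 = cert to verify
  openssl verify -crl_check_all -CAfile chain.pem -CRLfile "$1" "$2" >/dev/null 2>&1
}

crl_signed_by int.crl int.crt       && echo "int.crl is signed by the intermediate CA"
crl_matches_issuer int.crl good.crt && echo "int.crl issuer matches the host cert issuer"
verify_leaf int.crl good.crt        && echo "leaf check: good.crt OK"
verify_leaf int.crl revoked.crt     || echo "leaf check: revoked.crt rejected"
verify_chain int.crl good.crt       || echo "chain check with int.crl only: fails, no CRL covers the intermediate"
verify_chain crls.pem good.crt      && echo "chain check with both CRLs: good.crt OK"
```

The leaf-only check passes with the intermediate's CRL alone, which is the situation the post describes, while the whole-chain check only passes once the root's CRL is concatenated into the same file. If the CRL handed to ssl-crl-path fails either of the first two checks against the CA cert that actually issued the agent certificates, Java will likewise be unable to establish revocation status.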