  1. Puppet Enterprise
  2. ENTERPRISE-1284

HA replica can provide the wrong CRL to the master


    Details

    • Template:
    • Method Found:
      Customer Feedback
    • Release Notes:
      Known Issue
    • Release Notes Summary:
      Running `puppet cert list` on a replica will create a CA on the replica.
    • QA Risk Assessment:
      Needs Assessment

      Description

      In an HA deployment, there is a scenario where the replica will deliver the wrong crl.pem to the master, which will cause an outage.

      When there is a `ca` on the replica, a catalog compiled on the replica will replace the `crl.pem` with the local `ca/ca_crl.pem` instead of the one from the master. When the `pe-puppetserver` on the master is not available to compile the master's catalog, the replica will deliver an incorrect crl.pem.

      Reproduction Steps
      1. Install PE 2018.1.9
      2. Provision and enable a replica
      3. On the replica run `puppet cert list`, which will generate a new CA on the replica
      4. Stop the `pe-puppetserver` service on the master
      5. Run the puppet agent on the replica and observe that the `crl.pem` has been replaced with the wrong one
      6. Run the puppet agent on the master and observe that the `crl.pem` has been replaced with the wrong one
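
A check for the state these steps produce, added here as an example and not taken from the ticket or from Puppet's code. The function name `check_replica_crl` is hypothetical, the ssldir is supplied by the caller, the optional reference CRL is a copy of the master's CRL obtained out of band, and the check assumes the catalog copies `ca/ca_crl.pem` to `crl.pem` byte for byte.

```shell
#!/bin/sh
# Added example (not Puppet's code): detect the condition from this ticket
# on a replica, or on a master that has already received the wrong CRL.

# check_replica_crl SSLDIR [REFERENCE_CRL]
# Prints one finding per line.
# Returns 0 when clean, 1 when a finding was reported, 2 when crl.pem is missing.
check_replica_crl() {
    ssldir=$1
    reference=${2:-}
    findings=0

    if [ ! -f "$ssldir/crl.pem" ]; then
        echo "ERROR: $ssldir/crl.pem not found"
        return 2
    fi

    # Step 3 of the reproduction leaves a ca/ directory on the replica.
    if [ -d "$ssldir/ca" ]; then
        echo "FINDING: local CA directory present at $ssldir/ca"
        findings=1
        # Steps 5 and 6: crl.pem has been replaced by the local CA's CRL.
        if [ -f "$ssldir/ca/ca_crl.pem" ] &&
           cmp -s "$ssldir/crl.pem" "$ssldir/ca/ca_crl.pem"; then
            echo "FINDING: crl.pem is identical to local ca/ca_crl.pem"
        fi
    fi

    # Optional: compare with a known-good copy of the master's CRL.
    # A mismatch can also mean the reference copy is stale, so treat it
    # as a prompt to investigate rather than as proof.
    if [ -n "$reference" ] && ! cmp -s "$ssldir/crl.pem" "$reference"; then
        echo "FINDING: crl.pem differs from reference CRL $reference"
        findings=1
    fi

    return "$findings"
}
```

Source the file and call `check_replica_crl` with the node's ssldir (and, optionally, the path to the reference CRL) before relying on the replica to serve catalogs.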

            People

            Assignee:
            nick.walker Nick Walker
            Reporter:
            adrian.parreiras-horta Adrian Parreiras Horta