Details
Type: Bug
Status: Closed
Priority: Normal
Resolution: Fixed
Fix Version/s: PUP 6.25.1, PUP 7.13.1
Component/s: None
Environment:
- OS: CentOS 7
- Puppet Agent: 7.13.1-1
- Puppet Server: 7.5.0-1
- Puppet DB: 7.8.0-1
Team: Phoenix
Story Points: 3
Sprint: Phoenix 2022-03-30, Phoenix 2022-04-13, Phoenix 2022-04-27
QA Risk Assessment: Needs Assessment
Release Notes: Bug Fix
Release Notes Summary: Puppet agent now reloads its CA and CRL bundles at the start of each run (every 30 minutes with the default runinterval). Previously they were loaded only when the process started, so the service had to be restarted whenever the CA or CRL files changed on disk.
Needs Assessment
Description
We have set up our puppet servers with a SubCA issued from our internal root. We have also set up a script to automatically load the Root CRLs into the PuppetServer CRL using the 'puppet-ca/v1/certificate_revocation_list' API endpoint. Finally, we have set crl_refresh_interval = 1d in puppet.conf on all of our agents.
However, the behavior we are seeing is that the CRL is only refreshed when puppet is manually run (e.g. using puppet agent --test from a root shell) or if the existing CRL is >1d old the first time puppet runs after the service is restarted. If the puppet agent is just left running (automatic runs every 30 minutes), the CRL is never refreshed and eventually expires.
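The pieces the reporter describes, as an added example that is not part of this ticket, of the reporter's script, or of Puppet's own code: a POSIX shell script that pushes a PEM CRL to the `puppet-ca/v1/certificate_revocation_list` endpoint (PUT, the update method of the Puppet Server CA API), applies a refresh rule that mirrors what `crl_refresh_interval` is meant to do and additionally checks the CRL's own nextUpdate (the expiry the reporter ran into), and on an agent restarts the service when the rule fires, which is the only way an agent older than the fixed versions picks up a changed crl.pem. The SSL directory, server name and port, the certname used for the PUT, the 1d fallback interval, and GNU `date`/`stat` (CentOS 7) are assumptions; the puppetserver auth.conf rule that allows the caller to PUT the CRL is outside the script.

```shell
#!/bin/sh
# Added example for this ticket; not Puppet's code and not the reporter's script.
# Assumptions: CentOS 7 defaults for a root-run agent, GNU date/stat, and a
# client certificate that puppetserver's auth.conf allows to PUT the CRL.
SSLDIR=${SSLDIR:-/etc/puppetlabs/puppet/ssl}   # assumed agent ssldir
PUPPETSERVER=${PUPPETSERVER:-puppet:8140}      # assumed server name/port

# puppet.conf duration ("1d", "12h", "30m", "90s", or bare seconds, which is
# how `puppet config print` shows a duration setting) to seconds.
# Puppet's units: y (365 days), d, h, m, s.
duration_to_seconds() {
    val=$1
    num=${val%[ydhms]}
    unit=${val#"$num"}
    case $unit in
        y) echo $((num * 365 * 86400)) ;;
        d) echo $((num * 86400)) ;;
        h) echo $((num * 3600)) ;;
        m) echo $((num * 60)) ;;
        s|'') echo "$num" ;;
        *) echo "bad duration: $val" >&2; return 1 ;;
    esac
}

# Earliest nextUpdate (epoch seconds) across every CRL in a PEM bundle.
# `openssl crl` reads only the first CRL in a file, and the agent's crl.pem is
# a bundle once a root CRL has been merged in, so split the bundle first.
bundle_min_next_update() {
    tmp=$(mktemp -d) || return 1
    awk -v dir="$tmp" '/-----BEGIN X509 CRL-----/{n++} n{print > (dir "/crl" n ".pem")}' "$1"
    min=
    for f in "$tmp"/crl*.pem; do
        [ -f "$f" ] || continue
        ts=$(openssl crl -in "$f" -noout -nextupdate | cut -d= -f2)
        e=$(date -u -d "$ts" +%s) || continue
        [ -z "$min" ] || [ "$e" -lt "$min" ] && min=$e
    done
    rm -rf "$tmp"
    [ -n "$min" ] && echo "$min"
}

# Refresh rule, pure arithmetic so it can be exercised without a real CRL.
# Arguments: now, crl.pem mtime, earliest nextUpdate (all epoch seconds), and
# crl_refresh_interval in seconds. Prints "refresh" when the file is at least
# interval old (what crl_refresh_interval is for) or the CRL is already past
# nextUpdate (the expiry the reporter hit), otherwise "ok".
crl_refresh_needed() {
    now=$1; mtime=$2; next_update=$3; interval=$4
    if [ $((now - mtime)) -ge "$interval" ] || [ "$next_update" -le "$now" ]; then
        echo refresh
    else
        echo ok
    fi
}

# Push one or more PEM CRLs (e.g. the root CRL the reporter imports) to
# puppetserver. PUT on this endpoint updates the server's CRL; it is meant for
# CRLs issued by CAs in the server's chain, and auth.conf must allow the caller.
push_crl() {
    cn=${AGENT_CERTNAME:-$(puppet config print certname)}   # assumed client cert
    curl --fail --silent --show-error -X PUT \
        --cert   "$SSLDIR/certs/$cn.pem" \
        --key    "$SSLDIR/private_keys/$cn.pem" \
        --cacert "$SSLDIR/certs/ca.pem" \
        -H 'Content-Type: text/plain' --data-binary "@$1" \
        "https://$PUPPETSERVER/puppet-ca/v1/certificate_revocation_list"
}

# Agent-side check. Until the agent runs a fixed version, the daemon never
# re-reads crl.pem, so restarting it is the only way to pick up a new CRL.
check_agent_crl() {
    crl=$SSLDIR/crl.pem
    raw=$(puppet config print crl_refresh_interval --section agent)
    interval=$(duration_to_seconds "${raw:-1d}")   # 1d: the reporter's setting, assumed when unset
    next=$(bundle_min_next_update "$crl") || { echo "$crl: no parsable CRL" >&2; return 1; }
    state=$(crl_refresh_needed "$(date +%s)" "$(stat -c %Y "$crl")" "$next" "$interval")
    echo "$crl: $state (earliest nextUpdate $(date -u -d "@$next" +%FT%TZ))"
    if [ "$state" = refresh ]; then systemctl restart puppet; fi
}

case ${1:-} in
    --check) check_agent_crl ;;
    --push)  push_crl "$2" ;;
esac
```

Saved as, say, crlcheck.sh, `sh crlcheck.sh --check` belongs in cron on each agent as the workaround until the agents are upgraded, and `sh crlcheck.sh --push root-crl.pem` runs wherever the root CRL is fetched. The restart is deliberately tied to the rule rather than unconditional, so a healthy agent is not bounced every run.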