PUP-2310: Puppet client does not update and does not consult the CRL during authentication


Details

    • Reviewed
    • Enhancement
      By default, puppet agents download their CRL from the CA once, but never refresh it. In 6.5.0 it is now possible to specify the `crl_refresh_interval` puppet setting. If specified as a duration, such as 8h, 7d, etc., then the agent will refresh its CRL whenever it next runs and the elapsed time since the CRL was last refreshed exceeds the duration.

      In general, the duration should be greater than the `runinterval`. Setting it to an equal or lesser value will cause the CRL to be refreshed on every agent run.

      If the agent downloads a new CRL, then it will use the new CRL for all subsequent network requests. If the refresh request fails or if the CRL is unchanged on the CA, then the agent run will continue using the local CRL it already has.
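An added example, not Puppet's own code, that models the refresh policy the release note describes: a duration string is parsed, a refresh is due only when the time since the last refresh exceeds it, and a failed fetch or an unchanged CRL leaves the local CRL in use. The method names, treating an unset setting as `nil`, and the strict "exceeds" comparison are assumptions made for this example.

```ruby
# Added example (not Puppet's own code): a model of the crl_refresh_interval
# policy from the release note. Method names and the nil-means-unset
# convention are assumptions made for this example.

DURATION_UNITS = { 's' => 1, 'm' => 60, 'h' => 3600, 'd' => 86_400 }.freeze

# Parse a duration such as "30m", "8h" or "7d" into seconds.
def parse_duration(str)
  m = /\A(\d+)([smhd])\z/.match(str.to_s)
  raise ArgumentError, "bad duration: #{str.inspect}" unless m
  m[1].to_i * DURATION_UNITS[m[2]]
end

# True when the time elapsed since the last refresh exceeds the interval.
# interval nil: setting unset, so keep the pre-6.5 behaviour of never refreshing.
# last_refreshed nil: only the bootstrap CRL is present, so refresh now (assumption).
def crl_refresh_due?(interval:, last_refreshed:, now:)
  return false if interval.nil?
  return true if last_refreshed.nil?
  (now - last_refreshed) > interval
end

# Decide which CRL the agent uses for the rest of this run. The block fetches
# the CA's current CRL (PEM text) and raises on a network or HTTP failure.
# Returns [crl_to_use, outcome].
def refresh_crl(local_crl:, interval:, last_refreshed:, now:)
  due = crl_refresh_due?(interval: interval, last_refreshed: last_refreshed, now: now)
  return [local_crl, :not_due] unless due
  remote_crl = yield
  remote_crl == local_crl ? [local_crl, :unchanged] : [remote_crl, :updated]
rescue StandardError
  [local_crl, :fetch_failed] # the run continues with the CRL already on disk
end

# The release note's caveat: an interval at or below runinterval refreshes every run.
def refresh_every_run?(crl_refresh_interval:, runinterval:)
  parse_duration(crl_refresh_interval) <= parse_duration(runinterval)
end
```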

    Description

      In my tests the puppet client never updates its /var/lib/puppet/ssl/ca/ca_crl.pem from the master;
      even if I delete it, it is not fetched from the master when the client runs.

      Another issue is that the puppet client does not consult the CRL: after revoking the cert of node dev2.internal on the master, and manually copying /var/lib/puppet/ssl/ca/{ca_crl.pem,inventory.txt} to client mon1a.internal and restarting the client to make sure it can pick up the CRL changes, I was still able to trigger a client puppet run on mon1a.internal from dev2.internal.

      It looks like the puppet client does not take the CRL into consideration when authenticating.

      The relevant config on mon1a.internal is
      <pre>
      # allow all authenticated nodes to trigger puppet run
      path /run
      method save
      auth yes
      allow *
      </pre>
      This ACL comes first in the auth.conf file.

      And this is the command I used to trigger a puppet run from dev2.internal
      <pre>
      curl --cert /var/lib/puppet/ssl/certs/dev2.internal.pem --key /var/lib/puppet/ssl/private_keys/dev2.internal.pem --cacert /var/lib/puppet/ssl/certs/ca.pem -H "Content-Type: text/pson" -d "{}" https://mon1a.internal:8139/production/run/dev2.internal
      </pre>
      Could these problems be taken care of?

      Thanks
      Alex

      Ed: the description from #9205, which is closely related, is included below.

      We came across this in a weird way. Last night we reissued the CA certificate, which had expired. We then reissued the puppetmaster and puppetca certificate (which we had to do for RHEL4 and RHEL5, but all other systems were happy without this step). We then noticed on RHEL4 and RHEL5 that they were still complaining about cert validation, but ONLY for getting plugins and sending the report (it got a catalog and was able to get files for modules, etc., just fine). We did an strace and found these were the only times it was trying to get a CRL (and was failing). Why is this the only time the CRL was in play?

      People

        Josh Cooper
        redmine.exporter
        Eric Thompson
        Votes: 8
        Watchers: 22