Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-3788

Puppet Agent does not support Chained CRLs

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Duplicate
    • PUP 3.7.1
    • None
    • None

    • CentOS 6 x86_64 Monolithic Puppet Master Running PE 3.7.1
      CentOS 6 x86_64 Puppet Agent Running PE 3.7.1
      CentOS 6 x86_64 Root & Intermediate CA

    • Major
    • 2 - 5-25% of Customers
    • 3 - Serious
    • 5 - $$$$$$
    • By not supporting chained CRLS the agent would not know that it should not talk to a master with a revoke cert.
    • Bug Fix
    • Automate

    Description

      While trying to test the following configuration: https://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca

      I found that trying to use the CRL of the Root CA or the Intermediate CA OR a bundled version of these did not work. Puppet Agent runs failed with the SSL error "unable to get certificate crl "

      To work around this issue, I have had to disable CRL checking on the agent by using the following command 'puppet config set -section agent certificate_revocation false'.

      We need a way to either accept a bundled CRL or have separate settings for the Root CA CRL and 'Issuer CA' CRL.

      Attachments

        1. bc4day8u22sutut.delivery.puppetlabs.net.cert
          4 kB
        2. bc4day8u22sutut.delivery.puppetlabs.net.key
          2 kB
        3. ca_bundle.pem
          3 kB
        4. ca_crl.pem
          0.7 kB
        5. ca_crt.pem
          2 kB
        6. ca_key.pem
          2 kB
        7. crl_bundle.pem
          1 kB
        8. intermediate.cert.pem
          2 kB
        9. intermediate.key.pem
          2 kB
        10. root_ca_crl.pem
          0.7 kB
        11. to05sy0zz5zlsdj.delivery.puppetlabs.net.cert
          4 kB
        12. to05sy0zz5zlsdj.delivery.puppetlabs.net.key
          2 kB

        Issue Links

          relates to

          Sub-task - The sub-task of the issue PUP-8654 Agents should save all CRLs downloaded from the server

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. PUP-7845 Support leaf certificate CRL checking

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          New Feature - A new feature of the product, which has yet to be developed. SERVER-895 SSL configuration with intermediate CA

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. DOCUMENT-59 External CA - Support for CRL - Documentation Update

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              Unassigned Unassigned
              stan Stan Duffy
              Stan Duffy Stan Duffy
              Votes:
              2 Vote for this issue
              Watchers:
              21 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support