Details
-
Type:
Bug
-
Status: Closed
-
Priority:
Normal
-
Resolution: Duplicate
-
Affects Version/s: PUP 3.7.1
-
Fix Version/s: None
-
Component/s: Puppet Server
-
Labels:
-
Environment:
CentOS 6 x86_64 Monolithic Puppet Master Running PE 3.7.1
CentOS 6 x86_64 Puppet Agent Running PE 3.7.1
CentOS 6 x86_64 Root & Intermediate CA
-
Template:customfield_10700 62370
-
Epic Link:
-
Team:Server
-
Story Points:3
-
Sprint:Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
-
CS Priority:Major
-
CS Frequency:2 - 5-25% of Customers
-
CS Severity:3 - Serious
-
CS Business Value:5 - $$$$$$
-
CS Impact:By not supporting chained CRLS the agent would not know that it should not talk to a master with a revoke cert.
-
Release Notes:Bug Fix
-
QA Risk Assessment:Automate
Description
While trying to test the following configuration: https://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca
I found that trying to use the CRL of the Root CA or the Intermediate CA OR a bundled version of these did not work. Puppet Agent runs failed with the SSL error "unable to get certificate crl "
To work around this issue, I have had to disable CRL checking on the agent by using the following command 'puppet config set -section agent certificate_revocation false'.
We need a way to either accept a bundled CRL or have separate settings for the Root CA CRL and 'Issuer CA' CRL.
Attachments
Issue Links
- relates to
-
PUP-8654 Agents should save all CRLs downloaded from the server
-
- Closed
-
-
PUP-7845 Support leaf certificate CRL checking
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-
-
-
- Closed
-