Details
- Bug
- Status: Closed
- Normal
- Resolution: Duplicate
- PUP 3.7.1
- None
- None
- CentOS 6 x86_64 Monolithic Puppet Master Running PE 3.7.1
  CentOS 6 x86_64 Puppet Agent Running PE 3.7.1
  CentOS 6 x86_64 Root & Intermediate CA
- Froyo
- 3
- Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
- Major
- 2 - 5-25% of Customers
- 3 - Serious
- 5 - $$$$$$
- By not supporting chained CRLs, the agent would not know that it should not talk to a master with a revoked cert.
- Bug Fix
- Automate
Description
While trying to test the following configuration: https://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca
I found that trying to use the CRL of the Root CA or the Intermediate CA, or a bundled version of these, did not work. Puppet Agent runs failed with the SSL error "unable to get certificate crl".
To work around this issue, I have had to disable CRL checking on the agent by using the following command: 'puppet config set --section agent certificate_revocation false'.
We need a way to either accept a bundled CRL or have separate settings for the Root CA CRL and 'Issuer CA' CRL.
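
The failure and the requested behaviour can be reproduced with Ruby's OpenSSL bindings; this is an added example, not code from the ticket or from Puppet. It assumes revocation is checked for every certificate in the chain (OpenSSL's `V_FLAG_CRL_CHECK_ALL`), and all CA and host names are constructed for the demo.

```ruby
require 'openssl'

# Constructed throwaway PKI; every name and value here is hypothetical.
def make_cert(cn, key, issuer_cert, issuer_key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def make_crl(ca_cert, ca_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Require a CRL for every certificate in the chain, not only the leaf.
def verify_with_crls(root, intermediate, leaf, crls)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  crls.each { |crl| store.add_crl(crl) }
  [store.verify(leaf, [intermediate]), store.error]
end

def crl_chain_demo
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert('Demo Root CA', rk, nil, rk, true)
  inter = make_cert('Demo Intermediate CA', ik, root, rk, true)
  leaf = make_cert('master.example.test', lk, inter, ik, false)
  check = ->(crls) { verify_with_crls(root, inter, leaf, crls) }
  { issuer_crl_only: check.([make_crl(inter, ik)]),
    bundled: check.([make_crl(root, rk), make_crl(inter, ik)]),
    leaf_revoked: check.([make_crl(root, rk), make_crl(inter, ik, [leaf.serial])]) }
end
```

Each result is a `[verified, error_code]` pair: with only the issuing CA's CRL loaded, verification stops with `V_ERR_UNABLE_TO_GET_CRL`, while the bundled case passes and the revoked server certificate is rejected.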
Issue Links
- relates to
  - PUP-8654 Agents should save all CRLs downloaded from the server (Closed)
  - PUP-7845 Support leaf certificate CRL checking (Closed)
  - SERVER-895 SSL configuration with intermediate CA (Closed)
  - DOCUMENT-59 External CA - Support for CRL - Documentation Update (Closed)
  - PUP-6697 Allow full downloaded CA bundle to be stored to agent's localcacert file (Closed)