PUP-3788

Puppet Agent does not support Chained CRLs

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.7.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:

      CentOS 6 x86_64 Monolithic Puppet Master Running PE 3.7.1
      CentOS 6 x86_64 Puppet Agent Running PE 3.7.1
      CentOS 6 x86_64 Root & Intermediate CA

    • CS Priority:
      Major
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      5 - $$$$$$
    • CS Impact:
      By not supporting chained CRLs, the agent would not know that it should not talk to a master with a revoked cert.
    • Release Notes:
      Bug Fix
    • QA Risk Assessment:
      Automate

      Description

      While trying to test the following configuration: https://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca

      I found that trying to use the CRL of the Root CA or the Intermediate CA OR a bundled version of these did not work. Puppet Agent runs failed with the SSL error "unable to get certificate crl".

      To work around this issue, I have had to disable CRL checking on the agent by using the following command 'puppet config set --section agent certificate_revocation false'.

      We need a way to either accept a bundled CRL or have separate settings for the Root CA CRL and 'Issuer CA' CRL.

        Attachments

        1. to05sy0zz5zlsdj.delivery.puppetlabs.net.key
          2 kB
        2. to05sy0zz5zlsdj.delivery.puppetlabs.net.cert
          4 kB
        3. bc4day8u22sutut.delivery.puppetlabs.net.key
          2 kB
        4. bc4day8u22sutut.delivery.puppetlabs.net.cert
          4 kB
        5. ca_key.pem
          2 kB
        6. ca_crt.pem
          2 kB
        7. root_ca_crl.pem
          0.7 kB
        8. intermediate.key.pem
          2 kB
        9. intermediate.cert.pem
          2 kB
        10. ca_crl.pem
          0.7 kB
        11. ca_bundle.pem
          3 kB
        12. crl_bundle.pem
          1 kB


                People

                • Assignee:
                  Unassigned
                  Reporter:
                  stan Stan Duffy
                  QA Contact:
                  Stan Duffy
                • Votes:
                  2
                  Watchers:
                  21

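The behaviour reported in the description can be reproduced with Ruby's OpenSSL bindings. The following is an added example, not part of the original ticket and not Puppet's code: under full-chain CRL checking every CA in the chain needs its own CRL in the store, and a PEM bundle has to be split before loading. The PKI, the names and the helper functions are constructed for illustration.

```ruby
require 'openssl'

# Constructed test PKI (hypothetical names): root CA -> intermediate CA -> master cert.
def make_cert(cn, key, issuer, issuer_key, serial, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2 # X.509 v3
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject # nil issuer means self-signed
  cert.public_key = key # only the public half is embedded in the certificate
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def make_crl(issuer, issuer_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1 # CRL v2
  crl.issuer = issuer.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# OpenSSL::X509::CRL.new parses only the first PEM block, so a bundle is split first.
def split_crl_bundle(pem)
  pem.scan(/-----BEGIN X509 CRL-----.+?-----END X509 CRL-----/m).map { |b| OpenSSL::X509::CRL.new(b) }
end

# Verify the master cert against the root with the given CRLs; returns OpenSSL's error code.
def verify_code(leaf, intermediate, root, crls, check_crls: true)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  crls.each { |crl| store.add_crl(crl) }
  all = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  store.flags = all if check_crls # check_crls: false models certificate_revocation = false
  store.verify(leaf, [intermediate])
  store.error
end

ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Example Root CA', ROOT_KEY, nil, ROOT_KEY, 1, true)
INTERMEDIATE = make_cert('Example Intermediate CA', INT_KEY, ROOT, ROOT_KEY, 2, true)
MASTER = make_cert('master.example.test', LEAF_KEY, INTERMEDIATE, INT_KEY, 3, false)
```

With only one of the two CRLs loaded, `verify_code` returns `V_ERR_UNABLE_TO_GET_CRL`, the error quoted in the description. With `check_crls: false`, a master certificate listed in the intermediate CA's CRL still verifies, which is the exposure the CS Impact field describes.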