  1. Puppet
  2. PUP-3788

Puppet Agent does not support Chained CRLs


    • Type: Bug
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: PUP 3.7.1
    • Fix Version/s: None
    • Component/s: None
    • Labels:
    • Environment:

      CentOS 6 x86_64 Monolithic Puppet Master Running PE 3.7.1
      CentOS 6 x86_64 Puppet Agent Running PE 3.7.1
      CentOS 6 x86_64 Root & Intermediate CA

    • CS Priority:
    • CS Frequency:
      2 - 5-25% of Customers
    • CS Severity:
      3 - Serious
    • CS Business Value:
      5 - $$$$$$
    • CS Impact:
      By not supporting chained CRLs, the agent would not know that it should not talk to a master with a revoked cert.
    • Release Notes:
      Bug Fix
    • QA Risk Assessment:


      While trying to test the following configuration: https://docs.puppetlabs.com/puppet/3/reference/config_ssl_external_ca.html#option-2-single-intermediate-ca

      I found that trying to use the CRL of the Root CA or the Intermediate CA OR a bundled version of these did not work. Puppet Agent runs failed with the SSL error "unable to get certificate crl".

      To work around this issue, I have had to disable CRL checking on the agent by using the following command: 'puppet config set --section agent certificate_revocation false'.

      We need a way to either accept a bundled CRL or have separate settings for the Root CA CRL and 'Issuer CA' CRL.


        1. bc4day8u22sutut.delivery.puppetlabs.net.cert (4 kB, Stan Duffy)
        2. bc4day8u22sutut.delivery.puppetlabs.net.key (2 kB, Stan Duffy)
        3. ca_bundle.pem (3 kB, Stan Duffy)
        4. ca_crl.pem (0.7 kB, Stan Duffy)
        5. ca_crt.pem (2 kB, Stan Duffy)
        6. ca_key.pem (2 kB, Stan Duffy)
        7. crl_bundle.pem (1 kB, Stan Duffy)
        8. intermediate.cert.pem (2 kB, Stan Duffy)
        9. intermediate.key.pem (2 kB, Stan Duffy)
        10. root_ca_crl.pem (0.7 kB, Stan Duffy)
        11. to05sy0zz5zlsdj.delivery.puppetlabs.net.cert (4 kB, Stan Duffy)
        12. to05sy0zz5zlsdj.delivery.puppetlabs.net.key (2 kB, Stan Duffy)
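
The error reported in this ticket can be reproduced outside Puppet with Ruby's OpenSSL bindings. The script below is an added example, not code from the ticket or from Puppet; it assumes the agent checks revocation for every certificate in the chain (`V_FLAG_CRL_CHECK_ALL`), and the CA names, hostname and keys are constructed.

```ruby
require 'openssl'

# Constructed throwaway PKI: root CA -> intermediate CA -> master (leaf) certificate.
def make_cert(cn, key, issuer, issuer_key, ca:, serial:)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# An empty CRL (nothing revoked) signed by the given CA.
def make_crl(ca_cert, ca_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Verify the leaf with CRL checking on every chain element (assumed agent behaviour).
# Returns [ok, error_code, error_string].
def verify_with_crls(crls)
  store = OpenSSL::X509::Store.new
  store.add_cert(ROOT)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  crls.each { |crl| store.add_crl(crl) }
  ctx = OpenSSL::X509::StoreContext.new(store, LEAF, [INTERMEDIATE])
  [ctx.verify, ctx.error, ctx.error_string]
end

ROOT_KEY, INT_KEY, LEAF_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT = make_cert('Example Root CA', ROOT_KEY, nil, ROOT_KEY, ca: true, serial: 1)
INTERMEDIATE = make_cert('Example Intermediate CA', INT_KEY, ROOT, ROOT_KEY, ca: true, serial: 2)
LEAF = make_cert('master.example.test', LEAF_KEY, INTERMEDIATE, INT_KEY, ca: false, serial: 3)
ROOT_CRL = make_crl(ROOT, ROOT_KEY)
INT_CRL = make_crl(INTERMEDIATE, INT_KEY)

p verify_with_crls([ROOT_CRL])           # only the root CA's CRL
p verify_with_crls([INT_CRL])            # only the issuing CA's CRL
p verify_with_crls([ROOT_CRL, INT_CRL])  # one CRL per CA in the chain
```

Only the last call verifies: with chain-wide checking, the verifier needs a current CRL from every CA in the path, so a CRL setting that holds a single CRL cannot satisfy it.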

              • Assignee: Stan Duffy
              • QA Contact: Stan Duffy
              • Votes: 2
              • Watchers: 21