Description
Since SERVER-85, puppetserver syncs the cacrl to the hostcrl at startup if the CA service is enabled, and a newly installed puppetserver provides the CA service by default.
https://tickets.puppetlabs.com/browse/SERVER-85
This turned out awkwardly for me because actually my puppet agent was not planning to use the local puppetserver as its CA. Once puppetserver was configured by the puppet agent, the puppet agent could no longer complete an agent run.
It would be better behaviour to check if the issuer of the on-disk cacrl matched the issuer of the puppet config's ca_server's offered CRL, and if not, do not replace the hostcrl.
It would be super-better if the agent just used the most up to date CRL from its ca_server. That discussion appears to already be happening over in PUP-2310.
I am going to mitigate this in puppet by templating bootstrap.cfg and then firing an exec to rm the hostcrl if the file changes. The agent always seems to happily re-download its CRL when the hostcrl is missing.
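As an added illustration of the issuer check proposed above (example code written for this page, not code from puppetserver or from this ticket), the Ruby below uses the standard OpenSSL bindings to build two constructed CAs with one CRL each and then applies the rule: overwrite hostcrl with cacrl only when both CRLs name the same issuer. The file paths, the CN values, and the choice to leave a missing hostcrl alone so the agent re-downloads it from its ca_server are assumptions made for the example.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed test data only: a throwaway CA key and an empty CRL signed by it.
# These are not Puppet's real CA files; the CN is made up for the example.
def make_ca_crl_pem(cn)
  key = OpenSSL::PKey::RSA.new(2048)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = OpenSSL::X509::Name.parse("/CN=Puppet CA: #{cn}")
  crl.last_update = Time.now
  crl.next_update = Time.now + 3600
  crl.sign(key, OpenSSL::Digest::SHA256.new)
  crl.to_pem
end

# Issuer DN of a PEM CRL, in the same one-line form `openssl crl -issuer` prints.
def crl_issuer(pem)
  OpenSSL::X509::CRL.new(pem).issuer.to_s
end

# Proposed sync rule: replace hostcrl with cacrl only when the issuers match.
# Returns a symbol describing what was done so callers (and tests) can check it.
def sync_hostcrl(cacrl_path, hostcrl_path)
  ca_pem = File.read(cacrl_path)
  # Assumption for this example: a missing hostcrl is left missing, since the
  # agent re-downloads its CRL from ca_server when the file is absent.
  return :no_hostcrl unless File.exist?(hostcrl_path)
  host_pem = File.read(hostcrl_path)
  return :unchanged if host_pem == ca_pem
  # Different issuer means the agent trusts another CA: do not clobber its CRL.
  return :skipped_issuer_mismatch unless crl_issuer(host_pem) == crl_issuer(ca_pem)
  File.write(hostcrl_path, ca_pem)
  :replaced
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |dir|
    cacrl   = File.join(dir, 'ca_crl.pem')   # assumed path, stands in for cacrl
    hostcrl = File.join(dir, 'crl.pem')      # assumed path, stands in for hostcrl
    File.write(cacrl, make_ca_crl_pem('puppetmaster2dev.example'))
    File.write(hostcrl, make_ca_crl_pem('puppetmaster1.example'))
    puts "hostcrl issuer before: #{crl_issuer(File.read(hostcrl))}"
    puts "sync result: #{sync_hostcrl(cacrl, hostcrl)}"
    puts "hostcrl issuer after:  #{crl_issuer(File.read(hostcrl))}"
  end
end
```

Comparing the issuer DN only tells you which CA claims to have issued each CRL; a stricter version of the same check would also verify the on-disk hostcrl's signature against the local cacert's public key before treating it as "ours".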
More details, before turning on the CA-enabled puppetserver (ignore the silly hostnames; they are VMs with names I had left over from years ago):
[root@puppetmaster2dev ~]# puppet config print --section agent server
puppetmaster1stage.me.com
[root@puppetmaster2dev ~]# openssl crl -noout -in /etc/puppetlabs/puppet/ssl/crl.pem -issuer
issuer=/CN=Puppet CA: puppetmaster1.me.com
After turning on the CA-enabled puppetserver:
[root@puppetmaster2dev ~]# openssl crl -noout -in /etc/puppetlabs/puppet/ssl/crl.pem -issuer
issuer=/CN=Puppet CA: puppetmaster2dev.hostopia.com
[root@puppetmaster2dev ~]# puppet agent --onetime --verbose --no-daemonize
Warning: Unable to fetch my node definition, but the agent run will continue:
Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Info: Retrieving pluginfacts
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Info: Retrieving plugin
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Info: Loading facts
Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Warning: Not using cache on failed catalog
Error: Could not retrieve catalog; skipping run
Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
Issue Links
- relates to
  - SERVER-346 More surgical update of hostcrl from cacrl setting (Closed)
  - PUP-2310 Puppet client does not update and does consult the crl during authentication (Resolved)
  - SERVER-85 Consider synchronizing hostcrl with cacrl during startup (Closed)