Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-1181

check if it's valid to sync cacrl to hostcrl before doing so

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Duplicate
    • Affects Version/s: SERVER 2.2.1
    • Fix Version/s: None
    • Labels:
      None
    • Environment:
    • Template:

      Description

      After SERVER-85 puppetserver will sync the cacrl to the hostcrl if CA service is enabled. It is the default that a newly installed puppetserver will provide CA service.

      https://tickets.puppetlabs.com/browse/SERVER-85

      This turned out awkwardly for me because actually my puppet agent was not planning to use the local puppetserver as its CA. Once puppetserver was configured by the puppet agent, the puppet agent could no longer complete an agent run.

      It would be better behaviour to check if the issuer of the on-disk cacrl matched the issuer of the puppet config's ca_server's offered CRL, and if not, do not replace the hostcrl.

      It would be super-better if the agent just used the most up to date CRL from its ca_server. That discussion appears to already be happening over in PUP-2310.

      I am going to mitigate this in puppet by templating bootstrap.cfg and then firing an exec to rm the hostcrl if the file changes. The agent always seems to happily re-download its CRL when the hostcrl is missing.

      More details, before turning on CA-enabled puppetserver (ignore silly hostnames, they are VMs with names I had left over from years ago):

      [root@puppetmaster2dev ~]# puppet config print --section agent server
      puppetmaster1stage.me.com

      [root@puppetmaster2dev ~]# openssl crl -noout -in /etc/puppetlabs/puppet/ssl/crl.pem -issuer
      issuer=/CN=Puppet CA: puppetmaster1.me.com

      After turning on the CA-enabled puppetserver:

      [root@puppetmaster2dev ~]# openssl crl -noout -in /etc/puppetlabs/puppet/ssl/crl.pem -issuer
      issuer=/CN=Puppet CA: puppetmaster2dev.hostopia.com

      [root@puppetmaster2dev ~]# puppet agent --onetime --verbose --no-daemonize
      Warning: Unable to fetch my node definition, but the agent run will continue:
      Warning: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Info: Retrieving pluginfacts
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Error: /File[/opt/puppetlabs/puppet/cache/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Info: Retrieving plugin
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Error: /File[/opt/puppetlabs/puppet/cache/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Info: Loading facts
      Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]
      Warning: Not using cache on failed catalog
      Error: Could not retrieve catalog; skipping run
      Error: Could not send report: SSL_connect returned=1 errno=0 state=error: certificate verify failed: [unable to get certificate CRL for /CN=puppetmaster1stage.me.com]

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                cwood Christopher Wood
              • Votes:
                0 Vote for this issue
                Watchers:
                3 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Zendesk Support