The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
CRLs on nodes other than the CA should occasionally update
Affected Puppet version: 3.0.0
Branch:
Currently, agents cache the CRL file at $ssldir/crl.pem from the CA a single time, and use the cached copy for certificate validation.
This is less than ideal, because clients seem to never update their cached revocation list unless it’s deleted or something else outside of normal operation occurs (correct me if I’m wrong on this?). Probably not too big of a deal for client agents' validation of the master that they’re connecting to – if you revoke a master’s cert, then you probably took the server down and don’t need to worry about the revoked cert being incorrectly treated as valid.
However, this is a potential problem for masters that aren’t the CA; they never get a new CRL even after it’s updated from a revoke, and they’ll happily authenticate client agents (or non-agents that have a cert for API use) whose certs have been long since revoked by the CA master.
Is there a good way to have agents attempt to pull a new CRL every so often (once a day or once a week?), while still being ok with their cached version if they’re unable to complete a re-fetch of a new copy of the CRL? It’s pretty easy to implement a module to update the CRL file occasionally, but this seems like it belongs in the agent code itself.
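As an added sketch of the occasional re-fetch-with-fallback behaviour this ticket asks for (example code written for this page, not part of the ticket or of Puppet's agent code): a stdlib-only Python routine that refreshes a cached CRL at most once per max_age, keeps the cached copy whenever the fetch fails or returns something that is not a PEM CRL, and swaps the file in atomically so readers never see a half-written file. The fetch callable, the cache path and SAMPLE_CRL are assumptions; SAMPLE_CRL is a constructed placeholder rather than a real CRL, and the check is structural only (it does not verify the CRL's signature against the CA cert or its nextUpdate, which needs a real X.509 parser).

```python
"""Occasional CRL refresh for a non-CA node, keeping the cached copy on any failure."""
import base64
import os
import re
import tempfile
import time

# Constructed placeholder: PEM framing around a minimal DER SEQUENCE, NOT a real CRL.
SAMPLE_CRL = b"-----BEGIN X509 CRL-----\nMAMCAQA=\n-----END X509 CRL-----\n"

_PEM_CRL = re.compile(rb"-----BEGIN X509 CRL-----\s*(.+?)\s*-----END X509 CRL-----", re.S)


def looks_like_pem_crl(data: bytes) -> bool:
    """Structural sanity check only: PEM-framed, valid base64, DER starts with SEQUENCE (0x30)."""
    match = _PEM_CRL.search(data)
    if not match:
        return False
    try:
        der = base64.b64decode(b"".join(match.group(1).split()), validate=True)
    except ValueError:          # binascii.Error is a ValueError subclass
        return False
    return len(der) > 2 and der[0] == 0x30


def refresh_crl(fetch, cache_path, max_age=86400, now=None):
    """Re-fetch the CRL if the cache is missing or older than max_age seconds (default: daily).

    fetch: assumed callable returning the CRL as bytes (e.g. a GET against the CA master's
    /certificate_revocation_list endpoint) or raising on any transport error.
    Returns "fresh" (cache recent, nothing done), "updated" (new CRL written) or
    "kept" (fetch failed or returned junk; the cached copy, if any, is left untouched).
    """
    now = time.time() if now is None else now
    if os.path.exists(cache_path) and now - os.path.getmtime(cache_path) < max_age:
        return "fresh"
    try:
        new_crl = fetch()
    except Exception:           # unreachable CA, TLS failure, timeout: fall back to the cache
        return "kept"
    if not looks_like_pem_crl(new_crl):
        return "kept"
    tmp = cache_path + ".tmp"
    with open(tmp, "wb") as fh:
        fh.write(new_crl)
    os.replace(tmp, cache_path)  # atomic swap: a reader sees the old or the new CRL, never a partial one
    return "updated"


def _unreachable():
    raise OSError("CA master unreachable (simulated)")


def demo():
    """Run the refresh logic against a scratch directory; returns the sequence of statuses."""
    path = os.path.join(tempfile.mkdtemp(), "crl.pem")
    statuses = [refresh_crl(lambda: SAMPLE_CRL, path)]      # no cache yet        -> "updated"
    statuses.append(refresh_crl(lambda: b"garbage", path))   # cache is recent      -> "fresh"
    os.utime(path, (0, 0))                                   # age the cache past max_age
    statuses.append(refresh_crl(lambda: b"garbage", path))   # junk from the server -> "kept"
    statuses.append(refresh_crl(_unreachable, path))         # transport error      -> "kept"
    return statuses
```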
I also think it’d be nice to have the ability to set a shorter-than-five-year lifetime on the CRL to force CRL updates, but that’s likely a far more complicated and involved change (might as well just do the OCSP implementation in #10111 at that point, I’m guessing?).
By the way – the default auth.conf could probably stand to be updated to allow non-authenticated requests to /certificate_revocation_list, as the current defaults block clients from getting the CRL when proxying /certificate.* traffic from non-CA masters to the CA master.