The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com

This issue tracker is now in read-only archive mode and automatic ticket export has been disabled. Redmine users will need to create a new JIRA account to file tickets using https://tickets.puppetlabs.com. See the following page for information on filing tickets with JIRA:

Bug #17864

puppet client requests /production/certificate_revocation_list/ca even with certificate_revocation=false

Added by Dustin Mitchell over 3 years ago. Updated about 3 years ago.

Status: Closed
Priority: Normal
Assignee: -
% Done: 0%
Start date:
Due date:
Category: SSL
Target version: 3.2.0
Affected Puppet version: 3.0.2
Branch: https://github.com/puppetlabs/puppet/pull/1504
Keywords: configuration settings certificate_revocation


Description

From puppet.conf:

[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet
# don't check the master's CRL; see
#   https://projects.puppetlabs.com/issues/14550
# for why this doesn't work with chained certs
certificate_revocation = false

yet, in the Apache logs,

10.12.130.18 - - [29/Nov/2012:13:15:02 -0800] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 404 45 "-" "-"

which was harmless enough until #4680 landed; now this request causes a failure.

The client is 2.7.17, because 2.7.18 and up suffer from #15561, overly-broad certificate name rejections. So this may have been fixed in newer clients.
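As an added illustration (not part of the original report or of Puppet's own code), the Ruby snippet below builds a throwaway CA, agent certificate and CRL in memory and mirrors the intended logic of the host.rb store setup: the CRL lookup, represented here by a hypothetical fetch_crl callable standing in for the indirection request the agent makes over HTTP, happens only when certificate_revocation is true, and the OpenSSL V_FLAG_CRL_CHECK flags are what make a revoked agent certificate fail verification. All names, keys and the fetch counter are constructed for the example.

```ruby
require 'openssl'

# Build a tiny throwaway PKI in memory: a CA, one agent (leaf) certificate,
# and a CRL that revokes that leaf. Everything here is constructed for the
# example; nothing is read from disk or from a Puppet master.
def build_test_pki
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = OpenSSL::X509::Certificate.new
  ca.version = 2
  ca.serial = 1
  ca.subject = OpenSSL::X509::Name.parse('/CN=example-test-ca')
  ca.issuer = ca.subject
  ca.public_key = ca_key.public_key
  ca.not_before = Time.now - 60
  ca.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(ca, ca)
  ca.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  ca.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  ca.sign(ca_key, OpenSSL::Digest::SHA256.new)

  leaf_key = OpenSSL::PKey::RSA.new(2048)
  leaf = OpenSSL::X509::Certificate.new
  leaf.version = 2
  leaf.serial = 2
  leaf.subject = OpenSSL::X509::Name.parse('/CN=agent.example.test')
  leaf.issuer = ca.subject
  leaf.public_key = leaf_key.public_key
  leaf.not_before = Time.now - 60
  leaf.not_after = Time.now + 3600
  ef_leaf = OpenSSL::X509::ExtensionFactory.new(ca, leaf)
  leaf.add_extension(ef_leaf.create_extension('basicConstraints', 'CA:FALSE', true))
  leaf.sign(ca_key, OpenSSL::Digest::SHA256.new)

  # A CRL signed by the CA that lists the agent certificate as revoked.
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked = OpenSSL::X509::Revoked.new
  revoked.serial = leaf.serial
  revoked.time = Time.now - 30
  crl.add_revoked(revoked)
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)

  { ca: ca, leaf: leaf, crl: crl }
end

# Mirror the intended store setup: the CRL source is consulted only when
# revocation checking is enabled. fetch_crl is a hypothetical callable that
# stands in for the indirection lookup the agent would perform over HTTP.
def build_ssl_store(ca_cert, certificate_revocation, fetch_crl)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca_cert)
  if certificate_revocation
    if (crl = fetch_crl.call)
      store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK
      store.add_crl(crl)
    end
  end
  store
end

# Returns [number_of_crl_fetches, verified?, error_string] for one setting value,
# so both the request behaviour and the verification outcome are observable.
def check_agent_cert(pki, certificate_revocation)
  fetches = 0
  fetch_crl = lambda { fetches += 1; pki[:crl] }
  store = build_ssl_store(pki[:ca], certificate_revocation, fetch_crl)
  ok = store.verify(pki[:leaf])
  [fetches, ok, store.error_string]
end

if __FILE__ == $0
  pki = build_test_pki
  [false, true].each do |setting|
    fetches, ok, err = check_agent_cert(pki, setting)
    puts "certificate_revocation=#{setting}: CRL fetches=#{fetches}, verified=#{ok} (#{err})"
  end
end
```

With the setting false the CRL source is never called and the (revoked) agent certificate still verifies, which is exactly the trade-off the puppet.conf comment above accepts; with the setting true the single fetch happens and verification fails with a revocation error.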


Related issues

Related to Puppet - Bug #4680: agent will never resend a certificate request, preventing... Closed 09/01/2010
Duplicated by Puppet - Bug #17880: When master is not a CA Duplicate

History

#1 Updated by Yuri Arabadji over 3 years ago

What if you set hostcrl to the CRL issued by the CA? I have #17880, which is probably related to this one.

#2 Updated by Dustin Mitchell over 3 years ago

Setting hostcrl seems to have no effect.

#3 Updated by Dustin Mitchell over 3 years ago

  • Affected Puppet version set to 3.0.2

Still the case in 3.0.2 on the client.

#4 Updated by Dustin Mitchell over 3 years ago

The following patch against 3.0.2 fixes this for me:

diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 2242873..d8d8b30 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -258,9 +258,11 @@ ERROR_STRING
    @ssl_store.add_file(Puppet[:localcacert])

    # If there's a CRL, add it to our store.
-      if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
-        @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
-        @ssl_store.add_crl(crl.content)
+      if Puppet.settings[:certificate_revocation]
+        if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
+          @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+          @ssl_store.add_crl(crl.content)
+        end
    end
    return @ssl_store
    end
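Review bot: When certificate_revocation is true but the lookup at `if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)` returns nil, the inner branch is skipped and `return @ssl_store` hands back a store with neither the CRL nor the V_FLAG_CRL_CHECK flags, so verification silently proceeds without revocation checking even though the operator asked for it; consider logging a warning or failing in that case instead of falling through. The nesting itself is right: the fetch now sits inside the settings check, so a disabled setting no longer triggers the certificate_revocation_list request seen in the Apache log, and a spec covering the false path (no indirection call, no CRL flags) would pin that down in the pull request.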

I'll make a pull request if it will be accepted.

#5 Updated by Charlie Sharpsteen about 3 years ago

  • Category set to SSL
  • Keywords set to configuration settings certificate_revocation

Hi Dustin,

I have been able to reproduce this using our current development version (4b40119). Your patch appears to enforce the intended behavior of the code and a pull request would be much appreciated!

Thanks a bunch for taking the time to report this problem and write a patch.

#6 Updated by Dustin Mitchell about 3 years ago

  • Status changed from Unreviewed to In Topic Branch Pending Review
  • Branch set to https://github.com/puppetlabs/puppet/pull/1498

#7 Updated by Anonymous about 3 years ago

  • Status changed from In Topic Branch Pending Review to Accepted

#8 Updated by Dustin Mitchell about 3 years ago

  • Branch changed from https://github.com/puppetlabs/puppet/pull/1498 to https://github.com/puppetlabs/puppet/pull/1504

New pull request posted, with tests and everything.

#9 Updated by Adrien Thebo about 3 years ago

  • Status changed from Accepted to Merged - Pending Release
  • Target version set to 3.2.0

Merged into master as bea1d01.

This should be released in 3.2.0.

Thanks again for the contribution!

-Adrien

#10 Updated by Matthaus Owens about 3 years ago

  • Status changed from Merged - Pending Release to Closed

Released in Puppet 3.2.0-rc1

#11 Updated by Matthaus Owens about 3 years ago

Released in Puppet 3.2.0-rc1
