The Puppet Labs Issue Tracker has Moved: https://tickets.puppetlabs.com
puppet client requests /production/certificate_revocation_list/ca even with certificate_revocation=false
|Affected Puppet version:||3.0.2||Branch:||https://github.com/puppetlabs/puppet/pull/1504|
|Keywords:||configuration settings certificate_revocation|
[agent]
classfile = $vardir/classes.txt
localconfig = $vardir/localconfig
server = puppet
# don't check the master's CRL; see
# https://projects.puppetlabs.com/issues/14550
# for why this doesn't work with chained certs
certificate_revocation = false
yet, in the Apache logs,
10.12.130.18 - - [29/Nov/2012:13:15:02 -0800] "GET /production/certificate_revocation_list/ca? HTTP/1.1" 404 45 "-" "-"
which was harmless enough until #4680 landed; now this request causes a failure.
The client is 2.7.17, because 2.7.18 and up suffer from #15561, overly-broad certificate name rejections. So this may have been fixed in newer clients.
#4 Updated by Dustin Mitchell over 3 years ago
The following patch against 3.0.2 fixes this for me:
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb index 2242873..d8d8b30 100644 --- a/lib/puppet/ssl/host.rb +++ b/lib/puppet/ssl/host.rb @@ -258,9 +258,11 @@ ERROR_STRING @ssl_store.add_file(Puppet[:localcacert]) # If there's a CRL, add it to our store. - if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME) - @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation] - @ssl_store.add_crl(crl.content) + if Puppet.settings[:certificate_revocation] + if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME) + @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK + @ssl_store.add_crl(crl.content) + end end return @ssl_store end
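Review bot: the comment "# If there's a CRL, add it to our store." left above the new outer `if Puppet.settings[:certificate_revocation]` no longer describes the condition; reword it to say the CRL is looked up only when certificate_revocation is enabled, since skipping the `indirection.find(CA_NAME)` call is the point of the change. In the inner branch, when the setting is true and `find` returns nil, the store flags are never set and verification continues without revocation checks, so consider logging that case. The diff touches only lib/puppet/ssl/host.rb; a spec asserting that `CertificateRevocationList.indirection.find` is not called when the setting is false would keep this from regressing.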
I’ll make a pull request if it will be accepted.
#5 Updated by Charlie Sharpsteen about 3 years ago
- Category set to SSL
- Keywords set to configuration settings certificate_revocation
I have been able to reproduce this using our current development version (4b40119). Your patch appears to enforce the intended behavior of the code and a pull request would be much appreciated!
Thanks a bunch for taking the time to report this problem and write a patch.
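What the flags and add_crl calls in the patch do on their own, as an added Ruby example (not Puppet's code and not part of the ticket): it builds a constructed CA, leaf certificate and CRL, then verifies the revoked leaf under the four combinations of CRL loaded or not and check flags set or not. All names, serials and helper functions here are made up for the illustration.

```ruby
require 'openssl'
# Constructed test PKI: all names, serials and keys below are made up.
def make_cert(cn, key, serial, issuer = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', 'CA:TRUE', true)) if ca
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

def make_crl(ca, ca_key, revoked_serial)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  entry = OpenSSL::X509::Revoked.new
  entry.serial = revoked_serial
  entry.time = Time.now - 30
  crl.add_revoked(entry)
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Uses the same flags and add_crl calls as the patch; returns [verified?, OpenSSL error code].
def check(ca, leaf, crl: nil, flags: false)
  store = OpenSSL::X509::Store.new
  store.add_cert(ca)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL | OpenSSL::X509::V_FLAG_CRL_CHECK if flags
  store.add_crl(crl) if crl
  [store.verify(leaf), store.error]
end

def scenarios
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Constructed Test CA', ca_key, 1, ca: true)
  leaf = make_cert('agent.example.test', OpenSSL::PKey::RSA.new(2048), 2, ca, ca_key)
  crl = make_crl(ca, ca_key, 2) # revokes the leaf
  { crl_added_flags_off: check(ca, leaf, crl: crl),            # pre-patch, setting false
    no_crl_flags_off:    check(ca, leaf),                      # patched, setting false
    crl_added_flags_on:  check(ca, leaf, crl: crl, flags: true),
    no_crl_flags_on:     check(ca, leaf, flags: true) }
end

p scenarios if $PROGRAM_NAME == __FILE__
```

The first two results are identical, so with the flags off a fetched CRL is never consulted; the last shows that OpenSSL rejects the peer when the flags are set without a CRL, a case the patched code sidesteps by setting the flags only once a CRL has been found.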