Hi all,

I've a second puppet server (test) where I copied ONLY ca* from the prod server. This server is running 2.6.1 + mongrel with SSLVerifyClient optional.

I have 2 strange behaviours which I'd like to comment with some expert user.

1.-) I'm running new clients against this "new" server, they request the sign, and then I can sign the client from master:

Client# puppetd --server ser01-test.pic.es --test
info: Creating a new SSL key for tditaller013.pic.es
warning: peer certificate won't be verified in this SSL session
info: Caching certificate for ca
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
info: Creating a new SSL certificate request for client.pic.es
info: Certificate Request fingerprint (md5): 6E:F9:CC:81:72:F1:E8:51:CE:BD:97:67:19:9B:6C:22
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
warning: peer certificate won't be verified in this SSL session
Exiting; no certificate found and waitforcert is disabled

server# puppetca --list
client.pic.es
# puppetca --sign client.pic.es
notice: Signed certificate request for client.pic.es
notice: Removing file Puppet::SSL::CertificateRequest client.pic.es at '/var/lib/puppet/ssl/ca/requests/client.pic.es.pem'

That's fine. But when I run an "old" client, which already has the ca from the prod server (which is the same as the test one), it runs with no problem:

Old-client# puppetd --server ser01-test.pic.es --test
info: Caching catalog at /var/lib/puppet/localconfig.yaml
notice: Starting catalog run
notice: Finished catalog run in 0.29 seconds

And I can't see it at server side:

# puppetca --list --all
+ test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
+ client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)

*notice old-client is not listed.

So, it seems that old clients are attached to the test server and cert security is not considered.

I can clean its cert, but nothing happens:

# puppetca --clean oldclient.pic.es
notice: Revoked certificate with serial 1781

2.-) If I revoke (clean) a cert of a client, the cert is revoked but the client is able to run against the server:

Server:

# puppetca --list --all
+ test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
+ client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)

# puppetca --clean client.pic.es
notice: Revoked certificate with serial 2008
notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/certs/client.pic.es.pem'

client:

# puppetd --server ser01-test.pic.es --test
info: Caching catalog for client.pic.es
info: Applying configuration version '1285678851'
notice: Finished catalog run in 0.01 seconds

Is it a desired behaviour? If yes, how may I revoke certs so clients can't connect to master again?

TIA,
Arnau

--
You received this message because you are subscribed to the Google Groups "Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
On 28/09/10 15:26, Arnau Bria wrote:
> Hi all,
>
> I've a second puppet server (test) where I copied ONLY ca* from prod
> server. This server is running 2.6.1 + mongrel with SSLVerifyClient
> optional.
>
> I have 2 strange behaviours which I'd like to comment with some expert
> user.
>
> 1.-)
> I'm running new clients against this "new" server, they request
> the sign, and then I can sign the client from master:
> [snipped]
> that's fine.

That's normal behaviour.

> But when I run an "old" client, which already has the ca from the prod server
> (which is the same as the test one), it runs with no problem:

This is normal too. The client knows the CA, it can validate the new master server certificate. The reverse is also true, the server can validate the client cert because it was signed by the same CA certificate (and it is not in the CRL).

> Old-client# puppetd --server ser01-test.pic.es --test
> info: Caching catalog at /var/lib/puppet/localconfig.yaml
> notice: Starting catalog run
> notice: Finished catalog run in 0.29 seconds
>
> And I can't see it at server side:
> # puppetca --list --all
> + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
>
> *notice old-client is not listed.

This is also normal. The client certificates *don't* need to be listed to be validated and the communication to be secure. The client cert is "cached" on the master when signing it, but it doesn't have to be.

> So, it seems that old clients are attached to the test server and cert
> security is not considered.

It is considered and security is enforced even when the certificate is not present on the master.

> I can clean its cert, but nothing happens:
>
> # puppetca --clean oldclient.pic.es
> notice: Revoked certificate with serial 1781

Your certificate for oldclient is now revoked on *the test master*. It isn't revoked on your production master.

> 2.-) If I revoke (clean) a cert of a client, the cert is revoked but the
> client is able to run against the server:
>
> Server:
>
> # puppetca --list --all
> + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
>
> # puppetca --clean client.pic.es
> notice: Revoked certificate with serial 2008
> notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
> notice: Removing file Puppet::SSL::Certificate client.pic.es at '/var/lib/puppet/ssl/certs/client.pic.es.pem'
>
> client:
> # puppetd --server ser01-test.pic.es --test
> info: Caching catalog for client.pic.es
> info: Applying configuration version '1285678851'
> notice: Finished catalog run in 0.01 seconds
>
>
> Is it a desired behaviour? If yes, how may I revoke certs so clients
> can't connect to master again?

It shouldn't. Check your nginx/apache configuration, it should have the necessary statements to check the crl. For instance on my nginx master:

ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;

You also need a nginx version that supports the CRL (ie >= 0.7.64)

--
Brice Figureau
My Blog: http://www.masterzen.fr/
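Brice's point above, that the web front end in front of the master and not the Puppet CA is what enforces revocation, can be reproduced with plain openssl. The script below is an added example, not code from the thread or from Puppet: it builds a throwaway CA in a temporary directory, signs a client.pic.es cert, revokes it and publishes a CRL, then verifies that cert the two ways a front end might, chain only (an nginx with no ssl_crl line) and chain plus CRL. The CA name, serial, file names and the temp directory are all constructed for the demo.

```shell
# Added example (not from the thread): a throwaway CA in a temp dir shows
# why a revoked cert still passes when the front end never reads ca_crl.pem.

# check_client CA_CRT CA_CRL CLIENT_CRT MODE -> prints accepted|rejected.
# "no-crl" mirrors a front end that only validates the chain (nginx
# without ssl_crl); "with-crl" mirrors one that also consults the CRL.
check_client() {
    if [ "$4" = with-crl ]; then
        openssl verify -crl_check -CAfile "$1" -CRLfile "$2" "$3" >/dev/null 2>&1 && echo accepted || echo rejected
    else
        openssl verify -CAfile "$1" "$3" >/dev/null 2>&1 && echo accepted || echo rejected
    fi
}

# make_demo_ca DIR: build a throwaway CA, sign client.pic.es, revoke it
# and publish the CRL (the step puppetca --clean performs on ca_crl.pem).
make_demo_ca() {
    dir=$1
    mkdir -p "$dir/newcerts"; : > "$dir/index.txt"; echo 1000 > "$dir/serial"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca_crt.pem
private_key = \$dir/ca_key.pem
default_md = sha256
default_days = 365
default_crl_days = 30
policy = anything
[ anything ]
commonName = supplied
[ req ]
distinguished_name = req_dn
x509_extensions = v3_ca
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = CA:TRUE
keyUsage = keyCertSign, cRLSign
EOF
    openssl req -config "$dir/ca.cnf" -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Demo Puppet CA" -keyout "$dir/ca_key.pem" -out "$dir/ca_crt.pem" 2>/dev/null
    openssl req -config "$dir/ca.cnf" -new -newkey rsa:2048 -nodes -subj "/CN=client.pic.es" -keyout "$dir/client_key.pem" -out "$dir/client.csr" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -batch -notext -in "$dir/client.csr" -out "$dir/client_crt.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -revoke "$dir/client_crt.pem" 2>/dev/null
    openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/ca_crl.pem" 2>/dev/null
}
```

After sourcing the file, `d=$(mktemp -d); make_demo_ca "$d"; check_client "$d/ca_crt.pem" "$d/ca_crl.pem" "$d/client_crt.pem" with-crl` prints rejected, while the same call with no-crl prints accepted, which is exactly the symptom in the thread.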
On Sun, 03 Oct 2010 11:54:45 +0200 Brice Figureau wrote:

[...]

> > But when I run an "old" client, which already has the ca from the prod
> > server (which is the same as the test one), it runs with no problem:
>
> This is normal too. The client knows the CA, it can validate the new
> master server certificate. The reverse is also true, the server can
> validate the client cert because it was signed by the same CA
> certificate (and it is not in the CRL).

Ok, it's not in the CRL. Missed that.

[...] thanks for the rest of the explanation.

> > 2.-) If I revoke (clean) a cert of a client, the cert is revoked but the
> > client is able to run against the server:
> >
> > Server:
> >
> > # puppetca --list --all
> > + test.pic.es (BB:1A:38:12:F8:83:EF:C6:D6:93:C2:1E:EB:FD:E2:89)
> > + client.pic.es (87:08:04:8F:9B:CE:17:F6:1A:56:15:90:15:72:92:09)
> >
> > # puppetca --clean client.pic.es
> > notice: Revoked certificate with serial 2008
> > notice: Removing file Puppet::SSL::Certificate client.pic.es at
> > '/var/lib/puppet/ssl/ca/signed/client.pic.es.pem'
> > notice: Removing file Puppet::SSL::Certificate client.pic.es at
> > '/var/lib/puppet/ssl/certs/client.pic.es.pem'
> >
> > client:
> > # puppetd --server ser01-test.pic.es --test
> > info: Caching catalog for client.pic.es
> > info: Applying configuration version '1285678851'
> > notice: Finished catalog run in 0.01 seconds
> >
> >
> > Is it a desired behaviour? If yes, how may I revoke certs so clients
> > can't connect to master again?
>
> It shouldn't. Check your nginx/apache configuration, it should have
> the necessary statements to check the crl.
> For instance on my nginx master:
> ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
>
> You also need a nginx version that supports the CRL (ie >= 0.7.64)

Will do, thanks for your reply,
Arnau