Gonzalo Servat
2012-Jan-10 01:11 UTC
[Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
Hi All,

As per the subject, "puppet cert list --all" is showing a heap of revoked certificates, even though they're not actually revoked. I can go on any of the revoked clients' host and trigger a Puppet run, and it'll work fine.

The only reason why they appear revoked is because the systems were re-installed, so I've issued a puppetca --clean <host> and signed the new certificate, and it immediately appears as revoked (even though it's not).

Any ideas?

Thanks
Gonzalo

-- 
You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Jo Rhett
2012-Jan-10 01:18 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
The previous certificate was revoked, and the new one was signed. So what you are seeing is true…

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Gonzalo Servat
2012-Jan-10 01:26 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
Thanks for your reply.

I was expecting to see something like:

  + host (good fingerprint here)
  - host (revoked fingerprint here) (certificate revoked)

... but instead I just see the second line. I guess I just find it a bit confusing.

- Gonzalo
Jo Rhett
2012-Jan-10 02:14 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
I agree. I would open a bug report :)

-- 
Jo Rhett
Net Consonance : consonant endings by net philanthropy, open source and other randomness
Gonzalo Servat
2012-Jan-10 02:54 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
Done :)

https://projects.puppetlabs.com/issues/11854
Nan Liu
2012-Jan-10 04:17 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
I couldn't really reproduce it. I would check your CRL revocation and match it with your certificate serial number in puppet cert -p <certname>.

  openssl crl -in /etc/puppetlabs/puppet/ssl/ca/ca_crl.pem -noout -text
  Certificate Revocation List (CRL):
  ...
  Revoked Certificates:
      Serial Number: 0A
      ...
      Serial Number: 0C
      ...

  puppet cert -p demo.puppetlabs.lan
  ...
      Serial Number: 13 (0xd)

If these numbers match, it's revoked. And if your puppet master is still accepting agents with revoked certs, it might be a CRL misconfiguration. It's easy to tell if you resigned a cert by looking at inventory.txt (because the same CN will show up twice):

  cat /etc/puppetlabs/puppet/ssl/ca/inventory.txt
  ...
  0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
  0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan

With all the info above, you should be able to tell 0xc is revoked, the server currently has 0xd which is still valid, and puppet cert -la should show + demo.puppetlabs.lan.

Thanks,

Nan
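As an added example (not code from the thread or from Puppet itself), a Python script that automates Nan's check on constructed samples of the three outputs he quotes: the openssl crl -text listing, the serial line from puppet cert -p, and inventory.txt. It normalises the three serial notations (bare hex, decimal with hex in parentheses, 0x-prefixed hex) to integers and reports, per CN, whether the newest serial is on the CRL and whether a superseded serial was left unrevoked; host names, dates and file contents are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `openssl crl -in ca_crl.pem -noout -text`; serials are bare hex.
CRL_TEXT = """Certificate Revocation List (CRL):
        Issuer: /CN=Puppet CA: puppet.example.lan
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Dec 13 21:50:00 2011 GMT
    Serial Number: 0C
        Revocation Date: Dec 13 21:58:50 2011 GMT
"""

# Constructed sample of /etc/puppetlabs/puppet/ssl/ca/inventory.txt (hex serial,
# not-before, not-after, subject). A CN listed twice has been re-signed.
INVENTORY = """0x000a 2011-12-01T10:00:00GMT 2016-11-30T10:00:00GMT /CN=web1.example.lan
0x000b 2011-12-02T10:00:00GMT 2016-12-01T10:00:00GMT /CN=db1.example.lan
0x000c 2011-12-13T21:58:43GMT 2016-12-12T21:58:43GMT /CN=demo.puppetlabs.lan
0x000d 2011-12-13T21:58:55GMT 2016-12-12T21:58:55GMT /CN=demo.puppetlabs.lan
0x000e 2011-12-14T09:00:00GMT 2016-12-13T09:00:00GMT /CN=db1.example.lan
"""

# Constructed sample of the serial line from `puppet cert -p <certname>`: decimal, then hex.
CERT_PRINT = "        Serial Number: 13 (0xd)"

def parse_crl_serials(text):
    """Set of serials (as ints) listed under Revoked Certificates."""
    pat = re.compile(r"^\s*Serial Number:\s*([0-9A-Fa-f]+)\s*$", re.M)
    return {int(s, 16) for s in pat.findall(text)}

def parse_cert_serial(text):
    """Serial from a 'Serial Number: 13 (0xd)' line, checked for consistency."""
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x([0-9A-Fa-f]+)\)", text)
    if not m or int(m.group(1)) != int(m.group(2), 16):
        raise ValueError("unrecognised or inconsistent serial line")
    return int(m.group(1))

def parse_inventory(text):
    """Map each CN to every serial the CA has issued for it, in file order."""
    issued = defaultdict(list)
    for line in text.splitlines():
        if line.strip():
            serial, _not_before, _not_after, subject = line.split()
            issued[subject.split("/CN=")[1]].append(int(serial, 16))
    return issued

def audit(issued, revoked):
    """Per CN: newest serial (what the agent should hold), whether it is on
    the CRL, and superseded serials that were never revoked (a CA defect)."""
    report = {}
    for cn, serials in issued.items():
        current = max(serials)
        report[cn] = {
            "current": current,
            "current_revoked": current in revoked,
            "stale_unrevoked": sorted(s for s in serials
                                      if s != current and s not in revoked),
        }
    return report

def list_lines(issued, revoked):
    """Lines in the spirit of 'puppet cert -la': '-' if the current serial is revoked."""
    return [f"{'-' if r['current_revoked'] else '+'} {cn} (0x{r['current']:x})"
            for cn, r in sorted(audit(issued, revoked).items())]
```

In the sample data demo.puppetlabs.lan comes out as "+" because only its superseded 0x0c is on the CRL, while db1's older 0x0b was never revoked and is flagged as stale.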
Gonzalo Servat
2012-Jan-10 05:21 UTC
Re: [Puppet Users] puppet cert list --all shows revoked certificates even though they're not?
Thanks for your reply, Nan.

I had a look at the ca_crl.pem and the "puppet cert -p <host>" output, and the serial number for the host is not listed in the revoked certificates list in ca_crl.pem, yet puppet cert -la shows the certificate as revoked for the host?

- Gonzalo