Chip Schweiss
2012-Apr-13 18:40 UTC
[Puppet Users] New CA, why do clients with old certs still work?
I'm in the process of scaling my puppet master to two servers with a separate CA. My plan was to establish a new CA and reissue certificates. Part way through the process I noticed a behavior that seems a bit alarming.

With one of my clients pointing to the new CA and new Puppetmaster but with the old certificate I ran a 'puppetd --test --server puppet01.mydomain'

I was expecting it to fail validation and then regenerate the client certificate. However it ran without error.

Thinking maybe it's still hitting the original CA, I backed up and wiped the ssl dir on the puppetmaster and restarted the puppetmaster to generate a new CA. The client still works. There are no signed certificates for this client on either puppetmaster or CA now and it still runs.

Am I missing something about how the puppetmaster decides it's okay to talk to a client, or is all the security simply on the client side, and the puppetmaster trusts any puppet client?

-- You received this message because you are subscribed to the Google Groups "Puppet Users" group. To post to this group, send email to puppet-users@googlegroups.com. To unsubscribe from this group, send email to puppet-users+unsubscribe@googlegroups.com. For more options, visit this group at http://groups.google.com/group/puppet-users?hl=en.
Nigel Kersten
2012-Apr-15 23:51 UTC
Re: [Puppet Users] New CA, why do clients with old certs still work?
On Fri, Apr 13, 2012 at 11:40 AM, Chip Schweiss <chip.schweiss@gmail.com> wrote:

> I'm in the process of scaling my puppet master to two servers with a
> separate CA. My plan was to establish a new CA and reissue
> certificates. Part way through the process I noticed a behavior that
> seems a bit alarming.
>
> With one of my clients pointing to the new CA and new Puppetmaster but
> with the old certificate I ran a 'puppetd --test --server
> puppet01.mydomain'
>
> I was expecting it to fail validation and then regenerate the client
> certificate. However it ran without error.
>
> Thinking maybe it's still hitting the original CA, I backed up and wiped
> the ssl dir on the puppetmaster and restarted the puppetmaster to generate a
> new CA. The client still works. There are no signed certificates for
> this client on either puppetmaster or CA now and it still runs.

Are you sure you're wiping the SSL dir that is actually in use? The master isn't being started with --no-ca and you have another CA with autosign on?

> Am I missing something about how the puppetmaster decides it's okay to
> talk to a client, or is all the security simply on the client side, and the
> puppetmaster trusts any puppet client?

The agent and master need certs signed by the same CA. Are you positive this wasn't the case? What puppet version?
jcbollinger
2012-Apr-16 13:53 UTC
[Puppet Users] Re: New CA, why do clients with old certs still work?
On Apr 13, 1:40 pm, Chip Schweiss <chip.schwe...@gmail.com> wrote:

> I'm in the process of scaling my puppet master to two servers with a
> separate CA. My plan was to establish a new CA and reissue
> certificates. Part way through the process I noticed a behavior that
> seems a bit alarming.
>
> With one of my clients pointing to the new CA and new Puppetmaster but with
> the old certificate I ran a 'puppetd --test --server puppet01.mydomain'
>
> I was expecting it to fail validation and then regenerate the client
> certificate. However it ran without error.
>
> Thinking maybe it's still hitting the original CA, I backed up and wiped the
> ssl dir on the puppetmaster and restarted the puppetmaster to generate a new
> CA. The client still works. There are no signed certificates for this
> client on either puppetmaster or CA now and it still runs.
>
> Am I missing something about how the puppetmaster decides it's okay to talk
> to a client, or is all the security simply on the client side, and the
> puppetmaster trusts any puppet client?

I'm a bit confused about what you mean by the client "pointing to the new CA" and Puppet "hitting the original CA". The CA is only involved in signing certificates. It is not actively involved in verifying certificates (though verifiers do use the CA's certificate). Admittedly, that distinction can be somewhat muddy when the Puppetmaster serves as its own CA, but it more-or-less still holds.

If your client already has a valid certificate, regardless of which CA signed it, then that is the certificate it will present. If the master can verify that certificate then it will accept the client. If you want the master to reject certificates signed by the old CA, then you must configure it so that it does not trust that CA. Even better, also revoke all the certificates signed by the old CA and install the corresponding CRL in the master.

John
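The verification model John describes, as an added example that is not part of the thread: an agent certificate signed by the old CA is accepted by anything that still trusts the old CA certificate and rejected by a verifier that only trusts the new one. The CA names, the agent name and the throwaway keys are all constructed here for the demonstration; it uses plain openssl rather than Puppet's own ssl tooling.

```shell
#!/bin/sh
# Constructed demo: two independent CAs, one agent cert, two trust stores.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Two self-signed CAs (throwaway keys, 1-day validity)
openssl req -x509 -newkey rsa:2048 -nodes -keyout old_ca.key -out old_ca.pem \
  -subj "/CN=Puppet CA: old" -days 1 >/dev/null 2>&1
openssl req -x509 -newkey rsa:2048 -nodes -keyout new_ca.key -out new_ca.pem \
  -subj "/CN=Puppet CA: new" -days 1 >/dev/null 2>&1

# Agent key + CSR, signed by the OLD CA: this stands in for "the old certificate"
openssl req -newkey rsa:2048 -nodes -keyout agent.key -out agent.csr \
  -subj "/CN=agent.mydomain" >/dev/null 2>&1
openssl x509 -req -in agent.csr -CA old_ca.pem -CAkey old_ca.key \
  -CAcreateserial -out agent.pem -days 1 >/dev/null 2>&1

# verify_agent TRUSTED_CA_CERT AGENT_CERT
# Mirrors what a master does with an agent cert: chain it to the CA cert it
# has been configured to trust. Prints "accept" or "reject".
verify_agent() {
  if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
    echo accept
  else
    echo reject
  fi
}

# A master still trusting the old CA accepts the agent; one trusting only
# the new CA rejects it. Only the trust store changed, not the agent cert.
echo "old CA trusted: $(verify_agent old_ca.pem agent.pem)"
echo "new CA trusted: $(verify_agent new_ca.pem agent.pem)"
```

Swapping the CA certificate the verifier is given is the "configure it so that it does not trust that CA" step; revoking the old certificates and checking the CRL (openssl verify -crl_check -CRLfile) is the additional step John recommends and is not shown here.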