Puppet

I my tests puppet client never updates it’s /var/lib/puppet/ssl/ca/ca_crl.pem from the master even if I delete it – it is not fetched from master then client runs.

Another issue is that puppet client does not consult the crl – after revoking cert of node dev2.internal on master – and manually copying /var/lib/puppet/ssl/ca/{ca_crl.pem,inventory.txt} to client mon1a.internal and restarting the client to make sure it can pickup the crl changes – I was still able to trigger client puppet run on mon1a.internal from dev2.internal.

It looks like puppet – client does not take the crl into consideration then authenticating.

The relevant config on mon1a.internal is

 # allow all authenticated nodes to trigger puppet run
path /run
method save
auth yes
allow *

this ACL comes first in the auth.conf file

And this is the command I used to triger puppet run from dev2.internal

 curl --cert /var/lib/puppet/ssl/certs/dev2.internal.pem --key  /var/lib/puppet/ssl/private_keys/dev2.internal.pem --cacert /var/lib/puppet/ssl/certH "Content-Type: text/pson" -d "{}" https://mon1a.internal:8139/production/run/dev2.internal

Could these problems be taken care of?

Thanks Alex

Ed- description from #9205 which is closely related included

We came across this in a weird way. Last night we reissued the CA certificate, which had expired. We then reissued the puppetmaster and puppetca certificate (which we had to do for RHEL4 and RHEL5 but all other systems were happy without this step). We then noticed on RHEL4 and RHEL5 that they were still complaining about cert validation, but ONLY for getting plugins and sending the report (it got a catalog and was able to get files for modules, etc, just fine). We did an strace and found this was the only times it was trying to get a CRL (and was failing). Why is this the only time the CRL was in play?