How to download CRL?

asked 2014-10-30 17:33:58 -0600

Joseph Carlos

updated 2014-10-31 09:37:33 -0600

I am trying to get a copy of the current CRL onto my PuppetMasters. The command I run on the PuppetMasters to accomplish this is:

puppet certificate_revocation_list find crl

I get a CRL but it is not the correct CRL. Note that the Puppet CA is on its own server, not on any PuppetMaster. What am I doing wrong?

UPDATE. Following cbarbour's suggestion, I tried this:

puppet certificate_revocation_list --debug --ca_port=8141 find crl --terminus rest

This does not give me an error, but nothing is output, either. Looking at the Apache log on the Puppet CA server, I see this entry:

GET /production/certificate_revocation_list/crl? HTTP/1.1" 404

which seems to imply that the Puppet CA service could not find what I am asking for.

Does your master have the correct ca_server enabled in the main block of puppet.conf? Try passing the `--ca_server=whatever` argument to certificate_revocation_list.

cbarbour (2014-10-30 18:29:47 -0600)

2 Answers

answered 2014-11-03 10:56:12 -0600

joshc

Since you are running the puppet certificate_revocation_list command on a host that is not the CA, you need to specify --terminus rest as you are doing. But you need to request the CRL whose name is ca, not crl, so the following should work:

puppet certificate_revocation_list --debug --ca_port=8141 find ca --terminus rest

Give this solution a try. I tested my solution on a vagrant box that was both a master and a CA. Please let us know if it works.

cbarbour (2014-11-03 13:23:10 -0600)

This works. It did not work before because, for reasons hidden in the past, the CRL pem file was being renamed to hide it from the Puppet CA.

Joseph Carlos (2014-11-04 12:17:22 -0600)
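The same fetch done without the puppet CLI, as an added example that is not part of the thread: it requests the CRL named `ca` from the ca_server's REST endpoint (the 404 in the question came from asking for `crl`), refuses to install anything that does not parse as a CRL signed by the CA cert the master already trusts, and only then writes it to `hostcrl`. Assumptions: Puppet 3's `/:environment/certificate_revocation_list/ca` path with `Accept: s`, port 8141, environment `production`, and `curl`/`openssl` on the master.

```shell
#!/bin/sh
# Added example, not code from the original thread.
# Assumed Puppet 3 REST layout: https://<ca_server>:8141/<env>/certificate_revocation_list/ca

# Build the REST URL. The resource name is "ca", not "crl".
crl_url() {
    # $1 ca_server, $2 port, $3 environment
    printf 'https://%s:%s/%s/certificate_revocation_list/ca' "$1" "$2" "$3"
}

# Download the CRL, pinning the CA cert so we only talk to our own CA.
# "Accept: s" asks the Puppet 3 API for the raw PEM (assumed header).
fetch_crl() {
    # $1 url, $2 localcacert path, $3 output file
    curl -sSf --cacert "$2" -H 'Accept: s' -o "$3" "$1"
}

# Returns 0 only if the file parses as a CRL AND its signature verifies
# against the given CA cert; a truncated, tampered or foreign CRL is rejected.
verify_crl() {
    # $1 crl file, $2 CA cert file
    openssl crl -in "$1" -noout >/dev/null 2>&1 || return 1
    openssl crl -in "$1" -CAfile "$2" -noout 2>&1 | grep -q 'verify OK'
}

# Issuer DN of the CRL, so the operator can see which CA produced it.
crl_issuer() {
    openssl crl -in "$1" -noout -issuer | sed 's/^issuer=//'
}

# Fetch, verify, then move into place atomically; never install unverified data.
install_crl() {
    # $1 ca_server
    cacert=$(puppet config print localcacert)
    dest=$(puppet config print hostcrl)
    tmp=$(mktemp) || return 1
    if ! fetch_crl "$(crl_url "$1" 8141 production)" "$cacert" "$tmp"; then
        rm -f "$tmp"; return 1
    fi
    if ! verify_crl "$tmp" "$cacert"; then
        echo "CRL failed verification against $cacert, not installed" >&2
        rm -f "$tmp"; return 1
    fi
    echo "Installing CRL issued by: $(crl_issuer "$tmp")"
    mv "$tmp" "$dest"
}

if [ "$#" -ge 1 ]; then install_crl "$1"; fi   # usage: ./getcrl.sh ca.example.com
```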

answered 2014-10-31 16:12:34 -0600

cbarbour

updated 2014-10-31 16:12:48 -0600

You're using the wrong terminus. Try this:

puppet certificate_revocation_list --ca_port=8141 find crl

This will use the default terminus, which is ca.

Unfortunately, that gives me the same result: no output.

Joseph Carlos (2014-10-31 19:21:01 -0600)

Asked: 2014-10-30 17:33:58 -0600

Seen: 214 times

Last updated: Nov 03 '14