Ask Your Question
1

Why does Puppet run work even with CA service down?

asked 2013-09-22 05:48:24 -0500

Joseph Carlos gravatar image

updated 2013-09-22 05:49:00 -0500

I noticed that even if the Puppet CA service is down, the client will still get its puppet catalog from the master (although there will be an error message).

I did this:

  1. I turned off the Puppet CA service.

  2. I made a change to a Puppet client's model so that the next time it ran it should change something.

  3. I did a Puppet run on that Puppet client.

  4. The change was made, although this message appeared: err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Connection refused - connect(2).

So if the puppet run still ... (more)

edit retag flag offensive close merge delete

Comments

1

Are you sure you also got a new catalog or did you saw something like `using cached catalog`? Try running the agent with `--test` (disables all chaching mechanism)

Stefan gravatar imageStefan ( 2013-09-22 16:49:10 -0500 )edit

2 Answers

Sort by » oldest newest most voted
0

answered 2015-03-15 13:03:30 -0500

Joseph Carlos gravatar image

updated 2015-03-15 13:04:56 -0500

I had been misunderstanding how certificate revocation works in this context. When I revoke a Puppet node's certificate on the Puppet CA the revocation information is added to the Puppet CA's CRL. Currently, the Puppet Masters do not automatically download new CRLs.

So, I added a process so that when the certificate is revoked and the CRL updated, a signal is sent to all the Puppet Master's to download the new CRL and restart the Apache process. When I do this and then have the node whose certificate has been revoked attempt a Puppet run, I get a failure, which is as it should be.

A better solution would be for the Puppet CA to support OCSP and use Apache 2.4 which also supports OCSP.

Here is what PuppetLabs says on their SSL Configuration: External CA Support page:

Certificate revocation list (CRL) checking works in all three supported configurations, so long as the CRL file is distributed to the agents and masters using an “out of band” process. Puppet won’t automatically update the CRL on any of the components in the system.

edit flag offensive delete link more
0

answered 2013-09-22 14:06:31 -0500

Ancillas gravatar image

Once an SSL cert is signed by the CA, the CA is done. If Thawte is down, https doesn't stop working on sites that use Thawte signed certs.

edit flag offensive delete link more

Comments

That is not exactly correct. If your application does a certificate revocation check and Thawte's OCSP or CRL service is down, the application might decide to fail to authenticate ...(more)

Joseph Carlos gravatar imageJoseph Carlos ( 2013-09-22 15:07:35 -0500 )edit

That's a good point. Is it possible that the cert, validation in Puppet isn't that involved?

Ancillas gravatar imageAncillas ( 2013-09-22 15:27:38 -0500 )edit
1

Are you running puppet behind passenger? In this case apache should validate the SSL cert and I noticed that apache seems to only check the CRL on startup.

Stefan gravatar imageStefan ( 2013-09-22 16:47:41 -0500 )edit

I do run Puppet through Apache 2.2 and passenger (OCSP is supported by Apache 2.4). Some part of the Puppet process must notice that the Puppet CA service ...(more)

Joseph Carlos gravatar imageJoseph Carlos ( 2013-09-22 19:41:39 -0500 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2013-09-22 05:48:24 -0500

Seen: 203 times

Last updated: Mar 15 '15