Ask Your Question

Why does Puppet run work even with CA service down?

asked 2013-09-22 05:48:24 -0600

Joseph Carlos gravatar image

updated 2013-09-22 05:49:00 -0600

I noticed that even if the Puppet CA service is down, the client will still get its puppet catalog from the master (although there will be an error message).

I did this:

  1. I turned off the Puppet CA service.

  2. I made a change to a Puppet client's model so that the next time it ran it should change something.

  3. I did a Puppet run on that Puppet client.

  4. The change was made, although this message appeared: err: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate: Connection refused - connect(2).

So if the puppet run still ... (more)

edit retag flag offensive close merge delete



Are you sure you also got a new catalog or did you saw something like `using cached catalog`? Try running the agent with `--test` (disables all chaching mechanism)

Stefan gravatar imageStefan ( 2013-09-22 16:49:10 -0600 )edit

2 Answers

Sort by » oldest newest most voted

answered 2015-03-15 13:03:30 -0600

Joseph Carlos gravatar image

updated 2015-03-15 13:04:56 -0600

I had been misunderstanding how certificate revocation works in this context. When I revoke a Puppet node's certificate on the Puppet CA the revocation information is added to the Puppet CA's CRL. Currently, the Puppet Masters do not automatically download new CRLs.

So, I added a process so that when the certificate is revoked and the CRL updated, a signal is sent to all the Puppet Master's to download the new CRL and restart the Apache process. When I do this and then have the node whose certificate has been revoked attempt a Puppet run, I get a failure, which is as it should be.

A better solution would be for the Puppet CA to support OCSP and use Apache 2.4 which also supports OCSP.

Here is what PuppetLabs says on their SSL Configuration: External CA Support page:

Certificate revocation list (CRL) checking works in all three supported configurations, so long as the CRL file is distributed to the agents and masters using an “out of band” process. Puppet won’t automatically update the CRL on any of the components in the system.

edit flag offensive delete link more

answered 2013-09-22 14:06:31 -0600

Ancillas gravatar image

Once an SSL cert is signed by the CA, the CA is done. If Thawte is down, https doesn't stop working on sites that use Thawte signed certs.

edit flag offensive delete link more


That is not exactly correct. If your application does a certificate revocation check and Thawte's OCSP or CRL service is down, the application might decide to fail to authenticate ...(more)

Joseph Carlos gravatar imageJoseph Carlos ( 2013-09-22 15:07:35 -0600 )edit

That's a good point. Is it possible that the cert, validation in Puppet isn't that involved?

Ancillas gravatar imageAncillas ( 2013-09-22 15:27:38 -0600 )edit

Are you running puppet behind passenger? In this case apache should validate the SSL cert and I noticed that apache seems to only check the CRL on startup.

Stefan gravatar imageStefan ( 2013-09-22 16:47:41 -0600 )edit

I do run Puppet through Apache 2.2 and passenger (OCSP is supported by Apache 2.4). Some part of the Puppet process must notice that the Puppet CA service ...(more)

Joseph Carlos gravatar imageJoseph Carlos ( 2013-09-22 19:41:39 -0600 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2013-09-22 05:48:24 -0600

Seen: 228 times

Last updated: Mar 15 '15