
We started getting an error from one of the Puppet-agents:

Could not send report: SSL_connect returned=1 errno=0 state=SSLv3 read finished A: sslv3 alert certificate revoked

Indeed, according to puppet cert list $h on the server, the certificate was revoked. I cleaned it on the master, deleted the /var/lib/puppet/ssl on the client and all was fine.

I then ran puppet cert list --all | grep revoked -- and found over 20 other clients listed as "revoked" too. Spot checking the list, I found that puppet-agent did not have a problem on any of these others.

My questions:

  1. What would cause Puppet to "revoke" a particular client's certificate? It certainly was not done by a human administrator...
  2. Why would such revocations not break things for most clients -- but only for some?

Using puppet-2.7.25 on the clients (RHEL6) and 2.7.18 on the server (RHEL5). Thanks!

Mikhail T.
  • For the ones listed as revoked, do they also have a different cert in inventory for that host that's not revoked? – Shane Madden Nov 25 '14 at 00:18
  • Are your certificates expiring? 2.7 has been EOL for some time now. And did someone run `puppet node clean` on the nodes? – Michael Hampton Nov 25 '14 at 00:20
  • No, actually -- most of the hosts involved are new and their certs are only a few months old. Besides, they aren't listed as "expired" -- but rather as "revoked". – Mikhail T. Nov 25 '14 at 00:38
  • Shane, no the "revoked" entries are the only ones for each host involved. – Mikhail T. Nov 25 '14 at 00:43
  • @MikhailT. What web server setup is your puppet master using - the default webrick, or something like Passenger/Apache? Also, what are the revocation timestamps listed as from `openssl crl -in /var/lib/puppet/ssl/crl.pem -noout -text`? – Shane Madden Nov 25 '14 at 00:49
  • Shane, using Apache. That openssl command -- run on one of the clients -- produced *a lot* of output. The revocations listed all claim `Key Compromise` as the reason and some of the dates go back to 2013... – Mikhail T. Nov 25 '14 at 00:55
  • @MikhailT. How about for the specific nodes that have had the key revoked and are still working - check when they were revoked? (You'll need their serial number - get it from `/var/lib/puppet/ssl/ca/inventory.txt`). I'm curious if Apache's restarted since those were added to the CRL - they might only still be working because it only loads the CRL on startup. If they're recent enough or if a bunch were revoked at once, check in `last` to see whether anyone was on at those times, and in bash history what puppet-related stuff was run around then? – Shane Madden Nov 25 '14 at 01:23
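The last comment suggests matching the serials on the CRL against `/var/lib/puppet/ssl/ca/inventory.txt` to see which hosts were revoked and when. The script below is an added example (not from the thread or from Puppet) that does that join; the inventory lines and the `openssl crl -noout -text` excerpt are constructed samples that assume the formats those tools write (Puppet's `0x`-prefixed hex serial per line, OpenSSL's uppercase hex serial and "Revocation Date" per entry).

```python
import re
from datetime import datetime

# Constructed sample of inventory.txt: serial, not-before, not-after, subject.
INVENTORY = """\
0x0001 2014-06-01T10:00:00UTC 2019-06-01T10:00:00UTC /CN=puppet.example.com
0x000b 2014-08-14T12:30:00UTC 2019-08-14T12:30:00UTC /CN=web01.example.com
0x0010 2014-09-02T09:00:00UTC 2019-09-02T09:00:00UTC /CN=db01.example.com
"""

# Constructed sample of the "Revoked Certificates" part of `openssl crl -text`.
CRL_TEXT = """\
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Nov 20 03:12:41 2014 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
    Serial Number: 10
        Revocation Date: Mar 12 15:10:03 2013 GMT
        CRL entry extensions:
            X509v3 CRL Reason Code: 
                Key Compromise
"""

def parse_inventory(text):
    """Map certificate serial (int) -> CN from inventory.txt lines."""
    hosts = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 4:
            hosts[int(parts[0], 16)] = parts[3].split("/CN=")[-1]
    return hosts

def parse_crl(text):
    """Map revoked serial (int) -> (revocation datetime, reason) from the text dump."""
    entries = {}
    for block in re.split(r"^\s*Serial Number: ", text, flags=re.M)[1:]:
        serial_hex, _, rest = block.partition("\n")
        date = re.search(r"Revocation Date: (.+)", rest).group(1).strip()
        reason = re.search(r"CRL Reason Code:\s*(\S.*)", rest)
        entries[int(serial_hex, 16)] = (
            datetime.strptime(date, "%b %d %H:%M:%S %Y %Z"),
            reason.group(1).strip() if reason else "unspecified",
        )
    return entries

def revoked_hosts(inventory_text, crl_text):
    """Join the two views: CN -> (revocation datetime, reason), oldest first."""
    hosts, crl = parse_inventory(inventory_text), parse_crl(crl_text)
    found = {hosts[s]: v for s, v in crl.items() if s in hosts}
    return dict(sorted(found.items(), key=lambda kv: kv[1][0]))

if __name__ == "__main__":
    for cn, (when, why) in revoked_hosts(INVENTORY, CRL_TEXT).items():
        print(f"{when:%Y-%m-%d %H:%M}  {why:15}  {cn}")
```

Run it against the real files to get one line per revoked host with its timestamp, which is what you need before checking `last` and shell history for that window.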

0 Answers