[tor-bugs] #33587 [Internal Services/Tor Sysadmin Team]: puppet certificate revocation anomaly
Tor Bug Tracker & Wiki
blackhole at torproject.org
Tue Mar 10 18:15:36 UTC 2020
#33587: puppet certificate revocation anomaly
-----------------------------------------------------+-----------------
Reporter: anarcat | Owner: tpa
Type: defect | Status: new
Priority: High | Milestone:
Component: Internal Services/Tor Sysadmin Team | Version:
Severity: Major | Keywords:
Actual Points: | Parent ID:
Points: | Reviewer:
Sponsor: |
-----------------------------------------------------+-----------------
today i revoked cupani's cert by mistake:
{{{
anarcat at curie:tsa-misc(master)$ ./retire -v -H cupani.torproject.org
retire-all -p unifolium.torproject.org
checking for ganeti master on node unifolium.torproject.org
omeiense.torproject.org
polyanthum.torproject.org
instance cupani.torproject.org not running, no shutdown required
undefining instance cupani.torproject.org on host unifolium.torproject.org
error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name
'cupani.torproject.org'
instance cupani.torproject.org not found on unifolium.torproject.org
assuming retired: error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name
'cupani.torproject.org'
scheduling cupani.torproject.org disk deletion on host
unifolium.torproject.org
checking for path "/srv/vmstore/cupani.torproject.org/" on
unifolium.torproject.org
scheduling rm -rf "/srv/vmstore/cupani.torproject.org/" to run on
unifolium.torproject.org in 7 days
warning: commands will be executed using /bin/sh
job 4 at Tue Mar 17 17:45:00 2020
scheduling cupani.torproject.org backup disks removal on host
bungei.torproject.org
checking for path "/srv/backups/bacula/cupani.torproject.org/" on
bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on
bungei.torproject.org in 30 days
warning: commands will be executed using /bin/sh
job 22 at Thu Apr 9 17:45:00 2020
Notice: Revoked certificate with serial 30
Notice: Removing file Puppet::SSL::Certificate cupani.torproject.org at
'/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem'
cupani.torproject.org
Submitted 'deactivate node' for cupani.torproject.org with UUID
7b5e6d74-cb31-4929-9082-4a2bcda08b88
}}}
i was following the migration procedure as part of #33446 and got over
enthusiastic about the process. the cert shouldn't have been revoked, of
course, as the machine is still up.
but when i tried to see the effect of this, it seemed the certificate
still worked! cupani can do puppet runs without problems, even though the
on-disk certificate is gone:
{{{
root at pauli:~# ls -al
/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem
ls: cannot access
'/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem': No such file or
directory
}}}
so it seems our certificate revocation routine:
{{{
con.run('puppet node clean %s' % instance)
con.run('puppet node deactivate %s' % instance)
}}}
... does not work.
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33587>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
More information about the tor-bugs
mailing list