[tor-bugs] #33587 [Internal Services/Tor Sysadmin Team]: puppet certificate revocation anomaly

Tor Bug Tracker & Wiki blackhole at torproject.org
Tue Mar 10 18:38:20 UTC 2020


#33587: puppet certificate revocation anomaly
-------------------------------------------------+-------------------------
 Reporter:  anarcat                              |          Owner:  anarcat
     Type:  defect                               |         Status:  assigned
 Priority:  High                                 |      Milestone:
Component:  Internal Services/Tor Sysadmin Team  |        Version:
 Severity:  Major                                |     Resolution:
 Keywords:                                       |  Actual Points:
Parent ID:                                       |         Points:
 Reviewer:                                       |        Sponsor:
-------------------------------------------------+-------------------------
Changes (by anarcat):

 * status:  new => assigned
 * owner:  tpa => anarcat


Comment:

 restarting puppetdb makes the catalog runs fail, which is good:

 {{{
 root@cupani:~# pat
 Warning: Unable to fetch my node definition, but the agent run will continue:
 Warning: Error 500 on SERVER: Server Error: Could not retrieve facts for cupani.torproject.org: Failed to execute '/pdb/cmd/v1?checksum=83e3d9d88404f5f83bcd7db00c6466870eabd0a9&version=5&certname=cupani.torproject.org&command=replace_facts&producer-timestamp=2020-03-10T18:28:13.324Z' on at least 1 of the following 'server_urls': https://puppet.torproject.org:8081
 Info: Retrieving pluginfacts
 Info: Retrieving plugin
 Info: Loading facts
 Error: Could not retrieve catalog from remote server: Error 500 on SERVER: Server Error: Failed to execute '/pdb/cmd/v1?checksum=9c465faf636eea137c2391ed4cc74caf9daab225&version=5&certname=cupani.torproject.org&command=replace_facts&producer-timestamp=2020-03-10T18:28:16.845Z' on at least 1 of the following 'server_urls': https://puppet.torproject.org:8081
 Warning: Not using cache on failed catalog
 Error: Could not retrieve catalog; skipping run
 }}}

 then I uncommented this line in the Apache configuration:

 {{{
 SSLCARevocationCheck chain
 }}}

 ... and now the puppet run fails earlier:

 {{{
 root@cupani:~# pat
 Warning: Unable to fetch my node definition, but the agent run will continue:
 Warning: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Info: Retrieving pluginfacts
 Error: /File[/var/lib/puppet/facts.d]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Error: /File[/var/lib/puppet/facts.d]: Could not evaluate: Could not retrieve file metadata for puppet:///pluginfacts: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Info: Retrieving plugin
 Error: /File[/var/lib/puppet/lib]: Failed to generate additional resources using 'eval_generate': SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Error: /File[/var/lib/puppet/lib]: Could not evaluate: Could not retrieve file metadata for puppet:///plugins: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Info: Loading facts
 Error: Could not retrieve catalog from remote server: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 Warning: Not using cache on failed catalog
 Error: Could not retrieve catalog; skipping run
 Error: Could not send report: SSL_connect returned=1 errno=0 state=error: sslv3 alert certificate revoked
 }}}

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/33587#comment:1>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
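The directive that changed the outcome in the comment above is Apache's SSLCARevocationCheck: mod_ssl defaults to "none", so a CRL configured with SSLCARevocationFile is never consulted until the directive is set to "leaf" or "chain", and only then does a revoked agent certificate produce the "certificate revoked" TLS alert seen in the second run. The Go program below is an illustration added to this archive page; it is not code from the ticket, from Tor's Puppet setup or from Apache. It builds a throwaway CA, one agent certificate and a CRL with the Go standard library (the CA name, the agent name and the serial numbers are invented), then re-implements the three directive values over that chain as a model of what OpenSSL does for mod_ssl, not as mod_ssl's own code. With only a CA and a leaf, "leaf" and "chain" reject the same certificate; the difference between them only shows once an intermediate CA sits between the two.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var ErrRevoked = errors.New("certificate revoked") // server-side cause of "sslv3 alert certificate revoked"

func must[T any](v T, err error) T { // panic on error: fine for a throwaway demo PKI
	if err != nil {
		panic(err)
	}
	return v
}

// PKI is a constructed demo CA plus one agent certificate; names and serials are invented.
type PKI struct {
	CA, Agent *x509.Certificate
	caKey     *ecdsa.PrivateKey
}

func NewPKI() *PKI {
	notBefore, notAfter := time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Puppet CA"}, NotBefore: notBefore, NotAfter: notAfter,
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign} // crlSign is required to sign a CRL
	agent := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "agent.example.invalid"}, NotBefore: notBefore, NotAfter: notAfter,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	p := &PKI{caKey: must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))}
	agentKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	p.CA = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &p.caKey.PublicKey, p.caKey))))
	p.Agent = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, agent, p.CA, &agentKey.PublicKey, p.caKey))))
	return p
}

// CRL returns a DER CRL signed by the CA listing the given serials as revoked (what SSLCARevocationFile points at).
func (p *PKI) CRL(revoked ...int64) []byte {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Hour), NextUpdate: time.Now().Add(24 * time.Hour)}
	for _, s := range revoked {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	return must(x509.CreateRevocationList(rand.Reader, tmpl, p.CA, p.caKey))
}

// checkCRL validates crlDER as issuer's CRL and returns ErrRevoked if cert's serial is on it. As with
// OpenSSL's CRL checking, a CRL that does not cover cert's issuer is a failure, not a silent pass.
func checkCRL(cert, issuer *x509.Certificate, crlDER []byte) error {
	rl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return err
	}
	if !bytes.Equal(rl.RawIssuer, cert.RawIssuer) {
		return fmt.Errorf("no CRL available for the issuer of %s", cert.Subject.CommonName)
	}
	if err := rl.CheckSignatureFrom(issuer); err != nil || time.Now().After(rl.NextUpdate) {
		return fmt.Errorf("CRL unusable (bad signature or past nextUpdate): %v", err)
	}
	for _, e := range rl.RevokedCertificates {
		if e.SerialNumber.Cmp(cert.SerialNumber) == 0 {
			return fmt.Errorf("%s (serial %s): %w", cert.Subject.CommonName, cert.SerialNumber, ErrRevoked)
		}
	}
	return nil
}

// VerifyClient models Apache mod_ssl's SSLCARevocationCheck for a client certificate: "none" (the default)
// ignores the CRL even when SSLCARevocationFile is set, "leaf" checks only the client certificate against
// its issuer's CRL, and "chain" checks every certificate in the chain (the value enabled in the ticket).
func VerifyClient(p *PKI, leaf *x509.Certificate, crlDER []byte, mode string) error {
	roots := x509.NewCertPool()
	roots.AddCert(p.CA)
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	if err != nil {
		return err // chain building fails before any CRL is consulted
	}
	chain := chains[0] // leaf first, trust anchor last
	toCheck, ok := map[string][]*x509.Certificate{"none": nil, "leaf": chain[:1], "chain": chain}[mode]
	if !ok {
		return fmt.Errorf("unknown SSLCARevocationCheck mode %q", mode)
	}
	for i, c := range toCheck {
		issuer := c // a self-signed anchor signs its own CRL
		if i+1 < len(chain) {
			issuer = chain[i+1]
		}
		if err := checkCRL(c, issuer, crlDER); err != nil {
			return err
		}
	}
	return nil
}

func main() {
	p := NewPKI()
	for _, mode := range []string{"none", "leaf", "chain"} {
		fmt.Printf("SSLCARevocationCheck %-5s -> %v\n", mode, VerifyClient(p, p.Agent, p.CRL(2), mode))
	}
}
```

Run with `go run`: with the agent's serial on the CRL, "none" still returns nil while "leaf" and "chain" return ErrRevoked, which is the transition the second puppet run in the comment shows. Two caveats carried over from OpenSSL's behaviour: a CRL past its nextUpdate is rejected rather than trusted, and once checking is enabled a certificate whose issuer has no CRL on file fails verification unless Apache's optional `no_crl_for_cert_ok` flag is given. mod_ssl reads SSLCARevocationFile at startup, so a regenerated CRL takes effect only after a reload.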