Skip to content

puppet certificate revocation anomaly

today i revoked cupani's cert by mistake:

anarcat@curie:tsa-misc(master)$ ./retire -v -H cupani.torproject.org  retire-all -p unifolium.torproject.org 
checking for ganeti master on node unifolium.torproject.org
omeiense.torproject.org
polyanthum.torproject.org

instance cupani.torproject.org not running, no shutdown required
undefining instance cupani.torproject.org on host unifolium.torproject.org
error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name 'cupani.torproject.org'

instance cupani.torproject.org not found on unifolium.torproject.org assuming retired: error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name 'cupani.torproject.org'

scheduling cupani.torproject.org disk deletion on host unifolium.torproject.org
checking for path "/srv/vmstore/cupani.torproject.org/" on unifolium.torproject.org
scheduling rm -rf "/srv/vmstore/cupani.torproject.org/" to run on unifolium.torproject.org in 7 days
warning: commands will be executed using /bin/sh
job 4 at Tue Mar 17 17:45:00 2020
scheduling cupani.torproject.org backup disks removal on host bungei.torproject.org
checking for path "/srv/backups/bacula/cupani.torproject.org/" on bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on bungei.torproject.org in 30 days
warning: commands will be executed using /bin/sh
job 22 at Thu Apr  9 17:45:00 2020
Notice: Revoked certificate with serial 30
Notice: Removing file Puppet::SSL::Certificate cupani.torproject.org at '/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem'
cupani.torproject.org
Submitted 'deactivate node' for cupani.torproject.org with UUID 7b5e6d74-cb31-4929-9082-4a2bcda08b88

i was following the migration procedure as part of legacy/trac#33446 (moved) and got over enthusiastic about the process. the cert shouldn't have been revoked, of course, as the machine is still up.

but when i tried to see the effect of this, it seemed the certificate still worked! cupani can do puppet runs without problems, even though the on-disk certificate is gone:

root@pauli:~# ls -al /var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem
ls: cannot access '/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem': No such file or directory

so it seems our certificate revocation routine:

    con.run('puppet node clean %s' % instance)
    con.run('puppet node deactivate %s' % instance)

... does not work.