puppet certificate revocation anomaly
today i revoked cupani's cert by mistake:
```
anarcat@curie:tsa-misc(master)$ ./retire -v -H cupani.torproject.org retire-all -p unifolium.torproject.org
checking for ganeti master on node unifolium.torproject.org omeiense.torproject.org polyanthum.torproject.org
instance cupani.torproject.org not running, no shutdown required
undefining instance cupani.torproject.org on host unifolium.torproject.org
error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name 'cupani.torproject.org'
instance cupani.torproject.org not found on unifolium.torproject.org assuming retired: error: failed to get domain 'cupani.torproject.org'
error: Domain not found: no domain with matching name 'cupani.torproject.org'
scheduling cupani.torproject.org disk deletion on host unifolium.torproject.org
checking for path "/srv/vmstore/cupani.torproject.org/" on unifolium.torproject.org
scheduling rm -rf "/srv/vmstore/cupani.torproject.org/" to run on unifolium.torproject.org in 7 days
warning: commands will be executed using /bin/sh
job 4 at Tue Mar 17 17:45:00 2020
scheduling cupani.torproject.org backup disks removal on host bungei.torproject.org
checking for path "/srv/backups/bacula/cupani.torproject.org/" on bungei.torproject.org
scheduling rm -rf "/srv/backups/bacula/cupani.torproject.org/" to run on bungei.torproject.org in 30 days
warning: commands will be executed using /bin/sh
job 22 at Thu Apr 9 17:45:00 2020
Notice: Revoked certificate with serial 30
Notice: Removing file Puppet::SSL::Certificate cupani.torproject.org at '/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem'
cupani.torproject.org
Submitted 'deactivate node' for cupani.torproject.org with UUID 7b5e6d74-cb31-4929-9082-4a2bcda08b88
```
i was following the migration procedure as part of legacy/trac#33446 (moved) and got over-enthusiastic about the process. the cert shouldn't have been revoked, of course, as the machine is still up.
but when i tried to see the effect of this, it seemed the certificate still worked! cupani can do puppet runs without problems, even though the on-disk certificate is gone:
```
root@pauli:~# ls -al /var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem
ls: cannot access '/var/lib/puppet/ssl/ca/signed/cupani.torproject.org.pem': No such file or directory
```
so it seems our certificate revocation routine:
```python
# revoke the node's certificate and remove it from the CA, then retire the node
con.run('puppet node clean %s' % instance)
con.run('puppet node deactivate %s' % instance)
```
... does not work.
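to make the anomaly concrete, here is an added demo (not code from tsa-misc or puppet) built on a throw-away openssl CA: it shows what an enforced revocation looks like, namely the serial appears in the CRL and a CRL-checking verifier then rejects the cert, whereas deleting the signed `.pem` on its own changes nothing for a client that still holds its copy. all names and paths are constructed for the demo.

```shell
# Added demo, not the report's code: a throw-away openssl CA showing that
# revocation is enforced through the CRL, not through the signed file.
set -eu
# Create CA database, config, a self-signed CA and one "agent" cert in $1.
build_demo_ca() {
  dir=$1; mkdir -p "$dir/newcerts"; : > "$dir/index.txt"
  echo 01 > "$dir/serial"; echo 01 > "$dir/crlnumber"
  cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = demo
[ demo ]
database = $dir/index.txt
new_certs_dir = $dir/newcerts
certificate = $dir/ca.pem
private_key = $dir/ca.key
serial = $dir/serial
crlnumber = $dir/crlnumber
default_md = sha256
default_days = 365
default_crl_days = 30
policy = demo_policy
[ demo_policy ]
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj /CN=demo-ca \
    -config "$dir/ca.cnf" -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj /CN=agent.example \
    -config "$dir/ca.cnf" -keyout "$dir/agent.key" -out "$dir/agent.csr" 2>/dev/null
  openssl ca -batch -notext -config "$dir/ca.cnf" \
    -in "$dir/agent.csr" -out "$dir/agent.pem" 2>/dev/null
  openssl ca -config "$dir/ca.cnf" -gencrl -out "$dir/crl.pem" 2>/dev/null
}
# Exit 0 while a CRL-checking verifier still accepts the agent cert.
agent_cert_accepted() {
  openssl verify -crl_check -CAfile "$1/ca.pem" -CRLfile "$1/crl.pem" \
    "$1/agent.pem" >/dev/null 2>&1
}
# Exit 0 if the CRL on disk lists serial $2 (hex, as openssl prints it).
crl_lists_serial() {
  openssl crl -in "$1/crl.pem" -noout -text | grep -q "Serial Number: $2"
}
# Mark the cert revoked in the CA database and publish a fresh CRL; only
# after this (and once the verifier reloads that CRL) is the cert rejected.
revoke_agent_cert() {
  openssl ca -config "$1/ca.cnf" -revoke "$1/agent.pem" 2>/dev/null
  openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
}
```

the check worth running against the real CA is the `crl_lists_serial` half: if serial 30 is absent from the CA's CRL, or the puppetserver has not reloaded the CRL it serves, the agent's cert is still valid from the server's point of view regardless of the deleted file.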