class Puppet::SSL::StateMachine::NeedCRLs
If revocation is enabled, load the cached CRLs or download them, using the CA bundle from the previous state, then transition to NeedKey.
Even if certificate_revocation is set to leaf or chain, revocation checking is disabled for the connection that downloads the CRL, since 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we don't yet have a CRL.
Public Instance Methods
next_state()
# File lib/puppet/ssl/state_machine.rb
# Load (and, when stale, refresh) the CRLs for the CA bundle carried in the
# current ssl_context, then hand the resulting root context to NeedKey.
#
# With certificate_revocation set to :chain or :leaf, a locally cached CRL is
# wrapped into a new root context; once crl_refresh_interval seconds have
# passed since crl_last_update (or no update time is recorded) the CRL is
# re-downloaded on a best-effort basis, keeping the cached CRL on failure
# (see refresh_crl). When nothing is cached the CRL is downloaded
# unconditionally and a failed download is a hard error. Any other
# certificate_revocation value produces a context with no CRLs at all.
#
# @return [NeedKey] on success; an Error state when the CRL cannot be parsed
#   (OpenSSL::X509::CRLError) or the mandatory first download gets an HTTP
#   error response (Puppet::HTTP::ResponseError). Transport-level failures of
#   that first download are not rescued here.
def next_state
  Puppet.debug("Loading CRLs")

  revocation_mode = Puppet[:certificate_revocation]
  next_ctx =
    if revocation_mode == :chain || revocation_mode == :leaf
      cached_crls = @cert_provider.load_crls
      if cached_crls
        ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: cached_crls)

        refresh_interval = Puppet[:crl_refresh_interval]
        if refresh_interval
          previous_update = @cert_provider.crl_last_update
          checked_at = Time.now
          stale = previous_update.nil? || checked_at.to_i > previous_update.to_i + refresh_interval
          if stale
            # Record the attempt before refreshing so a failing CA does not get
            # hammered on every run; the refresh itself is best effort.
            @cert_provider.crl_last_update = checked_at
            ctx = refresh_crl(ctx, previous_update)
          end
        end
        ctx
      else
        # No CRL on disk yet: download with the context inherited from the
        # previous state and let any failure propagate to the rescues below.
        download_crl(@ssl_context, nil)
      end
    else
      Puppet.info("Certificate revocation is disabled, skipping CRL download")
      @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
    end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  # Only the initial download can surface here; refresh_crl swallows its own
  # response errors.
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
Private Instance Methods
download_crl(ssl_ctx, last_update)
# File lib/puppet/ssl/state_machine.rb
# Fetch the CRL bundle from the CA service, verify it against the CA
# certificates in +ssl_ctx+, and only then persist it locally.
#
# @param ssl_ctx the SSL context used both for the TLS connection to the CA
#   and as the source of the CA certs (+ssl_ctx[:cacerts]+) the downloaded
#   CRLs are verified against
# @param last_update [Time, nil] sent as If-Modified-Since; nil on a first
#   download so the server always returns the CRL
# @return a new root context carrying the downloaded CRLs
# @raise [Puppet::HTTP::ResponseError] on an error response from the CA,
#   including 304 Not Modified when +last_update+ was given; the caller
#   decides whether that is fatal
def download_crl(ssl_ctx, last_update)
  ca_route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
  _response, crl_pem = ca_route.get_certificate_revocation_list(if_modified_since: last_update, ssl_context: ssl_ctx)
  downloaded_crls = @cert_provider.load_crls_from_pem(crl_pem)

  # Building the root context verifies the CRLs against the CA bundle, so an
  # unparseable or mismatched CRL raises here and is never written to disk.
  verified_ctx = @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: downloaded_crls)
  @cert_provider.save_crls(downloaded_crls)

  verified_ctx
end
refresh_crl(ssl_ctx, last_update)
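# File lib/puppet/ssl/state_machine.rb
# Best-effort refresh of an already cached CRL.
#
# Any failure keeps the existing CRL: the caller (next_state) has already
# bumped crl_last_update before calling us, so a failed refresh is not retried
# until crl_refresh_interval elapses again and the cached CRL stays in use for
# that whole window. Because of that, every failure other than a 304 is
# reported at warning level so it is visible in normal operation.
#
# @param ssl_ctx the current root context; returned unchanged when the
#   refresh fails or the server reports the CRL unmodified
# @param last_update [Time, nil] sent as If-Modified-Since
# @return the context carrying the refreshed CRLs on success, otherwise
#   +ssl_ctx+
def refresh_crl(ssl_ctx, last_update)
  Puppet.info(_("Refreshing CRL"))

  # return the next_ctx containing the updated crl
  download_crl(ssl_ctx, last_update)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 304
    Puppet.info(_("CRL is unmodified, using existing CRL"))
  else
    # An error response from the CA is as much a failed refresh as a transport
    # error, so log it at the same level as the HTTPError branch below rather
    # than at info, where it would be easy to miss.
    Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})
  end

  # return the original ssl_ctx
  ssl_ctx
rescue Puppet::HTTP::HTTPError => e
  Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})

  # return the original ssl_ctx
  ssl_ctx
end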