class Puppet::SSL::StateMachine::NeedCRLs

If revocation is enabled, load the CRLs or download them, using the CA bundle from the previous state, then transition to NeedKey. Even if Puppet's revocation mode is leaf or chain, revocation is disabled while downloading the CRL, since 1) we may not have one yet, or 2) the connection will fail if NeedCACerts downloaded a new CA for which we don't have a CRL.

Public Instance Methods

next_state() click to toggle source
    # File lib/puppet/ssl/state_machine.rb
# Load the CRLs that revocation checking needs, refreshing or downloading
# them when required, and move the machine to NeedKey.
#
# When `Puppet[:certificate_revocation]` is `:chain` or `:leaf` and CRLs are
# already on disk, a root context is built from them; if
# `Puppet[:crl_refresh_interval]` is set and that interval has elapsed since
# the recorded `crl_last_update` (or none was recorded), the CRL is refreshed
# on a best-effort basis. When no CRLs are on disk they are downloaded with
# the context this state was given. When revocation is disabled, the root
# context is built with an empty CRL list.
#
# @return the NeedKey state on success; an Error state when the CRLs are
#   invalid (OpenSSL::X509::CRLError) or cannot be downloaded
#   (Puppet::HTTP::ResponseError, via to_error)
def next_state
  Puppet.debug("Loading CRLs")

  revocation = Puppet[:certificate_revocation]
  next_ctx =
    if revocation == :chain || revocation == :leaf
      on_disk = @cert_provider.load_crls
      if on_disk
        ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: on_disk)
        ttl = Puppet[:crl_refresh_interval]
        if ttl
          last_update = @cert_provider.crl_last_update
          now = Time.now
          stale = last_update.nil? || now.to_i > last_update.to_i + ttl
          if stale
            # Record the attempt before refreshing: a refresh that fails is not
            # retried until the interval elapses again (refresh_crl falls back
            # to the existing CRL on HTTP failure).
            @cert_provider.crl_last_update = now
            ctx = refresh_crl(ctx, last_update)
          end
        end
        ctx
      else
        # Nothing on disk yet; a nil last_update forces a full download.
        download_crl(@ssl_context, nil)
      end
    else
      Puppet.info("Certificate revocation is disabled, skipping CRL download")
      @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
    end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  # An unparseable or unverifiable CRL moves the machine to the Error state
  # rather than continuing with revocation checking quietly weakened.
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end

Private Instance Methods

download_crl(ssl_ctx, last_update) click to toggle source
    # File lib/puppet/ssl/state_machine.rb
# Download the CRL bundle from the CA and persist it.
#
# The downloaded CRLs are used to build a root context *before* they are
# saved, so a bundle that does not validate against the CA bundle is never
# written to disk (presumably create_root_context raises in that case;
# next_state rescues OpenSSL::X509::CRLError).
#
# @param ssl_ctx the ssl context used for the request; its +:cacerts+ are
#   the bundle the new CRLs are validated against
# @param last_update [Time, nil] passed as +if_modified_since+; nil forces
#   a full download
# @return a new root context containing the downloaded CRLs
def download_crl(ssl_ctx, last_update)
  route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
  _response, pem = route.get_certificate_revocation_list(if_modified_since: last_update, ssl_context: ssl_ctx)
  crls = @cert_provider.load_crls_from_pem(pem)

  # Build (and thereby check) the context first, only then save the CRLs.
  @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: crls).tap do
    @cert_provider.save_crls(crls)
  end
end
refresh_crl(ssl_ctx, last_update) click to toggle source
    # File lib/puppet/ssl/state_machine.rb
# Best-effort refresh of an existing CRL.
#
# Delegates to download_crl; on any HTTP failure the existing CRL (the
# +ssl_ctx+ passed in) is kept, so a refresh problem never leaves the agent
# without revocation data it already had. A 304 means the server's CRL is
# unchanged and is logged at info level; other response errors are logged at
# info, transport-level errors at warning. Puppet::HTTP::ResponseError is
# rescued before the broader Puppet::HTTP::HTTPError (presumably its
# superclass) so the 304 case is handled first.
#
# @param ssl_ctx the context holding the current CRLs, returned unchanged on
#   failure
# @param last_update [Time, nil] passed through as +if_modified_since+
# @return a context with the refreshed CRLs, or +ssl_ctx+ if the refresh
#   did not succeed
def refresh_crl(ssl_ctx, last_update)
  Puppet.info(_("Refreshing CRL"))

  download_crl(ssl_ctx, last_update)
rescue Puppet::HTTP::ResponseError => e
  message =
    if e.response.code == 304
      _("CRL is unmodified, using existing CRL")
    else
      _("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message}
    end
  Puppet.info(message)

  # keep the CRL we already have
  ssl_ctx
rescue Puppet::HTTP::HTTPError => e
  Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})

  # keep the CRL we already have
  ssl_ctx
end