class Puppet::SSL::StateMachine::NeedCACerts

Load existing CA certs or download them. Transition to NeedCRLs.

Public Class Methods

new(machine)
   # File lib/puppet/ssl/state_machine.rb
# Build the first state of the trust bootstrap.
#
# The superclass initializer receives a nil ssl context: in this state no
# CA certs are known yet, so there is nothing to verify against. The
# insecure context created here is what #next_state uses to talk to the CA
# when the bundle has to be downloaded (presumably it skips server
# verification — the server's cert chains to the very CA being fetched).
#
# @param machine [Puppet::SSL::StateMachine] the owning state machine
def initialize(machine)
  super(machine, nil)
  # NOTE(review): @ssl_provider is not assigned here; assumed to be set by
  # the superclass initializer — confirm before reordering these lines.
  @ssl_context = @ssl_provider.create_insecure_context
end

Public Instance Methods

next_state()
   # File lib/puppet/ssl/state_machine.rb
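# Load the CA bundle from the local certificate store or, when none is
# cached, download it from the CA over the insecure bootstrap context.
#
# Trust decision: with nothing on disk the agent has no anchor yet, so the
# download is a trust-on-first-use step. When `@machine.ca_fingerprint` is
# set, the downloaded bundle is hashed with `@machine.digest` and must match
# the configured fingerprint, otherwise the bundle is accepted as received.
# The digest appears to be taken over the PEM text exactly as the CA served
# it (not over DER), so any byte-level change to the bundle changes it.
#
# The bundle is parsed into a root context before it is saved, so a
# malformed bundle raises `OpenSSL::X509::CertificateError` and nothing is
# written to disk.
#
# @return [Puppet::SSL::StateMachine::NeedCRLs] on success, carrying a root
#   context built from the CA certs with revocation checking disabled
# @return [Puppet::SSL::StateMachine::Error] on fingerprint mismatch, on an
#   unparseable bundle, or on an HTTP error from the CA (`to_error` is
#   inherited from the superclass and not shown here)
def next_state
  Puppet.debug("Loading CA certs")

  cacerts = @cert_provider.load_cacerts
  if cacerts
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
  else
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
    if @machine.ca_fingerprint
      actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
      # Normalize the configured value to colon-separated uppercase pairs,
      # the form the comparison against `to_hex` expects. Colons are removed
      # before regrouping so that a fingerprint already written with
      # separators (e.g. copied from the log line below, which prints the
      # same format) is paired correctly instead of being split across the
      # colons and never matching. A bare hex string is unaffected.
      expected_digest = @machine.ca_fingerprint.delete(':').scan(/../).join(':').upcase
      if actual_digest == expected_digest
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                    { digest_type: @machine.digest, actual_digest: actual_digest })
      else
        # Fail closed: the bundle is neither saved nor used.
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest })
        return Error.new(@machine, e.message, e)
      end
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)
    # verify cacerts before saving: a bad bundle raises CertificateError
    # here, before anything is persisted
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end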