class Puppet::SSL::StateMachine::NeedCRLs
If revocation is enabled, load the CRLs from local storage or download them, using the CA bundle from the previous state, then transition to NeedKey. Even when Puppet is configured for leaf or chain revocation checking, revocation is disabled on the connection that downloads the CRL, because 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we don't have a CRL.
Public Instance Methods
next_state()
# File lib/puppet/ssl/state_machine.rb
# Build the SSL context for the next state from the CA bundle of the current
# context (ssl_context[:cacerts]) plus a set of CRLs, then transition to NeedKey.
#
# What happens depends on Puppet[:certificate_revocation]:
#   :chain / :leaf - use the CRLs @cert_provider already has; if
#                    Puppet[:crl_refresh_interval] is set and has elapsed since
#                    @cert_provider.crl_last_update (or no timestamp exists),
#                    make a best-effort refresh. With no stored CRLs, download
#                    them from the CA without an If-Modified-Since value.
#   anything else  - build a context with an empty CRL list.
#
# Returns NeedKey on success. Returns Error when a CRL cannot be parsed
# (OpenSSL::X509::CRLError) and to_error(...) when the CRL download fails with
# an HTTP response error (404 is reported as a missing CRL). Any other
# exception propagates to the caller.
def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      # NOTE(review): ssl_context (reader) and @ssl_context (ivar) are both used
      # in this method; assumed to refer to the same object.
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)

      crl_ttl = Puppet[:crl_refresh_interval]
      if crl_ttl
        last_update = @cert_provider.crl_last_update
        now = Time.now
        # Refresh when no timestamp was ever recorded or the interval has elapsed.
        if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
          # set last updated time first, then make a best effort to refresh
          # (refresh_crl returns next_ctx unchanged when the download fails, so
          # a failing refresh is not retried on every run until crl_ttl elapses
          # again).
          @cert_provider.crl_last_update = now
          next_ctx = refresh_crl(next_ctx, last_update)
        end
      end
    else
      # No stored CRLs yet: unconditional initial download (no If-Modified-Since).
      next_ctx = download_crl(@ssl_context, nil)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
Private Instance Methods
download_crl(ssl_ctx, last_update)
# File lib/puppet/ssl/state_machine.rb
# Fetch the CRLs from the CA over a connection made with ssl_ctx, and return a
# new root context built from ssl_ctx[:cacerts] plus the downloaded CRLs.
#
# ssl_ctx     - the context used for the CA connection and as the CA bundle
#               source (the class description says revocation is disabled on
#               it for this request)
# last_update - passed as If-Modified-Since to the CA, or nil for an
#               unconditional download
#
# The downloaded CRLs are only persisted via @cert_provider.save_crls after the
# root context has been built from them; the original code's comment states
# that building the context verifies the CRLs, so a CRL that fails that step
# never reaches disk. Errors from the HTTP route, the PEM parse or the context
# build propagate to the caller.
def download_crl(ssl_ctx, last_update)
  ca_route = @machine.session.route_to(:ca, ssl_context: ssl_ctx)
  _response, pem = ca_route.get_certificate_revocation_list(if_modified_since: last_update, ssl_context: ssl_ctx)
  downloaded = @cert_provider.load_crls_from_pem(pem)

  # verify crls before saving
  @ssl_provider.create_root_context(cacerts: ssl_ctx[:cacerts], crls: downloaded).tap do
    @cert_provider.save_crls(downloaded)
  end
end
refresh_crl(ssl_ctx, last_update)
# File lib/puppet/ssl/state_machine.rb
# Best-effort CRL refresh: try download_crl with last_update as the
# If-Modified-Since value and return the resulting context. If the CA answers
# with an HTTP response error or the request fails at the transport level, log
# it and return ssl_ctx unchanged, i.e. keep using the CRLs already in it.
#
# NOTE(review): a 304 and any other response error (e.g. a server-side
# failure) are both logged at info level, while a Puppet::HTTP::HTTPError is
# logged at warning. Because every failure path falls back to the previously
# stored CRL, a refresh that keeps failing leaves the node on a stale CRL with
# only an info-level trace in the non-304 case.
def refresh_crl(ssl_ctx, last_update)
  begin
    Puppet.info(_("Refreshing CRL"))

    # Success path: the returned context carries the freshly downloaded CRLs.
    download_crl(ssl_ctx, last_update)
  rescue Puppet::HTTP::ResponseError => e
    unmodified = e.response.code == 304
    notice = if unmodified
               _("CRL is unmodified, using existing CRL")
             else
               _("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message}
             end
    Puppet.info(notice)

    # Fall back to the context we already had.
    ssl_ctx
  rescue Puppet::HTTP::HTTPError => e
    Puppet.warning(_("Failed to refresh CRL, using existing CRL: %{message}") % {message: e.message})

    # Fall back to the context we already had.
    ssl_ctx
  end
end