PUP-10639

Refresh cached Puppet CA on Puppet client



    • New Feature
    • Status: Ready for Merge
    • Normal
    • Resolution: Unresolved
    • PUP 8.1.0

      The Puppet client should never fail because of an expired locally cached CA file if the CA used by the configured `ca_server` was renewed before it expired.
    • Phoenix 2023-06-07


      Puppet Version: all
      Puppet Server Version: irrelevant
      OS Name/Version: irrelevant

      Currently the Puppet agent/client caches the Puppet CA file it first received forever. When this CA expires and gets renewed on the configured `ca_server` or Puppetserver, the cache is still not updated with the new CA.

      #puppet slack channel discussion: https://puppetcommunity.slack.com/messages/C0W298S9G/p1597402361432800

      Desired Behavior:

      • add sane defaults that recheck whether the locally cached CA differs from the one used by the configured `ca_server` (e.g. 1 week or 2 weeks before the CA expiration date)
      • add Puppet client config settings to specify the intervals for this CA check
      • if the locally cached CA file is expired, check whether the configured `ca_server` uses a different one and replace the locally cached CA file

      Actual Behavior:

      Currently the client uses the cached CA file forever, even when the CA file has expired or the CA file used by the configured `ca_server` or Puppetserver was renewed.

      This results in completely failed Puppet runs, which never recover without external/manual intervention (removing the expired locally cached CA file).


      • Create a new puppet setting ca_refresh_interval, similar to crl_refresh_interval. It should by default. The default value is TBD.
      • The agent should use the If-Modified-Since HTTP header so that it only downloads the CA if it's been modified on the server.
      • If the CA bundle is not updated, it should continue using its local CA.
      • If the CA bundle is updated, the agent should use the new CA bundle for all future HTTPS connections.
      • If the CA bundle is updated, then we must update the CRL, as there may be a new intermediate CA and we need a corresponding CRL to verify the full chain.
      • What should the behavior be if the local CA cert is expired? Fail like we do now or always attempt to download a new CA bundle (even if the next update time hasn't occurred yet).
      • Need to understand what happens if the CRL nextUpdate time expires. Do agent runs fail?
      • Need unit tests for Puppet::SSL::StateMachine similar to what's done in spec/unit/ssl/state_machine_spec.rb for CRL refreshing.
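      The refresh decision the desired-behavior and scope lists above describe, as an added example rather than Puppet's own code. The `fetch` lambda is a hypothetical stand-in for the HTTPS GET to `ca_server`: it receives the If-Modified-Since value and returns `[status, body, last_modified]`. For the open question about an expired local CA, this example takes the "always attempt a download" option and fails only when that download also fails.

```ruby
require 'openssl'

# True when the first certificate in the cached bundle has passed not_after.
def ca_expired?(pem, now)
  OpenSSL::X509::Certificate.new(pem).not_after <= now
end

# True when ca_refresh_interval (seconds) has elapsed since the last check.
def refresh_due?(last_checked, interval, now)
  last_checked.nil? || now - last_checked >= interval
end

# cache: { pem:, last_checked:, last_modified: }. Returns the updated cache plus
# :action (:kept, :not_modified, :updated) and :crl_refresh_needed, because a new
# bundle may carry a new intermediate CA whose CRL must also be fetched.
def refresh_ca_bundle(cache, now:, interval:, fetch:)
  expired = ca_expired?(cache[:pem], now)
  # An expired local CA forces a download attempt even before the interval elapses.
  unless expired || refresh_due?(cache[:last_checked], interval, now)
    return cache.merge(action: :kept, crl_refresh_needed: false)
  end
  status, body, last_modified = fetch.call(cache[:last_modified])
  case status
  when 304 # unchanged on the server: keep the local copy
    cache.merge(last_checked: now, action: :not_modified, crl_refresh_needed: false)
  when 200 # new bundle: make sure it parses before replacing the cached file
    OpenSSL::X509::Certificate.new(body)
    cache.merge(pem: body, last_checked: now, last_modified: last_modified,
                action: :updated, crl_refresh_needed: true)
  else
    # Download failed: an unexpired CA can still be used, an expired one cannot.
    raise "cached CA expired and refresh failed (HTTP #{status})" if expired
    cache.merge(last_checked: now, action: :kept, crl_refresh_needed: false)
  end
end

# Constructed self-signed CA for offline runs; `not_after` sets its expiry.
def make_ca_pem(not_after)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Test CA')
  cert.public_key = key.public_key
  cert.not_before = not_after - 365 * 86_400
  cert.not_after = not_after
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  cert.to_pem
end
```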


              tony.vu Tony Vu
              xorpaul Andreas Paul