[PUP-10639] Refresh cached Puppet CA on Puppet client - Puppet Jira Server

XML

Word

Printable

Details

Type: New Feature
Status: Ready for Merge
Priority: Normal
Resolution: Unresolved
Affects Version/s: None
Fix Version/s: PUP 8.1.0
Component/s: None
Labels:
None

Acceptance Criteria:

Hide

The Puppet client does never fail, because of expired local cached CA File, if the CA used by the configured `ca_server` was renewed before expiration.

Show
The Puppet client does never fail, because of expired local cached CA File, if the CA used by the configured `ca_server` was renewed before expiration.
Epic Link:
Enterprise Maintainability: Certificate Management
Team:
Phoenix
Story Points:
5
Sprint:
Phoenix 2023-06-07

QA Risk Assessment:
Needs Assessment

Description

Puppet Version: all
Puppet Server Version: irrelevant
OS Name/Version: irrelevant

Currently the Puppet agent/client does cache the Puppet CA file it first received forever. When this CA expires and get renewed on the configured `ca_server` or Puppetserver the cache still does not get updated with the new CA.

#puppet slack channel discussion: https://puppetcommunity.slack.com/messages/C0W298S9G/p1597402361432800

Desired Behavior:

add sane defaults that would recheck if the cached local CA does differ from the one used by the configured `ca_server` (e.g. 1 week or 2 weeks before CA expiration date)
add Puppet client config settings to specify intervals for this CA check
if the local cached CA file is expired check if the configured `ca_server` uses a different one and replace the local cached CA file

Actual Behavior:

Currently the client does use the cached CA file forever even when the CA file has expired or the used CA file of the configured `ca_server` or Puppetserver was renewed.

This results in completely failed Puppet runs, which will never recover without external/manual intervention (removing the expired locally cached CA file)

Grooming:

Create new puppet setting ca_refresh_interval, similar to crl_refresh_interval. It should by default. TBD the default setting
The agent should use the If-Modified-Since HTTP header so that it only downloads the CA if it's been modified on the server.
If the CA bundle is not updated, it should continue using its local CA.
If the CA bundle is updated, the agent should use the new CA bundle for all future HTTPS connections.
If the CA bundle is updated, then we must update the CRL, as there may be a new intermediate CA and we need a corresponding CRL to verify the full chain.
What should the behavior be if the local CA cert is expired? Fail like we do now or always attempt to download a new CA bundle (even if the next update time hasn't occurred yet).
Need to understand what happens if the CRL nextUpdate time expires. Do agent runs fail?
Need unit tests for Puppet::SSL::StateMachine similar to what's done in spec/unit/ssl/state_machine_spec.rb for CRL refreshing.

Attachments

Issue Links

is duplicated by

PA-4086 Add Option to refresh CA file

Closed

relates to

PUP-9638 Add an option to verify the CA bundle download against a fingerprint

Resolved

PUP-8639 need seamless way to replace expiring CA certificate

Closed

Activity

People

Assignee:: Tony Vu

Reporter:: Andreas Paul

Votes:: 4 Vote for this issue

Watchers:: 11 Start watching this issue

Dates

Created:: 2020/08/20 4:40 AM

Updated:: 2023/06/02 9:02 AM