Status: Ready for Merge
Puppet Version: all
Puppet Server Version: irrelevant
OS Name/Version: irrelevant
Currently the Puppet agent/client caches the Puppet CA file it first received forever. When this CA expires and gets renewed on the configured `ca_server` or Puppetserver, the cache is never updated with the new CA.
#puppet slack channel discussion: https://puppetcommunity.slack.com/messages/C0W298S9G/p1597402361432800
- add sane defaults that recheck whether the cached local CA differs from the one used by the configured `ca_server` (e.g. 1 or 2 weeks before the CA expiration date)
- add Puppet client config settings to specify the interval for this CA check
- if the locally cached CA file has expired, check whether the configured `ca_server` uses a different one and, if so, replace the locally cached CA file
Currently the agent uses the cached CA file forever, even when that file has expired or the CA used by the configured `ca_server` or Puppetserver has been renewed.
This results in completely failed Puppet runs that never recover without external/manual intervention (removing the expired locally cached CA file).
- Create a new Puppet setting `ca_refresh_interval`, similar to `crl_refresh_interval`. It should be on by default; the default interval is TBD.
- The agent should send the `If-Modified-Since` HTTP header so that it only downloads the CA bundle if it has been modified on the server.
- If the CA bundle has not been updated, the agent should continue using its local CA.
- If the CA bundle has been updated, the agent should use the new CA bundle for all future HTTPS connections.
- If the CA bundle has been updated, the CRL must also be refreshed, since there may be a new intermediate CA and a corresponding CRL is needed to verify the full chain.
- Open question: what should the behavior be if the local CA cert has expired? Fail as we do now, or always attempt to download a new CA bundle (even if the next refresh time has not arrived yet)?
- Need to understand what happens when the CRL's `nextUpdate` time passes. Do agent runs fail?
- Need unit tests for `Puppet::SSL::StateMachine` similar to those in `spec/unit/ssl/state_machine_spec.rb` for CRL refreshing.
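To make the proposed behaviour concrete (both the "recheck before expiry / force a check once expired" defaults above and the `If-Modified-Since` refresh flow in this list), here is an added Ruby sketch of the decision logic. It is example code written for this ticket, not Puppet's own implementation: `REFRESH_INTERVAL`, `PRE_EXPIRY_WINDOW`, `FakeCAServer`, `refresh_due?` and `refresh_ca` are all hypothetical names, the interval values are placeholders (the real default is still TBD), and the "server" is an in-process stand-in that answers 304/200 the way the `ca_server` would. The cached file's mtime doubles as the `If-Modified-Since` value, mirroring how the CRL refresh works today.

```ruby
require 'openssl'

# Hypothetical settings for this example; the real default is TBD in the ticket.
REFRESH_INTERVAL  = 24 * 60 * 60       # seconds between CA checks (assumption)
PRE_EXPIRY_WINDOW = 14 * 24 * 60 * 60  # force a check within 2 weeks of CA expiry

# Build a self-signed CA cert valid over [not_before, not_after] (test fixture only).
def make_ca(name, not_before, not_after)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = not_before
  cert.not_after  = not_after
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign,cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  cert
end

# Constructed stand-in for the ca_server's CA endpoint: 304 when the bundle has
# not changed since the If-Modified-Since timestamp, otherwise 200 plus the PEM.
class FakeCAServer
  attr_reader :requests
  def initialize(bundle_pem, last_modified)
    @bundle_pem, @last_modified, @requests = bundle_pem, last_modified, 0
  end
  def get_ca(if_modified_since: nil)
    @requests += 1
    return [304, nil] if if_modified_since && @last_modified <= if_modified_since
    [200, @bundle_pem]
  end
end

# Should the agent ask the server for the CA bundle now?
#  - nothing cached           -> yes
#  - local CA expired, or within PRE_EXPIRY_WINDOW of expiry -> yes, regardless of interval
#  - otherwise                -> only once REFRESH_INTERVAL has elapsed since the cache mtime
def refresh_due?(local_pem, cached_at, now)
  return true if local_pem.nil?
  cert = OpenSSL::X509::Certificate.new(local_pem)
  return true if now >= cert.not_after - PRE_EXPIRY_WINDOW
  now - cached_at >= REFRESH_INTERVAL
end

# Returns [pem_to_use, outcome] where outcome is one of
# :not_due, :unchanged (304), :updated (200, accepted) or :rejected (200, bad bundle).
# A caller seeing :updated must also refresh the CRL, since the bundle may now
# carry a new intermediate whose CRL is needed to verify the full chain.
def refresh_ca(server, local_pem, cached_at, now)
  return [local_pem, :not_due] unless refresh_due?(local_pem, cached_at, now)
  status, body = server.get_ca(if_modified_since: cached_at)
  case status
  when 304
    # Server has nothing newer. If local_pem is already expired the run will
    # still fail here; that is the open question in the ticket, left as-is.
    [local_pem, :unchanged]
  when 200
    pems  = body.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
    certs = pems.map { |p| OpenSSL::X509::Certificate.new(p) }
    # Do not overwrite a working cache with a bundle that is empty or not yet/no longer valid.
    valid = !certs.empty? && certs.all? { |c| now >= c.not_before && now < c.not_after }
    valid ? [body, :updated] : [local_pem, :rejected]
  else
    [local_pem, :rejected]
  end
end

if __FILE__ == $0
  now    = Time.now
  old_ca = make_ca('Old Puppet CA', now - 2 * 365 * 86_400, now - 86_400)   # expired
  new_ca = make_ca('Renewed Puppet CA', now - 86_400, now + 5 * 365 * 86_400)
  server = FakeCAServer.new(new_ca.to_pem, now - 6 * 3600)                 # renewed 6h ago
  pem, outcome = refresh_ca(server, old_ca.to_pem, now - 400 * 86_400, now)
  puts "outcome=#{outcome} subject=#{OpenSSL::X509::Certificate.new(pem).subject}"
end
```

The mtime-as-`If-Modified-Since` choice means an expired local CA with a recent mtime can still get a 304 from a server that has not renewed; the sketch deliberately does not paper over that, because the ticket has not decided whether that case should fail or force a full download.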