[PUP-2189] The CRL can get corrupted if two workers revoke certs at same time - Puppet Jira Server

XML

Word

Printable

Acceptance Criteria:

Hide

Testbed is success in PE in the Cloud etc.

Show
Testbed is success in PE in the Cloud etc.
Epic Link:
Improve Certificate Revocation
Team:
Froyo
Story Points:
1

The CRL file (and many other SSL related files) are missing locking, so concurrent access can lead to corruptions.

In Scope

~~Confirm that PE in the Cloud etc will be leveraging puppet cert command line tools (as opposed to modifying CRL directly or revoking certs via server http api)~~ confirmed
Investigate filesystem-based locking of CRL file in ruby puppet on update
Limited to updates to CRL via the puppet cert CLI

Out of Scope

is duplicated by

PUP-3703 puppca appears to have a race condition on the ca_crl.pem creation with many parallel revocations

relates to

SERVER-115 Concurrent access to the CRL can corrupt it

PUP-1627 Puppet agent's locking is subject to race conditions

SERVER-1999 Investigate puppet server CRL handling for atomicity

mentioned in: Page Loading...; Page Loading...; Page Loading...; Page Loading...

(3 mentioned in)