  1. Puppet
  2. PUP-8652 Agents should be able to use CA and CRL bundles
  3. PUP-8656

Agents should use the CRL bundle to verify the revocation status of their master

Details

    • Sub-task
    • Status: Closed
    • Normal
    • Resolution: Fixed
    • None
    • PUP 6.0.0
    • None
    • None
    • Froyo
    • Bug Fix
    • With this change - if the user has distributed the CRL chain "out of band" - then the agent will successfully load it and use it to verify its connection to other Puppet infrastructure (for example the master). It expects the CRL chain to be one or more PEM encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in our External CA documentation: https://puppet.com/docs/puppet/5.5/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca
    • Needs Assessment

    Description

      Once we are correctly saving the CRL bundles, we need to ensure that we're using the whole bundle to verify the credentials of our master. We might get this for free from SSL once we are saving the right data.
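
The behaviour described above can be reproduced with Ruby's OpenSSL bindings. The following is an added example, not code from this ticket or from Puppet: it splits a bundle of concatenated PEM CRLs and verifies a server certificate with revocation checking enabled for every certificate in the chain. The function names and the throwaway root / intermediate / master PKI built by `issue_cert` and `issue_crl` are constructed for illustration.

```ruby
require 'openssl'

CRL_PEM = /-----BEGIN X509 CRL-----.*?-----END X509 CRL-----/m

# Split a bundle (PEM CRLs concatenated, same layout as a cert bundle) into CRL objects.
def load_crl_bundle(pem)
  pem.scan(CRL_PEM).map { |block| OpenSSL::X509::CRL.new(block) }
end

# Verify +peer+ up to +root+, checking revocation for every cert in the chain.
# Returns [ok, OpenSSL verify error code].
def verify_with_crl_bundle(peer, intermediates, root, bundle_pem)
  store = OpenSSL::X509::Store.new
  store.add_cert(root)
  load_crl_bundle(bundle_pem).each { |crl| store.add_crl(crl) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  [store.verify(peer, intermediates), store.error]
end

# Constructed helpers (hypothetical): build a throwaway PKI to exercise the check.
def issue_cert(cn, serial, issuer = nil, issuer_key = nil, ca: false)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  bc = OpenSSL::X509::ExtensionFactory.new.create_extension('basicConstraints', 'CA:TRUE', true)
  cert.add_extension(bc) if ca
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

def issue_crl(ca_cert, ca_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end
```

With `V_FLAG_CRL_CHECK_ALL` set, a bundle that holds only the CRL covering the master's certificate fails with `V_ERR_UNABLE_TO_GET_CRL`, because no CRL is available for the intermediate CA's own certificate. A bundle whose root CRL lists the intermediate's serial fails with `V_ERR_CERT_REVOKED`.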

          People

            justin Justin Stoller
            maggie Maggie Dreyer