[PUP-8656] Agents should use the CRL bundle to verify the revocation status of their master - Puppet Tickets

Details

Type: Sub-task
Status: Closed
Priority: Normal
Resolution: Fixed
Affects Version/s: None
Fix Version/s: PUP 6.0.0
Component/s: None
Labels:
None

Template:
customfield_10700 244658
Team:
Server

Release Notes:
Bug Fix
Release Notes Summary:

Hide
With this change - if the user has distributed the CRL chain "out of band" - then the agent will successfully load it and use it to verify its connection to other Puppet infrastructure (for example the master). It expects the CRL chain to be one or more PEM encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat on in our External CA documentation: https://puppet.com/docs/puppet/5.5/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca

Show
With this change - if the user has distributed the CRL chain "out of band" - then the agent will successfully load it and use it to verify its connection to other Puppet infrastructure (for example the master). It expects the CRL chain to be one or more PEM encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat on in our External CA documentation: https://puppet.com/docs/puppet/5.5/config_ssl_external_ca.html#option-2-puppet-server-functioning-as-an-intermediate-ca

QA Risk Assessment:
Needs Assessment

Description

Once we are correctly saving the CRL bundles, we need to ensure that we're using the whole bundle to verify the credentials of our master. We might get this for free from SSL once we are saving the right data.

Attachments

Activity

People

Assignee:

Justin Stoller

Reporter:

Maggie Dreyer

Votes:

0 Vote for this issue

Watchers:

2 Start watching this issue

Dates

Created:

2018/04/06 12:19 PM

Updated:

2018/09/19 12:32 PM

Resolved:

2018/05/03 1:56 PM