Uploaded image for project: 'Puppet'
  1. Puppet
  2. PUP-9152

Agents should re-download CRLs when they are newer than the local copy

    Details

    • Type: Story
    • Status: Closed
    • Priority: Normal
    • Resolution: Duplicate
    • Affects Version/s: None
    • Fix Version/s: PUP 6.5.0
    • Component/s: None
    • Labels:
    • QA Risk Assessment:
      Needs Assessment

      Description

      While my agents are running, I expect them to check the CRL to see if it's been updated since the last download, and if so to get the latest one from the CA, so that they can correctly validate that the masters they are talking to are still valid.

      This is mostly relevant for agents talking to compile masters, which also get certificates from the CA. We don't want agents to try to talk to compile masters whose certificates have been revoked.

      See PUP-2310.

      Q: Do CRLs have TTLs that we could respect?
      A: Yes, but it's complicated and we probably should just check last modified.

      Details:

      So the plan going forward will be this (see https://github.com/puppetlabs/puppet/blob/76043d833f70d70fd2b5e3c43f13c5226223d8f9/lib/puppet/ssl/host.rb#L301):

      1.  From from `ssl_store` => `build_ssl_store`=> We will alter the `build_ssl_store` method to ALWAYS call the altered/renamed `download_and_save_crl_bundle` method. 

      2.  That will continue to call the `Puppet::Rest::Routes.get_crls` method, but the `get_crls` method will send a header (ex If-Modified-Since)*containing the last_modified timestamp of the current crl.  The /certificate_revocation_list/name* endpoint on puppetserver will then be altered to either accept a header with the timestamp and,

      • If the If-Modified-Since header  is present AND the timestamp is OLDER than the master's crl, will return the NEW crl to the agent in the response body and 200 response. 
      • If no If-Modified-Since header is included, the endpoint will function the same way as it currently functions.  
      • If the If-Modified-Since header is present AND the timestamp is EQUAL to or NEWER than the master's crl, will return an empty body and something like a 204 response.

      We need to decide if a header or query param is more appropriate for our case. Josh Cooper thoughts on this? See comment below.

      Acceptance Criteria:

      • The certificate_revocation_list/name endpoint on puppetserver continues to function as it always did if no If-Modified-Since header are received.
      • If the If-Modified-Since header  is passed to the above endpoint, it will return a crl if the timestamp provided is OLDER than the master crl file's timestamp.
      • If the If-Modified-Since header  is passed to the above endpoint, it will return an empty body (no crl) if the timestamp provided is EQUAL to or NEWER than the master crl file's timestamp.
      • New endpoint behavior with headers are documented.

        Attachments

          Issue Links

            Activity

              People

              • Assignee:
                Unassigned
                Reporter:
                justin Justin Stoller
              • Votes:
                0 Vote for this issue
                Watchers:
                11 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved:

                  Zendesk Support