Puppet Server / SERVER-1866

SERVER-1866: Copy cacrl to hostcrl file immediately after cacrl file changes - Server 2.x

    Details

    • Type: Task
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 2.8.0
    • Component/s: None
    • Team:
      Froyo
    • Story Points:
      3
    • Sprint:
      Platform Core 2017-09-05, Server 2017-07-25, Platform Core 2017-08-08, Platform Core 2017-08-22
    • Release Notes:
      Not Needed
    • QA Risk Assessment:
      Automate

      Description

      When certificate revocation actions are performed on the server, the file corresponding to the Puppet cacrl file is updated. During CA service initialization at the next service startup, there is some logic which copies the cacrl file to the file corresponding to the hostcrl setting. In order to facilitate the ability for the CRL file to be updated at runtime – without requiring a reload / restart of Puppet Server – this ticket proposes the following:

      1) Use the trapperkeeper-filesystem-watcher service to listen for changes to the cacrl file.

      2) On receipt of a change, invoke the logic to copy the content of the cacrl file to the file at the hostcrl setting.

      This ticket would enable the work being done for TK-149 to refresh the CRL file being used by the Jetty webserver at runtime. Note that the work in this ticket would not be particularly useful without the work for TK-149 being in place first, so it would probably be best to start with TK-149.

      As a further optimization, we may consider adding functionality to the trapperkeeper-webserver-jetty9 API which would allow a consuming service like Puppet Server's certificate authority service to prod Jetty's CRL file to be reloaded. This may not be needed, though, if Puppet Server's CA has a listener for updates to the cacrl file and trapperkeeper-webserver-jetty9 has a listener for updates to the file given to it as the ssl-crl-path, which would ideally correspond to the hostcrl setting used by Puppet Server.
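The following is an added illustration of the copy-on-change step described above; it is not Puppet Server's own code (which is Clojure and would receive the change event from trapperkeeper-filesystem-watcher). Python stands in, the watcher is replaced by calling the `on_change` callback directly, and the file names and the PEM-shaped CRL bodies in `run_demo` are constructed placeholders, not real CRLs. It shows the two things a practitioner would want from this copy: the hostcrl file is replaced atomically (temp file plus rename) so a webserver watching it never reads a half-written CRL, and a change event that arrives while the cacrl writer is still mid-write, or that carries no new content, does not propagate a truncated file or trigger a redundant write.

```python
import hashlib
import os
import tempfile
from pathlib import Path
from typing import List

PEM_BEGIN = b"-----BEGIN X509 CRL-----"
PEM_END = b"-----END X509 CRL-----"


def looks_like_complete_crl(data: bytes) -> bool:
    """Cheap structural check so a half-written cacrl is never propagated.
    A real implementation would parse the CRL; checking the PEM framing is
    enough to catch a truncated write observed mid-way through."""
    stripped = data.strip()
    return stripped.startswith(PEM_BEGIN) and stripped.endswith(PEM_END)


def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def atomic_write(dest: Path, data: bytes) -> None:
    """Write to a temp file in dest's directory, fsync, then rename over dest,
    so a reader watching dest (e.g. a webserver reloading its CRL) only ever
    sees the old complete file or the new complete file."""
    fd, tmp = tempfile.mkstemp(dir=str(dest.parent), prefix=dest.name + ".")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        os.chmod(tmp, 0o644)
        os.replace(tmp, dest)
    except BaseException:
        try:
            os.unlink(tmp)
        except OSError:
            pass
        raise


class CrlSyncer:
    """Mirrors the cacrl file to the hostcrl file on each change notification.
    Path names are hypothetical; they stand for Puppet's cacrl/hostcrl settings."""

    def __init__(self, cacrl: Path, hostcrl: Path) -> None:
        self.cacrl = cacrl
        self.hostcrl = hostcrl

    def on_change(self) -> str:
        """The callback a filesystem watcher would invoke on a cacrl event.
        Returns a short status string describing what was done."""
        if self.cacrl.resolve() == self.hostcrl.resolve():
            return "same-file"  # both settings point at one file: nothing to copy
        try:
            data = self.cacrl.read_bytes()
        except FileNotFoundError:
            return "missing"
        if not looks_like_complete_crl(data):
            return "skipped-incomplete"  # writer still mid-write; wait for the next event
        if self.hostcrl.exists() and digest(self.hostcrl.read_bytes()) == digest(data):
            return "unchanged"  # avoid a redundant write that would re-fire the hostcrl watcher
        atomic_write(self.hostcrl, data)
        return "copied"


def run_demo() -> List[str]:
    """Simulate a sequence of cacrl events with constructed, non-real CRL data."""
    crl_v1 = PEM_BEGIN + b"\nMIIBAAcrl-v1\n" + PEM_END + b"\n"
    crl_v2 = PEM_BEGIN + b"\nMIIBAAcrl-v2\n" + PEM_END + b"\n"
    with tempfile.TemporaryDirectory() as d:
        cacrl = Path(d) / "ca_crl.pem"      # stands in for the cacrl setting
        hostcrl = Path(d) / "crl.pem"       # stands in for the hostcrl setting
        syncer = CrlSyncer(cacrl, hostcrl)
        results = []
        results.append(syncer.on_change())                  # event before cacrl exists
        cacrl.write_bytes(crl_v1)
        results.append(syncer.on_change())                  # first revocation propagated
        results.append(syncer.on_change())                  # spurious event, same content
        cacrl.write_bytes(crl_v2[: len(crl_v2) // 2])       # event fires while writer is mid-write
        results.append(syncer.on_change())                  # truncated CRL must not be copied
        cacrl.write_bytes(crl_v2)
        results.append(syncer.on_change())                  # complete new CRL propagated
        results.append("host-matches-v2" if hostcrl.read_bytes() == crl_v2 else "host-mismatch")
        return results


if __name__ == "__main__":
    print(run_demo())
```

The `unchanged` branch matters for the chaining the ticket describes: if the CA service copies on every event and the webserver watches hostcrl, a redundant write causes a redundant CRL reload; comparing digests keeps one cacrl change to one hostcrl write.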

              People

• Assignee: qa qa
• Reporter: jeremy.barlow Jeremy Barlow
• Votes: 0
• Watchers: 6
