Puppet Server - SERVER-2424

CA CLI tool action for bootstrapping infra-crl


    • Type: Task
    • Status: Closed
    • Priority: Normal
    • Resolution: Fixed
    • Affects Version/s: None
    • Fix Version/s: SERVER 6.0.z, SERVER 6.y
    • Component/s: None
    • QA Risk Assessment: Needs Assessment


      When the infra-crl functionality is enabled, puppetserver expects three additional files to be present in order for the server to start: an inventory of the certnames of nodes considered to be "infrastructure", a map of those names to their serial numbers, and a CRL containing only the revocations from that list of nodes. These files are generated automatically in all cases by puppetserver ca setup and puppetserver ca import, but in Puppet Server's own bootstrapping code only if the setting is enabled the first time the server is started (it generates them along with the rest of the CA). Likewise, pre-6 versions of Puppet Server do not generate them at all, in FOSS or PE.

      This means that enabling this setting by default in PE will cause Puppet Server to fail to start when upgrading from 2018.1 to 2019.0+, because the expected files do not exist. Likewise, a FOSS user toggling the setting on would have to manually generate all three files before starting the server, not just the inventory file as documented.

      In PE, we manage the creation of the inventory file. In FOSS, we expect users to populate it themselves. We should add an action to the CA CLI that generates the other two files based on it: the mapping of certnames to serial numbers, and a new, empty CRL based on the chain of the existing full CRL.
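      The following is an added illustration of what such a CLI action would do, written in Ruby like the puppetserver-ca gem but not taken from it: it derives the certname-to-serial map from the inventory plus the already-signed node certs, and signs an empty CRL using the issuer and version of the existing full CRL. The inventory format (one certname per line), the hex serial output format, and the sample CA, node certs and full CRL are assumptions made for this example.

```ruby
require 'openssl'
# Inventory format (assumed here): one certname per line, blank lines ignored.
# Returns {certname => serial as hex}; raises if an infra node has no signed cert.
def build_infra_serials(inventory_text, signed_certs)
  inventory_text.lines.map(&:strip).reject(&:empty?).each_with_object({}) do |name, map|
    cert = signed_certs[name] or raise "no signed cert for infra node #{name}"
    map[name] = cert.serial.to_s(16)
  end
end

# Build and sign a CRL with the given issuer, version and revoked serials.
def sign_crl(issuer_name, version, ca_key, serials, lifetime = 5 * 365 * 86_400)
  crl = OpenSSL::X509::CRL.new
  crl.version = version
  crl.issuer = issuer_name
  crl.last_update = Time.now
  crl.next_update = Time.now + lifetime
  serials.each do |s|
    r = OpenSSL::X509::Revoked.new
    r.serial = s
    r.time = Time.now
    crl.add_revoked(r)
  end
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
end

# The proposed CLI step: a new, empty infra CRL on the full CRL's chain.
def build_empty_infra_crl(full_crl, ca_key)
  sign_crl(full_crl.issuer, full_crl.version, ca_key, [])
end

# --- constructed sample CA, node certs and full CRL so this runs offline ---
def make_cert(cn, serial, key, issuer_cert = nil, issuer_key = key)
  c = OpenSSL::X509::Certificate.new
  c.version, c.serial, c.public_key = 2, serial, key.public_key
  c.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  c.issuer = issuer_cert ? issuer_cert.subject : c.subject
  c.not_before, c.not_after = Time.now, Time.now + 3600
  c.sign(issuer_key, OpenSSL::Digest::SHA256.new)
end

def sample_ca
  ca_key = OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('Puppet CA: test', 1, ca_key)
  signed = { 'master.example' => 2, 'compiler1.example' => 3, 'agent.example' => 4 }
           .map { |cn, s| [cn, make_cert(cn, s, OpenSSL::PKey::RSA.new(2048), ca_cert, ca_key)] }.to_h
  full_crl = sign_crl(ca_cert.subject, 1, ca_key, [4]) # agent.example already revoked
  [ca_key, signed, full_crl]
end
```

      Note that the infra CRL starts empty even though the full CRL already carries a revocation: only revocations of nodes in the inventory belong in it, and none have happened yet.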




            • Assignee: Maggie Dreyer