  1. Puppet Server
  2. SERVER-2641

Backport CRL API serialization


Details

    • Froyo
    • Enhancement
    • Puppet Server's CA API now synchronizes write access to the CRL, so that each revoke request updates the CRL in succession, instead of concurrently. This prevents corruption of the CRL due to competing requests.

      Note that this does _not_ affect the {{puppet cert}} command. If {{puppet cert revoke}} is used at the same time as a revocation request via the API, the CRL will still be updated simultaneously and could be corrupted.

      We recommend using the {{puppetserver ca}} command line tool -- which utilizes the CA API -- whenever possible to minimize this risk.
    • Needs Assessment

    Description

      For SERVER-115, we implemented a serialization of updates to the CRL from the Clojure CA. This ticket tracks backporting that work to Puppet Server 5 (the PE 2018.1 LTS).

      Note that the solution will be less effective in that stream, because users can still use puppet cert to update the CRL, and those updates are not subject to this locking. Users who experience frequent problems with CRL corruption due to concurrent updates should prefer using the API, either directly or via the puppetserver ca CLI.
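
A simplified model of the behaviour described above, added here as an example and not taken from Puppet Server's code: the CRL is modelled as a JSON list of revoked serials, and `write_crl`, `revoke`, `simulate`, the lock and the barrier are hypothetical names. A writer with `uses_lock=False` stands in for any update that bypasses the serialized path, and the barrier forces the overlapping read-modify-write window so the outcome is reproducible.

```python
import json, os, tempfile, threading

def write_crl(path, serials):
    # Atomic replace: the file is never half-written, so the only failure
    # modelled here is a lost revocation, not a truncated file.
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path))
    with os.fdopen(fd, "w") as f:
        json.dump(sorted(serials), f)
    os.replace(tmp, path)

def revoke(path, serial, lock, gate):
    """One read-modify-write of the list. lock=None models a writer that
    does not take the lock used by the serialized path (an assumption)."""
    def update():
        with open(path) as f:
            serials = set(json.load(f))
        try:
            gate.wait(timeout=1)  # hold the window open for overlapping writers
        except threading.BrokenBarrierError:
            pass
        serials.add(serial)
        write_crl(path, serials)
    if lock is None:
        update()
    else:
        with lock:
            update()

def simulate(writers):
    """writers: list of (serial, uses_lock). Returns the final revoked serials.
    Worst case: every writer that can be inside the window at once is."""
    path = os.path.join(tempfile.mkdtemp(), "crl.json")
    write_crl(path, [])
    lock = threading.Lock()
    locked = sum(1 for _, uses_lock in writers if uses_lock)
    gate = threading.Barrier(len(writers) - locked + min(locked, 1))
    threads = [threading.Thread(target=revoke,
                                args=(path, s, lock if uses_lock else None, gate))
               for s, uses_lock in writers]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path) as f:
        return json.load(f)

if __name__ == "__main__":
    print(simulate([(s, False) for s in (1, 2, 3, 4)]))  # no serialization
    print(simulate([(s, True) for s in (1, 2, 3, 4)]))   # every writer takes the lock
    print(simulate([(1, True), (2, False)]))             # one writer bypasses the lock
```

In the first and third runs only one serial survives, which in a real CRL means a certificate that was revoked is still trusted; a check that every requested serial appears in the published CRL after a batch of revocations catches this.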

            People

              justin Justin Stoller
              maggie Maggie Dreyer