Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-2641

Backport CRL API serialization

    XMLWordPrintable

    Details

    • Template:
    • Team:
      Froyo
    • Release Notes:
      Enhancement
    • Release Notes Summary:
      Hide
      Puppet Server's CA API now synchronizes write access to the CRL, so that each revoke request updates the CRL in succession, instead of concurrently. This prevents corruption of the CRL due to competing requests.

      Note that this does _not_ affect the {{puppet cert}} command. If {{puppet cert revoke}} is used at the same time as a revocation request via the API, the CRL will still be updated simultaneously and could be corrupted.

      We recommend using the {{puppetserver ca}} command line tool -- which utilizes the CA API -- whenever possible to minimize this risk.
      Show
      Puppet Server's CA API now synchronizes write access to the CRL, so that each revoke request updates the CRL in succession, instead of concurrently. This prevents corruption of the CRL due to competing requests. Note that this does _not_ affect the {{puppet cert}} command. If {{puppet cert revoke}} is used at the same time as a revocation request via the API, the CRL will still be updated simultaneously and could be corrupted. We recommend using the {{puppetserver ca}} command line tool -- which utilizes the CA API -- whenever possible to minimize this risk.
    • QA Risk Assessment:
      Needs Assessment

      Description

      For SERVER-115, we implemented a serialization of updates to the CRL from the Clojure CA. This ticket tracks backporting that work to Puppet Server 5 (the PE 2018.1 LTS).

      Note that the solution will be less effective in that stream, because users can still use puppet cert to update the CRL, and those updates are not subject to this locking. Users who experience frequent problems with CRL corruption due to concurrent updates should prefer using the API, either directly or via the puppetserver ca CLI.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              justin Justin Stoller
              Reporter:
              maggie Maggie Dreyer
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Zendesk Support