[SERVER-2943] Allow clj-http-client to optionally load system stores from agent's bundle - Puppet Jira Server

XML

Word

Printable

Details

Type: Task
Status: Resolved
Priority: Normal
Resolution: Duplicate
Affects Version/s: None
Fix Version/s: None
Component/s: None
Labels:
None

Epic Link:
Use System cert store
Team:
Froyo
Story Points:
3
Sprint:
Froyo - 4/27/2022

QA Risk Assessment:
Needs Assessment

Description

Currently, jvm-ssl-utils can only create SSL contexts that have Puppet's internal certs and keys added. Users want to be able to use an SSLContext that also trusts certificates in the system keystore. Puppet's new HTTP client API provides a flag, include_system_store, that should enable this mode.

We need to change the spot where we create our SSL context to optionally allow including certs from the system store (in addition to the Puppet certs). These are installed with puppet-agent as a bundle to /opt/puppetlabs/puppet/ssl/cert.pem. This may or may not require updates to jvm-ssl-utils.

In order to facilitate testing, this should be implemented so that the path to the certs is configurable, and doesn't try to just hard-code the location of the additional certs to be loaded.

Attachments

Issue Links

blocks

SERVER-1543 com.puppetlabs.http.client should allow adding certificates to supplement Puppet CA

Resolved

SERVER-2944 Make puppetserver http client respect `include_system_store` option

Resolved

Activity

People

Assignee:: Justin Stoller

Reporter:: Maggie Dreyer

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2021/01/19 2:48 PM

Updated:: 2022/04/27 10:13 AM

Resolved:: 2022/04/27 10:13 AM