Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-346

More surgical update of hostcrl from cacrl setting



    • Bug
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • SERVER 1.0.2
    • None
    • Puppet Server


      It is "possible", although I'm not sure how likely, that the file at the "hostcrl" setting referenced by puppet.conf could have multiple CRLs in it. This could be done to allow clients issued from different CAs to be validated against CRLs which belong to those CAs. If this were the case, the file at the "hostcrl" location might be different from the one at the "cacrl" setting, where the latter one would just be the immediate CRL associated with the Puppet CA's certificate and not a list of CRLs.

      Prior to the work done for SERVER-85, the CRL that the webserver would use, in the event it were not set explicitly in the webserver.conf file, would be the one controlled by the "cacrl" setting. After the work done in SERVER-85, the CRL that the webserver would use would derive from the "hostcrl" setting. In theory, this would allow for the "hostcrl" and "cacrl" to represent different files. The implementation for SERVER-85, however, unconditionally copies the "cacrl" file over the top of the "hostcrl" file - see retrieve-ca-crl! in certificate_authority.clj.

      In order to support the use case of having multiple CRLs for webserver validation in one file but to update the Puppet CA CRL to pick up newly issued CRLs (e.g., with new client certificate revocations), it would be better for the logic in retrieve-ca-crl! to surgically update just the CRL from the "cacrl" file while leaving any other CRLs which might be in the "localcacrl" file alone. The CA Authority Key Identifier (AKI) extension might be a reasonable way to match up the CRLs between the two files as it is intended to be unique per CA.

      The implementation for this wouldn't need to be restricted to the original file at the "hostcrl" setting already having multiple CRLs in it before the synchronization were done. Even if the "hostcrl" file had only one file in it to start and the corresponding "cacrl" file had one or more CRLs in it that were issued from an AKI that is different than the one in the "hostcrl" file, the synchronization process should preserve the original CRL PEM in the "hostcrl" file, adding on the CRL PEMs from the "cacrl" file.


        Issue Links



              Unassigned Unassigned
              jeremy.barlow Jeremy Barlow
              Erik Dasher Erik Dasher
              1 Vote for this issue
              6 Start watching this issue



                Zendesk Support