Uploaded image for project: 'Puppet Server'
  1. Puppet Server
  2. SERVER-346

More surgical update of hostcrl from cacrl setting

    XMLWordPrintable

Details

    • Bug
    • Status: Closed
    • Normal
    • Resolution: Won't Fix
    • SERVER 1.0.2
    • None
    • Puppet Server

    Description

      It is "possible", although I'm not sure how likely, that the file at the "hostcrl" setting referenced by puppet.conf could have multiple CRLs in it. This could be done to allow clients issued from different CAs to be validated against CRLs which belong to those CAs. If this were the case, the file at the "hostcrl" location might be different from the one at the "cacrl" setting, where the latter one would just be the immediate CRL associated with the Puppet CA's certificate and not a list of CRLs.

      Prior to the work done for SERVER-85, the CRL that the webserver would use, in the event it were not set explicitly in the webserver.conf file, would be the one controlled by the "cacrl" setting. After the work done in SERVER-85, the CRL that the webserver would use would derive from the "hostcrl" setting. In theory, this would allow for the "hostcrl" and "cacrl" to represent different files. The implementation for SERVER-85, however, unconditionally copies the "cacrl" file over the top of the "hostcrl" file - see retrieve-ca-crl! in certificate_authority.clj.

      In order to support the use case of having multiple CRLs for webserver validation in one file but to update the Puppet CA CRL to pick up newly issued CRLs (e.g., with new client certificate revocations), it would be better for the logic in retrieve-ca-crl! to surgically update just the CRL from the "cacrl" file while leaving any other CRLs which might be in the "localcacrl" file alone. The CA Authority Key Identifier (AKI) extension might be a reasonable way to match up the CRLs between the two files as it is intended to be unique per CA.

      The implementation for this wouldn't need to be restricted to the original file at the "hostcrl" setting already having multiple CRLs in it before the synchronization were done. Even if the "hostcrl" file had only one file in it to start and the corresponding "cacrl" file had one or more CRLs in it that were issued from an AKI that is different than the one in the "hostcrl" file, the synchronization process should preserve the original CRL PEM in the "hostcrl" file, adding on the CRL PEMs from the "cacrl" file.

      Attachments

        Issue Links

          relates to

          Bug - A problem which impairs or prevents the functions of the product. SERVER-345 Fixup usages of cacert / localcacert in master

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Bug - A problem which impairs or prevents the functions of the product. SERVER-1181 check if it's valid to sync cacrl to hostcrl before doing so

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Closed

          Task - A task that needs to be done. SERVER-85 Consider synchronizing hostcrl with cacrl during startup

          • Normal - Regular issue, some loss of functionality under specific circumstances.
          • Closed

          Activity

            People

              Unassigned Unassigned
              jeremy.barlow Jeremy Barlow
              Erik Dasher Erik Dasher
              Votes:
              1 Vote for this issue
              Watchers:
              6 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved:

                Zendesk Support