[PA-73] Update ca-certs component to include gandi.net certs and rubygems root ca cert
Created: 2015/08/25  Updated: 2016/02/02  Resolved: 2015/11/18

Status: Closed
Project: Puppet Agent
Component/s: None
Affects Version/s: None
Fix Version/s: puppet-agent 1.3.0

Type: Task
Priority: Normal
Reporter: Past Haus
Assignee: Ryan McKern
Resolution: Fixed
Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
relates to PA-95 DigiCert Global Root cert missing in ... Closed
relates to PA-101 AIO's OpenSSL cannot make SSL connect... Closed
relates to PUP-3450 The module tool should embed and use ... Closed
Epic Link: PE should ship the certs required for the forge/other PL infra (only)
Story Points: 2
Sprint: RE 2015-09-09, RE 2015-09-23, RE 2015-10-07
Release Notes: New Feature
Release Notes Summary: Previously, puppet-agent on several platforms (e.g. Solaris, AIX, EL4, etc.) was unable to connect to the forge or rubygems due to not having local trusted certificate authorities to compare against. The puppet-agent package now includes a select number of CA certificates that allow puppet to make secure authenticated SSL connections, for example when using the puppet module tool to connect to the forge on OSX. This change affects all puppet-agent platforms except Windows.


In order to ensure that the puppet agent can still connect to the forge even if the SSL cert is changed for platforms such as OSX, AIX and Solaris, we should update the ca-cert component to include likely future certs, which OPS has zipped up in OPS-6537.

Comment by Past Haus [ 2015/08/25 ]

This could be adding each of the certs in the zip as a source to the ca-certs component and catting them all together in the build.

Comment by Ryan McKern [ 2015/09/01 ]

Verified that concatenating these together works as expected against forge.puppetlabs.com.

Comment by Ryan McKern [ 2015/10/01 ]

The use of the puppet-ca-bundle repo has been merged into the master branch of puppet-agent, and is tentatively scheduled for the 1.3.0 release of puppet-agent.

Comment by Ryan McKern [ 2015/10/05 ]

This has made it through numerous puppet-agent builds.
