Agents should be able to use CA and CRL bundles (PUP-8652)

[PUP-8656] Agents should use the CRL bundle to verify the revocation status of their master Created: 2018/04/06  Updated: 2018/09/19  Resolved: 2018/05/03

Status: Closed
Project: Puppet
Component/s: None
Affects Version/s: None
Fix Version/s: PUP 6.0.0

Type: Sub-task Priority: Normal
Reporter: Maggie Dreyer Assignee: Justin Stoller
Resolution: Fixed Votes: 0
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Team: Server
Release Notes: Bug Fix
Release Notes Summary: With this change, if the user has distributed the CRL chain "out of band", the agent will successfully load it and use it to verify its connection to other Puppet infrastructure (for example the master). It expects the CRL chain to be one or more PEM-encoded CRLs concatenated together (the same format as a cert bundle). This fixes the "Agent-side CRL checking is not possible" caveat in our External CA documentation:
QA Risk Assessment: Needs Assessment


Once we are correctly saving the CRL bundles, we need to ensure that we're using the whole bundle to verify the credentials of our master. We might get this for free from SSL once we are saving the right data.
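
Worked example (added here; this is not Puppet's code) of what "using the whole bundle" means in practice, using the Ruby OpenSSL bindings the agent is built on. It splits a concatenated PEM CRL bundle into individual CRLs, loads all of them plus the CA bundle into one trust store with CRL checking for the whole chain, and verifies a server cert three ways: a good cert against the full bundle, a revoked cert against the full bundle, and the good cert against a bundle where only the first CRL was loaded (what a naive single-PEM loader would see). The two-level PKI, the throwaway keys, and the names (Demo Root CA, puppet.example.com) are constructed inside the script and are hypothetical.

```ruby
require 'openssl'

# Added example, not Puppet code. Loads a PEM CRL bundle ("CRL chain": one or
# more PEM-encoded CRLs concatenated, same layout as a cert bundle) and uses
# every CRL in it to check a server cert, as the ticket asks of the agent.

DIGEST = 'SHA256'.freeze

# OpenSSL::X509::CRL.new (like OpenSSL::X509::Certificate.new) parses only the
# first PEM block it is handed, so a bundle has to be split block by block.
def pem_blocks(pem, label)
  pem.scan(/-----BEGIN #{label}-----.*?-----END #{label}-----/m)
end

def load_cert_bundle(pem)
  pem_blocks(pem, 'CERTIFICATE').map { |b| OpenSSL::X509::Certificate.new(b) }
end

def load_crl_bundle(pem)
  pem_blocks(pem, 'X509 CRL').map { |b| OpenSSL::X509::CRL.new(b) }
end

# Trust store holding every CA cert and every CRL from the two bundles.
# CRL_CHECK_ALL makes OpenSSL require a CRL for every CA in the chain, not
# only for the CA that issued the end-entity cert.
def build_store(ca_bundle_pem, crl_bundle_pem)
  store = OpenSSL::X509::Store.new
  load_cert_bundle(ca_bundle_pem).each { |c| store.add_cert(c) }
  load_crl_bundle(crl_bundle_pem).each { |crl| store.add_crl(crl) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  store
end

# Verify a server cert against the store. Returns [ok, verify error code].
def verify_server_cert(store, cert)
  ctx = OpenSSL::X509::StoreContext.new(store, cert)
  ok = ctx.verify
  [ok, ok ? OpenSSL::X509::V_OK : ctx.error]
end

# --- Constructed fixture: a root CA, an intermediate CA, one valid and one
# revoked server cert. Throwaway keys generated at run time; hypothetical names.
def make_cert(cn, key, serial, issuer_cert, issuer_key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.new([['CN', cn]])
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer_cert || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.add_extension(ef.create_extension('keyUsage', ca ? 'keyCertSign,cRLSign' : 'digitalSignature', true))
  cert.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
end

def make_crl(issuer_cert, issuer_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    entry = OpenSSL::X509::Revoked.new
    entry.serial = serial
    entry.time = Time.now - 30
    crl.add_revoked(entry)
  end
  crl.sign(issuer_key, OpenSSL::Digest.new(DIGEST))
end

def demo
  root_key, int_key, good_key, bad_key = Array.new(4) { OpenSSL::PKey::RSA.new(2048) }
  root  = make_cert('Demo Root CA', root_key, 1, nil, root_key, true)
  inter = make_cert('Demo Intermediate CA', int_key, 2, root, root_key, true)
  good  = make_cert('puppet.example.com', good_key, 3, inter, int_key, false)
  bad   = make_cert('old-puppet.example.com', bad_key, 4, inter, int_key, false)

  ca_bundle  = root.to_pem + inter.to_pem
  root_crl   = make_crl(root, root_key, [])
  int_crl    = make_crl(inter, int_key, [4])
  crl_bundle = root_crl.to_pem + int_crl.to_pem   # the concatenated "CRL chain"

  full      = build_store(ca_bundle, crl_bundle)
  truncated = build_store(ca_bundle, root_crl.to_pem)  # only the first CRL survives
  {
    crl_count: load_crl_bundle(crl_bundle).size,       # 2
    good:      verify_server_cert(full, good),          # [true, V_OK]
    revoked:   verify_server_cert(full, bad),           # [false, V_ERR_CERT_REVOKED]
    truncated: verify_server_cert(truncated, good)      # [false, V_ERR_UNABLE_TO_GET_CRL]
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The third result is the one the ticket is about: with only the first CRL of the chain loaded, OpenSSL cannot find a CRL for the intermediate that issued the master's cert and fails closed with V_ERR_UNABLE_TO_GET_CRL, so every CRL in the bundle must be loaded, not just the first PEM block.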

Comment by Justin Stoller [ 2018/05/03 ]

Passed CI here:

Generated at Sat May 25 18:34:01 PDT 2019 using JIRA 7.7.1#77002-sha1:e75ca93d5574d9409c0630b81c894d9065296414.