Class: Puppet::SSL::StateMachine::NeedCRLs
Defined in: lib/puppet/ssl/state_machine.rb
Overview
If revocation is enabled, load CRLs or download them, using the CA bundle from the previous state, then transition to NeedKey. Even if certificate_revocation is set to leaf or chain, revocation checking is disabled for the connection that downloads the CRL, because (1) we may not have a CRL yet, and (2) the connection would fail if NeedCACerts downloaded a new CA for which we do not yet hold a CRL.
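As an added illustration of point (2) above (example code, not Puppet's own), the following builds an in-memory CA, leaf certificate and CRL with Ruby's OpenSSL bindings and verifies the leaf the way a root context with CRL checking enabled versus disabled would; all names, keys and serials are constructed.

```ruby
require 'openssl'
# Added example, not Puppet's code. CRL checking on stands in for certificate_revocation = leaf,
# off for a context built with crls: []. Keys, names and serials are all constructed here.
def make_cert(subject, key, serial, issuer: nil, issuer_key: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', issuer ? 'CA:FALSE' : 'CA:TRUE', true))
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256')) # sign returns the certificate
end
def make_crl(ca_cert, ca_key, revoked_serials)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = ca_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  revoked_serials.each do |serial|
    revoked = OpenSSL::X509::Revoked.new
    revoked.serial = serial
    revoked.time = Time.now - 30
    crl.add_revoked(revoked)
  end
  crl.sign(ca_key, OpenSSL::Digest.new('SHA256')) # sign returns the CRL
end
# Returns [verified?, OpenSSL error string] for the leaf against the given trust store.
def verify_leaf(cacerts, crls, leaf, check_crl:)
  store = OpenSSL::X509::Store.new
  cacerts.each { |c| store.add_cert(c) }
  crls.each { |c| store.add_crl(c) }
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK if check_crl
  [store.verify(leaf), store.error_string]
end
# The situation the overview warns about: a freshly downloaded CA with no CRL for it yet.
def demo
  ca_key, leaf_key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca_cert = make_cert('/CN=Constructed Puppet CA', ca_key, 1)
  leaf = make_cert('/CN=agent.example.test', leaf_key, 2, issuer: ca_cert, issuer_key: ca_key)
  crl = make_crl(ca_cert, ca_key, [3]) # revokes an unrelated serial, so the leaf stays valid
  { no_crl_on:  verify_leaf([ca_cert], [], leaf, check_crl: true),   # fails: no CRL to check
    no_crl_off: verify_leaf([ca_cert], [], leaf, check_crl: false),  # passes
    crl_on:     verify_leaf([ca_cert], [crl], leaf, check_crl: true) } # passes
end
```

With CRL checking enabled and no CRL held, OpenSSL rejects even a valid leaf ("unable to get certificate CRL"), which is why the CRL download itself must run with revocation disabled.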
Instance Attribute Summary
Attributes inherited from SSLState
Instance Method Summary
Methods inherited from SSLState
Constructor Details
This class inherits a constructor from Puppet::SSL::StateMachine::SSLState
Instance Method Details
#next_state ⇒ Object
```ruby
# File 'lib/puppet/ssl/state_machine.rb', line 86

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)

      crl_ttl = Puppet[:crl_refresh_interval]
      if crl_ttl
        last_update = @cert_provider.crl_last_update
        now = Time.now
        if last_update.nil? || now.to_i > last_update.to_i + crl_ttl
          # set last updated time first, then make a best effort to refresh
          @cert_provider.crl_last_update = now
          next_ctx = refresh_crl(next_ctx, last_update)
        end
      end
    else
      next_ctx = download_crl(@ssl_context, nil)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue OpenSSL::X509::CRLError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CRL is missing from the server'), e)
  else
    to_error(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
```