Class: Puppet::SSL::StateMachine::NeedCRLs
Defined in: lib/puppet/ssl/state_machine.rb
Overview
If revocation is enabled, load the CRLs from disk or download them, using the CA bundle from the previous state, then transition to NeedKey. Even when Puppet[:certificate_revocation] is leaf or chain, revocation is disabled on the connection used to download the CRL, because 1) we may not have a CRL yet, or 2) the connection would fail if NeedCACerts downloaded a new CA for which we do not yet have a CRL.
Instance Attribute Summary
Attributes inherited from SSLState
Instance Method Summary
Methods inherited from SSLState
Constructor Details
This class inherits a constructor from Puppet::SSL::StateMachine::SSLState
Instance Method Details
#next_state ⇒ Object
```ruby
# File 'lib/puppet/ssl/state_machine.rb', line 66

def next_state
  Puppet.debug("Loading CRLs")

  case Puppet[:certificate_revocation]
  when :chain, :leaf
    crls = @cert_provider.load_crls
    if crls
      # CRLs already cached locally: build the root context from them
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
    else
      # No local CRLs yet: download them over the (revocation-disabled) context
      pem = Puppet::Rest::Routes.get_crls(CA_NAME, @ssl_context)
      crls = @cert_provider.load_crls_from_pem(pem)
      # verify crls before saving
      next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: crls)
      @cert_provider.save_crls(crls)
    end
  else
    Puppet.info("Certificate revocation is disabled, skipping CRL download")
    next_ctx = @ssl_provider.create_root_context(cacerts: ssl_context[:cacerts], crls: [])
  end

  NeedKey.new(@machine, next_ctx)
rescue Puppet::Rest::ResponseError => e
  if e.response.code.to_i == 404
    raise Puppet::Error.new(_('CRL is missing from the server'))
  else
    raise Puppet::Error.new(_('Could not download CRLs: %{message}') % { message: e.message }, e)
  end
end
```
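The "verify crls before saving" step above is the security-relevant part of this state: a downloaded CRL is only persisted once it has been validated against the CA bundle carried over from NeedCACerts. As an added example that is not Puppet's own code, the following plain OpenSSL sketch shows that check with a constructed CA and a forged CRL whose issuer name matches but whose signature does not; `make_ca`, `make_crl`, `verify_crls` and `verified_store` are hypothetical helpers, not Puppet APIs.

```ruby
require 'openssl'

# Constructed test CA (example code, not Puppet's): self-signed cert plus key.
def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{name}")
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

# Constructed (empty) CRL naming issuer_cert as issuer, signed with signing_key.
def make_crl(issuer_cert, signing_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer_cert.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(signing_key, OpenSSL::Digest.new('SHA256'))
  crl
end

# The "verify before saving" check: every CRL must be signed by a CA in the
# bundle, matched by issuer name. Raising here means nothing gets cached.
def verify_crls(cacerts, crls)
  crls.each do |crl|
    issuer = cacerts.find { |ca| ca.subject == crl.issuer }
    unless issuer && crl.verify(issuer.public_key)
      raise "CRL for #{crl.issuer} is not signed by a trusted CA"
    end
  end
  crls
end

# Root store with revocation checking enabled for the whole chain, built only
# from CA certs and CRLs that passed verify_crls.
def verified_store(cacerts, crls)
  store = OpenSSL::X509::Store.new
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  cacerts.each { |c| store.add_cert(c) }
  verify_crls(cacerts, crls).each { |crl| store.add_crl(crl) }
  store
end
```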