Class: Puppet::SSL::StateMachine::NeedCACerts

Inherits:

SSLState

• Object
• SSLState
• Puppet::SSL::StateMachine::NeedCACerts

Defined in:

lib/puppet/ssl/state_machine.rb

Overview

Load existing CA certs or download them. Transition to NeedCRLs.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

• #initialize(machine) ⇒ NeedCACerts constructor

  A new instance of NeedCACerts.

• #next_state ⇒ Object

Methods inherited from SSLState

#to_error

Constructor Details

#initialize(machine) ⇒ NeedCACerts

Returns a new instance of NeedCACerts.

# File 'lib/puppet/ssl/state_machine.rb', line 35

def initialize(machine)
  super(machine, nil)
  @ssl_context = @ssl_provider.create_insecure_context
end

Instance Method Details

#next_state ⇒ Object

# File 'lib/puppet/ssl/state_machine.rb', line 40

def next_state
  Puppet.debug("Loading CA certs")

  cacerts = @cert_provider.load_cacerts
  if cacerts
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
  else
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
    if @machine.ca_fingerprint
      actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
      expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
      if actual_digest == expected_digest
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                    { digest_type: @machine.digest, actual_digest: actual_digest })
      else
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest })
        return Error.new(@machine, e.message, e)
      end
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)    # verify cacerts before saving

    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end