Class: Puppet::SSL::StateMachine::NeedCACerts

Inherits:
SSLState
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

Load existing CA certs or download them. Transition to NeedCRLs.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

Methods inherited from SSLState

#to_error

Constructor Details

#initialize(machine) ⇒ NeedCACerts


# File 'lib/puppet/ssl/state_machine.rb', line 35

# Enter the bootstrap state with no trust anchors established yet.
#
# The machine is handed to SSLState with a nil context, and the state then
# creates an insecure (non-verifying) TLS context for itself. That context is
# what `next_state` uses to fetch the CA bundle before any CA is trusted, so
# nothing fetched through it is authenticated on its own.
#
# @param machine the owning state machine (presumably the caller's
#   Puppet::SSL::StateMachine; it is only passed through to super here)
def initialize(machine)
  super(machine, nil)
  # @ssl_provider is expected to be set up by the SSLState constructor.
  @ssl_context = @ssl_provider.create_insecure_context
end

Instance Method Details

#next_state ⇒ Object


# File 'lib/puppet/ssl/state_machine.rb', line 40

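# Load the CA bundle from disk or, on first contact, download it from the CA
# service and save it.
#
# The download goes over the insecure context created in `initialize`, so the
# bundle is not authenticated by TLS. If the machine was given a CA
# fingerprint, the downloaded PEM is rejected unless its digest matches;
# without a fingerprint the first bundle is trusted as received. Either way the
# bundle is only saved after `create_root_context` has accepted it.
#
# The fingerprint is compared in the same colon-separated, uppercase hex form
# the digest is rendered in; separators and case in the configured value are
# normalised, so "AB:CD:..." and "abcd..." are both accepted.
#
# @return [NeedCRLs] the next state, carrying a root context built from the CA
#   certs with revocation checking disabled (CRLs are handled by that state)
# @return [Error] when the fingerprint does not match, the bundle is not a
#   valid certificate, or the download fails
def next_state
  Puppet.debug("Loading CA certs")

  cacerts = @cert_provider.load_cacerts
  if cacerts
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
  else
    # @ssl_context is the insecure context from initialize: the server is not
    # verified here, which is why the fingerprint check below matters.
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
    if @machine.ca_fingerprint
      actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
      # Drop any ':' separators the operator included before re-pairing the
      # hex digits; previously a colon-separated fingerprint could never match.
      expected_digest = @machine.ca_fingerprint.delete(':').scan(/../).join(':').upcase
      if actual_digest == expected_digest
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                    { digest_type: @machine.digest, actual_digest: actual_digest })
      else
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest })
        return Error.new(@machine, e.message, e)
      end
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)
    # Build the root context first so an unparseable or otherwise rejected
    # bundle raises before anything is written to disk.
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end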