Class: Puppet::SSL::StateMachine::NeedCACerts Private

Inherits:
SSLState
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Load existing CA certs or download them. Transition to NeedCRLs.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

Methods inherited from SSLState

#log_error, #to_error

Constructor Details

#initialize(machine) ⇒ NeedCACerts

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of NeedCACerts.



# File 'lib/puppet/ssl/state_machine.rb', line 46

# Enter the state with a context that carries no trust anchors: no CA
# bundle has been loaded yet, so nothing could be verified at this point.
# The superclass constructor is assumed to assign @ssl_provider (SSLState
# is not shown here).
#
# @param machine [Object] the owning state machine (presumably
#   Puppet::SSL::StateMachine)
def initialize(machine)
  super(machine, nil)
  provider = @ssl_provider
  @ssl_context = provider.create_insecure_context
end

Instance Method Details

#next_state ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.



# File 'lib/puppet/ssl/state_machine.rb', line 51

# Load the CA bundle from disk, or download it from the CA when none is
# cached, and hand a root context on to the NeedCRLs state.
#
# Two paths:
# * A cached bundle is loaded into a root context built with
#   `revocation: false` (CRLs are dealt with by the next state) and is
#   refreshed via #refresh_ca when #needs_refresh? says so. A CA refresh
#   also forces a CRL refresh, because a new CA in the chain needs its CRL
#   before the full chain can be checked for revocation status.
# * With no cached bundle, the bundle is fetched over @ssl_context, which
#   #initialize built with create_insecure_context. That download is
#   therefore not authenticated by TLS; the only integrity check is the
#   optional ca_fingerprint comparison below, and when no fingerprint is
#   configured the bundle is trusted on first use. The bundle is parsed
#   into a root context (presumably raising CertificateError on a bad
#   cert, caught below) before it is written to disk.
#
# @return [NeedCRLs] on success
# @return [Error] when the fingerprint does not match, a certificate is
#   invalid, or the download fails
def next_state
  Puppet.debug("Loading CA certs")

  crl_refresh_required = false
  cacerts = @cert_provider.load_cacerts

  if cacerts
    root_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)

    now = Time.now
    last_update = @cert_provider.ca_last_update
    # A refreshed CA may introduce a chain member whose CRL we do not hold
    # yet, so the CRL state has to refresh as well.
    root_ctx, crl_refresh_required = refresh_ca(root_ctx, last_update) if needs_refresh?(now, last_update)
  else
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    _name, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)

    if @machine.ca_fingerprint
      actual = @machine.digest_as_hex(pem)
      # The configured fingerprint is re-paired into colon-separated
      # upper-case hex, presumably the layout digest_as_hex emits.
      # NOTE(review): scan(/../) assumes a bare hex string; a value given
      # with separators would be paired wrongly — confirm the caller
      # strips them.
      expected = @machine.ca_fingerprint.scan(/../).join(':').upcase
      unless actual == expected
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual, expected_digest: expected })
        return Error.new(@machine, e.message, e)
      end

      Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                  { digest_type: @machine.digest, actual_digest: actual })
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)
    # Build the context first so an invalid bundle is rejected before it
    # is persisted.
    root_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, root_ctx, crl_refresh_required)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  return to_error(_('CA certificate is missing from the server'), e) if e.response.code == 404

  to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
end