Class: Puppet::SSL::StateMachine::NeedCACerts Private

Inherits:
SSLState show all
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Load existing CA certs or download them. Transition to NeedCRLs.

Instance Attribute Summary

Attributes inherited from SSLState

#ssl_context

Instance Method Summary collapse

Methods inherited from SSLState

#to_error

Constructor Details

#initialize(machine) ⇒ NeedCACerts

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of NeedCACerts.


35
36
37
38
# File 'lib/puppet/ssl/state_machine.rb', line 35

def initialize(machine)
  super(machine, nil)
  @ssl_context = @ssl_provider.create_insecure_context
end

Instance Method Details

#next_stateObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
# File 'lib/puppet/ssl/state_machine.rb', line 40

def next_state
  Puppet.debug("Loading CA certs")

  cacerts = @cert_provider.load_cacerts
  if cacerts
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
  else
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)
    if @machine.ca_fingerprint
      actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
      expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
      if actual_digest == expected_digest
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") %
                    { digest_type: @machine.digest, actual_digest: actual_digest })
      else
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest })
        return Error.new(@machine, e.message, e)
      end
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)
    # verify cacerts before saving
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end