Class: Puppet::SSL::StateMachine::NeedCACerts
- Defined in:
- lib/puppet/ssl/state_machine.rb
Overview
Load existing CA certs or download them. Transition to NeedCRLs.
Instance Attribute Summary
Attributes inherited from SSLState
Instance Method Summary
-
#initialize(machine) ⇒ NeedCACerts
constructor
A new instance of NeedCACerts.
- #next_state ⇒ Object
Methods inherited from SSLState
Constructor Details
#initialize(machine) ⇒ NeedCACerts
# File 'lib/puppet/ssl/state_machine.rb', line 35

# Enter the NeedCACerts state.
#
# No trusted CA bundle has been loaded yet, so the only TLS context that can
# be built here is an insecure one. It exists solely so that #next_state can
# reach the CA endpoint and fetch the bundle; nothing obtained over it is
# trusted until #next_state has checked it (against the configured
# fingerprint, when there is one) and built a root context from it.
#
# @param machine [Puppet::SSL::StateMachine] the owning state machine
def initialize(machine)
  # nil: there is no verified context to hand to the parent state yet
  # (the second argument presumably is SSLState's ssl_context — confirm there).
  super(machine, nil)
  @ssl_context = @ssl_provider.then(&:create_insecure_context)
end
Instance Method Details
#next_state ⇒ Object
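# File 'lib/puppet/ssl/state_machine.rb', line 40

# Obtain a trusted CA bundle and advance to NeedCRLs.
#
# A bundle already available from the cert provider is used as-is. Otherwise
# the bundle is downloaded over the insecure bootstrap context created in
# #initialize, so the download itself is unauthenticated: when a CA
# fingerprint is configured the downloaded PEM must match it before it is
# accepted, and the parsed certs are passed to create_root_context (which,
# per the in-line comment, is relied on to verify them) before they are
# saved. Without a configured fingerprint the first download is trusted as
# received.
#
# @return [NeedCRLs] the next state, carrying a root context built from the
#   CA bundle with revocation checking disabled (CRLs are fetched next)
# @return [Error] a terminal error state when the fingerprint does not match,
#   the certs cannot be parsed, or the download fails
def next_state
  Puppet.debug("Loading CA certs")

  cacerts = @cert_provider.load_cacerts
  if cacerts
    # Revocation is off here because the CRLs are only fetched in the next state.
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
  else
    # Both the route and the request use the insecure context: the peer is
    # not authenticated at this point.
    route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
    pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context)

    if @machine.ca_fingerprint
      actual_digest = Puppet::SSL::Digest.new(@machine.digest, pem).to_hex
      # The configured fingerprint is consumed as bare hex digits and
      # re-paired with ':' separators, presumably to match the form
      # Digest#to_hex returns — confirm there. A value that already contains
      # separators would be paired incorrectly and fail the comparison.
      expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase
      if actual_digest == expected_digest
        Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest })
      else
        e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest })
        # Was `e.` (a syntax error); the error state takes the message text.
        return Error.new(@machine, e.message, e)
      end
    end

    cacerts = @cert_provider.load_cacerts_from_pem(pem)
    # verify cacerts before saving
    next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false)
    @cert_provider.save_cacerts(cacerts)
  end

  NeedCRLs.new(@machine, next_ctx)
rescue OpenSSL::X509::CertificateError => e
  # Unparseable or otherwise invalid certs in the bundle.
  Error.new(@machine, e.message, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    to_error(_('CA certificate is missing from the server'), e)
  else
    to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e)
  end
end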