Class: Puppet::SSL::StateMachine::NeedCert Private

Inherits:
KeySSLState show all
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Attempt to load or retrieve our signed cert.

Instance Attribute Summary

Attributes inherited from KeySSLState

#private_key

Attributes inherited from SSLState

#ssl_context

Instance Method Summary collapse

Methods inherited from KeySSLState

#initialize

Methods inherited from SSLState

#initialize, #log_error, #to_error

Constructor Details

This class inherits a constructor from Puppet::SSL::StateMachine::KeySSLState

Instance Method Details

#next_stateObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future. 



335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
 
# File 'lib/puppet/ssl/state_machine.rb', line 335

def next_state
  Puppet.debug(_("Downloading client certificate"))

  route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
  cert = OpenSSL::X509::Certificate.new(
    route.get_certificate(Puppet[:certname], ssl_context: @ssl_context)[1]
  )
  Puppet.info _("Downloaded certificate for %{name} from %{url}") % { name: Puppet[:certname], url: route.url }
  # verify client cert before saving
  next_ctx = @ssl_provider.create_context(
    cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
  )
  @cert_provider.save_client_cert(Puppet[:certname], cert)
  @cert_provider.delete_request(Puppet[:certname])
  Done.new(@machine, next_ctx)
rescue Puppet::SSL::SSLError => e
  Error.new(@machine, e.message, e)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, _("Failed to parse certificate: %{message}") % { message: e.message }, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    Puppet.info(_("Certificate for %{certname} has not been signed yet") % { certname: Puppet[:certname] })
    $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
    Wait.new(@machine)
  else
    to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
             { certname: Puppet[:certname], message: e.response.message }, e)
  end
end