Class: Puppet::SSL::StateMachine::NeedCert Private

Inherits:
KeySSLState show all
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Attempt to load or retrieve our signed cert.

Instance Attribute Summary

Attributes inherited from KeySSLState

#private_key

Attributes inherited from SSLState

#ssl_context

Instance Method Summary collapse

Methods inherited from KeySSLState

#initialize

Methods inherited from SSLState

#initialize, #to_error

Constructor Details

This class inherits a constructor from Puppet::SSL::StateMachine::KeySSLState

Instance Method Details

#next_stateObject

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.


232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
# File 'lib/puppet/ssl/state_machine.rb', line 232

def next_state
  Puppet.debug(_("Downloading client certificate"))

  route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
  cert = OpenSSL::X509::Certificate.new(
    route.get_certificate(Puppet[:certname], ssl_context: @ssl_context)[1]
  )
  Puppet.info _("Downloaded certificate for %{name} from %{url}") % { name: Puppet[:certname], url: route.url }
  # verify client cert before saving
  next_ctx = @ssl_provider.create_context(
    cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
  )
  @cert_provider.save_client_cert(Puppet[:certname], cert)
  @cert_provider.delete_request(Puppet[:certname])
  Done.new(@machine, next_ctx)
rescue Puppet::SSL::SSLError => e
  Error.new(@machine, e.message, e)
rescue OpenSSL::X509::CertificateError => e
  Error.new(@machine, _("Failed to parse certificate: %{message}") % {message: e.message}, e)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    Puppet.info(_("Certificate for %{certname} has not been signed yet") % {certname: Puppet[:certname]})
    $stdout.puts _("Couldn't fetch certificate from CA server; you might still need to sign this agent's certificate (%{name}).") % { name: Puppet[:certname] }
    Wait.new(@machine)
  else
    to_error(_("Failed to retrieve certificate for %{certname}: %{message}") %
             {certname: Puppet[:certname], message: e.response.message}, e)
  end
end