lib/puppet/ssl/host.rb in puppet-3.1.1 vs lib/puppet/ssl/host.rb in puppet-3.2.0.rc1
- old
+ new
@@ -14,11 +14,14 @@
Certificate = Puppet::SSL::Certificate
CertificateRequest = Puppet::SSL::CertificateRequest
CertificateRevocationList = Puppet::SSL::CertificateRevocationList
extend Puppet::Indirector
- indirects :certificate_status, :terminus_class => :file
+ indirects :certificate_status, :terminus_class => :file, :doc => <<DOC
+ This indirection represents the host that ties a key, certificate, and certificate request together.
+ The indirection key is the certificate CN (generally a hostname).
+DOC
attr_reader :name
attr_accessor :ca
attr_writer :key, :certificate, :certificate_request
@@ -154,24 +157,16 @@
def certificate_request
@certificate_request ||= CertificateRequest.indirection.find(name)
end
- def this_csr_is_for_the_current_host
- name == Puppet[:certname].downcase
- end
-
- def this_csr_is_for_the_current_host
- name == Puppet[:certname].downcase
- end
-
# Our certificate request requires the key but that's all.
def generate_certificate_request(options = {})
generate_key unless key
- # If this is for the current machine...
- if this_csr_is_for_the_current_host
+ # If this CSR is for the current machine...
+ if name == Puppet[:certname].downcase
# ...add our configured dns_alt_names
if Puppet[:dns_alt_names] and Puppet[:dns_alt_names] != ''
options[:dns_alt_names] ||= Puppet[:dns_alt_names]
elsif Puppet::SSL::CertificateAuthority.ca? and fqdn = Facter.value(:fqdn) and domain = Facter.value(:domain)
options[:dns_alt_names] = "puppet, #{fqdn}, puppet.#{domain}"
@@ -255,14 +250,16 @@
# Use the file path here, because we don't want to cause
# a lookup in the middle of setting our ssl connection.
@ssl_store.add_file(Puppet[:localcacert])
- # If there's a CRL, add it to our store.
- if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
- @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK if Puppet.settings[:certificate_revocation]
- @ssl_store.add_crl(crl.content)
+ # If we're doing revocation and there's a CRL, add it to our store.
+ if Puppet.settings[:certificate_revocation]
+ if crl = Puppet::SSL::CertificateRevocationList.indirection.find(CA_NAME)
+ @ssl_store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
+ @ssl_store.add_crl(crl.content)
+ end
end
return @ssl_store
end
@ssl_store
end
@@ -282,29 +279,29 @@
# we should deprecate it and transition people to using
# pson[:fingerprints][:default]
# It appears that we have no internal consumers of this api
# --jeffweiss 30 aug 2012
pson_hash[:fingerprint] = thing_to_use.fingerprint
-
+
# The above fingerprint doesn't tell us what message digest algorithm was used
# No problem, except that the default is changing between 2.7 and 3.0. Also, as
# we move to FIPS 140-2 compliance, MD5 is no longer allowed (and, gasp, will
# segfault in rubies older than 1.9.3)
# So, when we add the newer fingerprints, we're explicit about the hashing
# algorithm used.
# --jeffweiss 31 july 2012
pson_hash[:fingerprints] = {}
pson_hash[:fingerprints][:default] = thing_to_use.fingerprint
-
- suitable_message_digest_algorithms.each do |md|
+
+ suitable_message_digest_algorithms.each do |md|
pson_hash[:fingerprints][md] = thing_to_use.fingerprint md
end
pson_hash[:dns_alt_names] = thing_to_use.subject_alt_names
pson_hash.to_pson(*args)
end
-
+
# eventually we'll probably want to move this somewhere else or make it
# configurable
# --jeffweiss 29 aug 2012
def suitable_message_digest_algorithms
[:SHA1, :SHA256, :SHA512]
@@ -317,11 +314,11 @@
generate
return if certificate
rescue SystemExit,NoMemoryError
raise
rescue Exception => detail
- Puppet.log_exception(detail, "Could not request certificate: #{detail}")
+ Puppet.log_exception(detail, "Could not request certificate: #{detail.message}")
if time < 1
puts "Exiting; failed to retrieve certificate and waitforcert is disabled"
exit(1)
else
sleep(time)
@@ -338,10 +335,10 @@
sleep time
begin
break if certificate
Puppet.notice "Did not receive certificate"
rescue StandardError => detail
- Puppet.log_exception(detail, "Could not request certificate: #{detail}")
+ Puppet.log_exception(detail, "Could not request certificate: #{detail.message}")
end
end
end
def state