Class: Puppet::SSL::StateMachine::NeedCACerts Private

Inherits:

Object
SSLState
Puppet::SSL::StateMachine::NeedCACerts

Defined in:: lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Load existing CA certs or download them. Transition to NeedCRLs.

Instance Attribute Summary

Attributes inherited from SSLState

Instance Method Summary collapse

#initialize(machine) ⇒ NeedCACerts constructor private

A new instance of NeedCACerts.
#next_state ⇒ Object private

Methods inherited from SSLState

#log_error, #to_error

Constructor Details

#initialize(machine) ⇒ `NeedCACerts`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

Returns a new instance of NeedCACerts.

 46 47 48 49

# File 'lib/puppet/ssl/state_machine.rb', line 46 def initialize(machine) super(machine, nil) @ssl_context = @ssl_provider.create_insecure_context end

Instance Method Details

#next_state ⇒ `Object`

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98

# File 'lib/puppet/ssl/state_machine.rb', line 51 def next_state Puppet.debug("Loading CA certs") force_crl_refresh = false cacerts = @cert_provider.load_cacerts if cacerts next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false) now = Time.now last_update = @cert_provider.ca_last_update if needs_refresh?(now, last_update) # If we refresh the CA, then we need to force the CRL to be refreshed too,  # since if there is a new CA in the chain, then we need its CRL to check  # the full chain for revocation status.  next_ctx, force_crl_refresh = refresh_ca(next_ctx, last_update) end else route = @machine.session.route_to(:ca, ssl_context: @ssl_context) _, pem = route.get_certificate(Puppet::SSL::CA_NAME, ssl_context: @ssl_context) if @machine.ca_fingerprint actual_digest = @machine.digest_as_hex(pem) expected_digest = @machine.ca_fingerprint.scan(/../).join(':').upcase if actual_digest == expected_digest Puppet.info(_("Verified CA bundle with digest (%{digest_type}) %{actual_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest }) else e = Puppet::Error.new(_("CA bundle with digest (%{digest_type}) %{actual_digest} did not match expected digest %{expected_digest}") % { digest_type: @machine.digest, actual_digest: actual_digest, expected_digest: expected_digest }) return Error.new(@machine, e.message, e) end end cacerts = @cert_provider.load_cacerts_from_pem(pem) # verify cacerts before saving  next_ctx = @ssl_provider.create_root_context(cacerts: cacerts, revocation: false) @cert_provider.save_cacerts(cacerts) end NeedCRLs.new(@machine, next_ctx, force_crl_refresh) rescue OpenSSL::X509::CertificateError => e Error.new(@machine, e.message, e) rescue Puppet::HTTP::ResponseError => e if e.response.code == 404 to_error(_('CA certificate is missing from the server'), e) else to_error(_('Could not download CA certificate: %{message}') % { message: e.message }, e) end end