authorLuke Kanies <luke@madstop.com>2008-11-03 22:05:20 -0600
committerLuke Kanies <luke@madstop.com>2008-11-03 22:06:27 -0600
commit7fdf2bb23fbc5a3cb2468fb6b980eaf556d29c64 (patch)
tree136e8f20db596e22832d687c65998fa0585ef451
parenta00c1f2bb508d711c5fa0dd4bda98b7a747140aa (diff)
Retrieving the CA certificate before the client certificate.
We have to have a CA cert first, because the host will start using the client cert as soon as it's available, but it's not functional without a CA cert. Also removing extra stupid stuff from wait_for_cert -- the connection is now always recycled, which is much simpler. Signed-off-by: Luke Kanies <luke@madstop.com>
-rwxr-xr-xbin/puppetd2
-rw-r--r--lib/puppet/ssl/host.rb14
-rwxr-xr-xspec/unit/ssl/host.rb35
3 files changed, 38 insertions, 13 deletions
diff --git a/bin/puppetd b/bin/puppetd
index 758494c4f..efd182426 100755
--- a/bin/puppetd
+++ b/bin/puppetd
@@ -350,7 +350,7 @@ end
host = Puppet::SSL::Host.new
cert = host.wait_for_cert(options[:waitforcert])
-client.recycle_connection if cert == :new
+client.recycle_connection
objects = []
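Review bot: The assignment `cert = host.wait_for_cert(options[:waitforcert])` is now dead code: with this commit `wait_for_cert` only ever does bare `return`s (the `:existing`/`:new` results are gone), so `cert` is always nil and, after the `if cert == :new` guard is dropped on the next line, nothing reads it. Drop the variable and call it for its side effect, `host.wait_for_cert(options[:waitforcert])`. A short comment on the unconditional recycle would help the next reader, e.g. `# Always recycle: the CA/client certs may have just been fetched and the existing connection was built without them.` The surrounding code of this script continues outside the hunk.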
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index d3805eb20..a750f3b08 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -137,7 +137,12 @@ class Puppet::SSL::Host
end
def certificate
- return nil unless @certificate ||= Certificate.find(name)
+ unless @certificate
+ # get the CA cert first, since it's required for the normal cert
+ # to be of any use.
+ return nil unless Certificate.find("ca") unless ca?
+ @certificate = Certificate.find(name)
+ end
@certificate
end
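Review bot: The CA certificate fetched by `Certificate.find("ca")` is only tested for truthiness and then discarded, so nothing in `certificate` ties the CA cert that was just retrieved to the one the SSL store later loads from `Puppet[:localcacert]`, nor checks that the client cert found under `name` was issued by it; presumably the indirector persists the fetched CA cert to that path, but that contract is invisible here and deserves a comment such as `# Certificate.find("ca") is relied on to write Puppet[:localcacert]; ssl_store reads it from disk.` The stacked modifiers `return nil unless Certificate.find("ca") unless ca?` are also hard to read at a glance; `return nil unless ca? || Certificate.find("ca")` is equivalent and makes the short-circuit for the CA host explicit. Note too that a CA lookup failure leaves `@certificate` nil, so every subsequent call re-issues the CA lookup (and, if it succeeds, the client lookup) — fine if those are local file reads, but worth a note if they can hit the network.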
@@ -172,6 +177,8 @@ class Puppet::SSL::Host
@ssl_store = OpenSSL::X509::Store.new
@ssl_store.purpose = purpose
+ # Use the file path here, because we don't want to cause
+ # a lookup in the middle of setting our ssl connection.
@ssl_store.add_file(Puppet[:localcacert])
# If there's a CRL, add it to our store.
@@ -186,11 +193,11 @@ class Puppet::SSL::Host
# Attempt to retrieve a cert, if we don't already have one.
def wait_for_cert(time)
- return :existing if certificate
+ return if certificate
begin
generate
- return :new if certificate
+ return if certificate
rescue StandardError => detail
Puppet.err "Could not request certificate: %s" % detail.to_s
if time < 1
@@ -216,7 +223,6 @@ class Puppet::SSL::Host
Puppet.err "Could not request certificate: %s" % detail.to_s
end
end
- return :new
end
end
diff --git a/spec/unit/ssl/host.rb b/spec/unit/ssl/host.rb
index c234585f7..8315689c8 100755
--- a/spec/unit/ssl/host.rb
+++ b/spec/unit/ssl/host.rb
@@ -267,13 +267,37 @@ describe Puppet::SSL::Host do
@cert = stub 'cert', :content => @realcert
end
+ it "should find the CA certificate if it does not have a certificate" do
+ Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
+ Puppet::SSL::Certificate.stubs(:find).with("myname").returns @cert
+
+ @host.certificate
+ end
+
+ it "should not find the CA certificate if it is the CA host" do
+ @host.expects(:ca?).returns true
+ Puppet::SSL::Certificate.stubs(:find)
+ Puppet::SSL::Certificate.expects(:find).with("ca").never
+
+ @host.certificate
+ end
+
+ it "should return nil if it cannot find a CA certificate" do
+ Puppet::SSL::Certificate.expects(:find).with("ca").returns nil
+ Puppet::SSL::Certificate.expects(:find).with("myname").never
+
+ @host.certificate.should be_nil
+ end
+
it "should find the certificate in the Certificate class and return the Puppet certificate instance" do
+ Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
Puppet::SSL::Certificate.expects(:find).with("myname").returns @cert
@host.certificate.should equal(@cert)
end
it "should return any previously found certificate" do
+ Puppet::SSL::Certificate.expects(:find).with("ca").returns mock("cacert")
Puppet::SSL::Certificate.expects(:find).with("myname").returns(@cert).once
@host.certificate.should equal(@cert)
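Review bot: None of the new specs actually pin the ordering that the commit exists to guarantee — that the CA certificate is looked up before the client certificate. The first new example stubs `find("myname")` but asserts nothing about the return value, and `expects(...).with("ca")` on its own passes regardless of call order; a mocha sequence would enforce it, e.g. `seq = sequence("ca first")`, `Puppet::SSL::Certificate.expects(:find).with("ca").in_sequence(seq).returns mock("cacert")`, `Puppet::SSL::Certificate.expects(:find).with("myname").in_sequence(seq).returns @cert`. The "return nil if it cannot find a CA certificate" example does cover the negative path well. The last `it` block in this hunk continues past the hunk boundary.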
@@ -451,22 +475,17 @@ describe Puppet::SSL::Host do
@host = Puppet::SSL::Host.new("me")
end
- it "should return :existing if it already has a certificate" do
- @host.expects(:certificate).returns "foo"
- @host.wait_for_cert(0).should == :existing
- end
-
it "should generate its certificate request and attempt to read the certificate again if no certificate is found" do
@host.expects(:certificate).times(2).returns(nil).then.returns "foo"
@host.expects(:generate)
- @host.wait_for_cert(1).should == :new
+ @host.wait_for_cert(1)
end
it "should catch and log errors during CSR saving" do
@host.expects(:certificate).times(2).returns(nil).then.returns "foo"
@host.expects(:generate).times(2).raises(RuntimeError).then.returns nil
@host.stubs(:sleep)
- @host.wait_for_cert(1).should == :new
+ @host.wait_for_cert(1)
end
it "should sleep and retry after failures saving the CSR if waitforcert is enabled" do
@@ -498,7 +517,7 @@ describe Puppet::SSL::Host do
@host.expects(:sleep).with(1)
- @host.wait_for_cert(1).should == :new
+ @host.wait_for_cert(1)
end
it "should catch and log exceptions during certificate retrieval" do