author    Luke Kanies <luke@madstop.com>  2008-12-18 18:06:45 -0600
committer Luke Kanies <luke@madstop.com>  2008-12-18 18:06:45 -0600
commit    566bf7820e56b3be503a05645cad54152309b20f
tree      f773fa8ea389790c01ae8a6eb92de7cd8a44874c  /bin
parent    0cf9decfeab5a45f8457af2e51633fd6e0f877fc
Fixing #1729 - puppetmasterd can now read certs at startup

The main aspect of this solution is to create a site-wide Puppet::SSL::Host instance to cache ssl key and certificate, so that by the time we've switched UIDs, we've got the key and cert in memory. Then webrick just uses that, rather than creating a new Host instance.

Signed-off-by: Luke Kanies <luke@madstop.com>
Diffstat (limited to 'bin')
-rwxr-xr-x  bin/puppetmasterd  14
1 files changed, 13 insertions, 1 deletions
diff --git a/bin/puppetmasterd b/bin/puppetmasterd
index 9c3cc168c..47384f261 100755
--- a/bin/puppetmasterd
+++ b/bin/puppetmasterd
@@ -155,6 +155,8 @@ if Puppet.settings.print_configs?
exit(Puppet.settings.print_configs ? 0 : 1)
end
+Puppet.settings.use :main, :puppetmasterd, :ssl
+
# A temporary solution, to at least make the master work for now.
Puppet::Node::Facts.terminus_class = :yaml
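Review bot: the new `Puppet.settings.use :main, :puppetmasterd, :ssl` at the top of this hunk carries no comment, and nothing around it says why the `:main` and `:ssl` sections now get applied unconditionally this early instead of inside the CA branch further down; only the commit message explains that the ssl settings have to be in effect before the key and cert are loaded and the UID is switched. Suggest a one-line comment such as `# Apply the ssl settings now so the key and cert can be read before we drop privileges` so the ordering is not "tidied" back into the SSL block later.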
@@ -164,7 +166,7 @@ Puppet::Node.cache_class = :yaml
# Configure all of the SSL stuff.
if Puppet::SSL::CertificateAuthority.ca?
Puppet::SSL::Host.ca_location = :local
- Puppet.settings.use :main, :ssl, :ca
+ Puppet.settings.use :ca
Puppet::SSL::CertificateAuthority.instance
else
Puppet::SSL::Host.ca_location = :none
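Review bot: `Puppet.settings.use :ca` on the `+` line only makes sense together with the unconditional `use :main, :puppetmasterd, :ssl` added earlier in this file; read on its own, the CA branch has stopped applying the `:main` and `:ssl` sections it applied before (`- Puppet.settings.use :main, :ssl, :ca`). A short comment here (for example `# :main and :ssl were applied above; only :ca is CA-specific`) would stop a later reader from restoring the dropped sections.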
@@ -197,6 +199,16 @@ end
server = Puppet::Network::Server.new(:handlers => rest_handlers, :xmlrpc_handlers => xmlrpc_handlers)
+# Make sure we've got a localhost ssl cert
+Puppet::SSL::Host.localhost
+
+# And now configure our server to *only* hit the CA for data, because that's
+# all it will have write access to.
+if Puppet::SSL::CertificateAuthority.ca?
+ Puppet::SSL::Host.ca_location = :only
+ Puppet::SSL::Host.ca_location = :none
+end
+
if Process.uid == 0
begin
Puppet::Util.chuser
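Review bot: the two assignments inside the `if Puppet::SSL::CertificateAuthority.ca?` block cancel each other out: `Puppet::SSL::Host.ca_location = :only` is immediately overwritten by `Puppet::SSL::Host.ca_location = :none`, so a CA master ends up with `:none`, the opposite of what the comment above promises ("configure our server to *only* hit the CA"). The second assignment presumably belongs in an `else` branch, or can simply be deleted since the non-CA path already set `:none` in the earlier SSL block; as written, the post-UID-switch behaviour the comment describes is never configured. It would also help to state in the comment that `Puppet::SSL::Host.localhost` deliberately runs while `ca_location` is still `:local` and before `Puppet::Util.chuser`, since that ordering is what lets the cert be generated and read while still root, which is the point of #1729.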