authorLuke Kanies <luke@madstop.com>2008-05-07 13:29:38 -0500
committerLuke Kanies <luke@madstop.com>2008-05-07 13:29:38 -0500
commit1cfb0215a4d56af9ac1e0c672d9ae597dfde846e (patch)
tree48529190b224006b12596ffafecbf9ffb49afca0 /lib/puppet
parent0365184aaec4d71f7fa93fc1534ae10f8f842bb7 (diff)
The CRL is now automatically used or ignored.
Previously, you had to configure whether you wanted the CRL or not, which resulted in errors whenever it was enabled but unavailable. Now, Puppet will always create and try to use it, but you won't get failures if it's unavailable.
Diffstat (limited to 'lib/puppet')
-rw-r--r--lib/puppet/defaults.rb8
-rw-r--r--lib/puppet/network/http/webrick.rb2
-rw-r--r--lib/puppet/ssl/certificate_authority.rb6
-rw-r--r--lib/puppet/ssl/host.rb6
4 files changed, 5 insertions, 17 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index fa604667e..78cf7c47d 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -173,8 +173,6 @@ module Puppet
If it's anything other than an empty string, it will be used as an alias in the created
certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
:certdir => ["$ssldir/certs", "The certificate directory."],
- :crl => [true, "Whether to use a certificate revocation list. If this is set to true and the CRL does not exist,
- you will get a failure."],
:ssldir => {
:default => "$confdir/ssl",
:mode => 0771,
@@ -251,12 +249,10 @@ module Puppet
:owner => "$user",
:group => "$group",
:mode => 0664,
- :desc => "The certificate revocation list (CRL) for the CA. You should now set 'crl' to false if you do not want to use a CRL.
- Only set this to file path.",
+ :desc => "The certificate revocation list (CRL) for the CA. Will be used if present but otherwise ignored.",
:hook => proc do |value|
if value == 'false'
- Puppet.warning "Setting the :cacrl to 'false' is deprecated; set :crl to false instead."
- Puppet.settings[:crl] = false
+ Puppet.warning "Setting the :cacrl to 'false' is deprecated; Puppet will just ignore the crl if yours is missing"
end
end
},
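Review bot: The deprecation branch on the new line 47 keeps the literal string `'false'` as the value of `cacrl` instead of neutralising it, so whatever resolves `Puppet[:cacrl]` as a path presumably now looks for a file named `false` (the consumers are outside this hunk, so this is inferred). The old hook at least switched CRL use off via `Puppet.settings[:crl]`; with `:crl` gone there is no longer any setting that means "never use a CRL", and the new warning text does not say so. A message that states the actual effect would help operators who still have `cacrl = false` in their config: `Puppet.warning "Setting :cacrl to 'false' is deprecated and no longer disables the CRL; the CRL is used if the file exists and ignored otherwise"`. This hook sits inside the `:cacrl` setting hash, which starts before the hunk.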
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb
index 3e7a28598..eacf81ec2 100644
--- a/lib/puppet/network/http/webrick.rb
+++ b/lib/puppet/network/http/webrick.rb
@@ -107,7 +107,7 @@ class Puppet::Network::HTTP::WEBrick
results[:SSLCACertificateFile] = Puppet[:localcacert]
results[:SSLVerifyClient] = OpenSSL::SSL::VERIFY_PEER
- results[:SSLCertificateStore] = host.ssl_store if Puppet[:crl]
+ results[:SSLCertificateStore] = host.ssl_store
results
end
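Review bot: Dropping the `if Puppet[:crl]` guard on the new line 59 means revocation enforcement on the server is now decided silently by whether `host.ssl_store` happened to find a CRL, and nothing in this file records that. A reader seeing `VERIFY_PEER` plus an explicit certificate store will assume revoked client certificates are rejected, which is only true when the CRL file was present at startup. A one-line comment above line 59 would make the dependency explicit: `# Revoked client certs are rejected only if host.ssl_store loaded a CRL; see Puppet::SSL::Host#ssl_store`. The method this belongs to starts before the hunk.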
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 5054c1dbe..cd5d79f0a 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -90,12 +90,6 @@ class Puppet::SSL::CertificateAuthority
# Retrieve (or create, if necessary) the certificate revocation list.
def crl
unless defined?(@crl)
- # The crl is disabled.
- unless Puppet[:crl]
- @crl = nil
- return @crl
- end
-
unless @crl = Puppet::SSL::CertificateRevocationList.find("ca")
@crl = Puppet::SSL::CertificateRevocationList.new("ca")
@crl.generate(host.certificate.content, host.key.content)
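Review bot: With the `Puppet[:crl]` guard removed, the `unless @crl = CertificateRevocationList.find("ca")` fallback on line 76 now unconditionally generates a brand-new CRL whenever `find` returns nil, so a CA whose existing CRL is unreadable (wrong permissions, mis-set `cacrl` path) rather than genuinely absent would, if `find` also returns nil in those cases, silently end up with a fresh CRL containing no revocations. I cannot see `find`'s failure behaviour from here, so treat that as a question to confirm; either way, regeneration of the CA's revocation state should leave a trace, e.g. `Puppet.notice "No CRL found for CA; generating a new, empty one"` before the `new("ca")` call. The `crl` method continues past the end of the hunk.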
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index 105b39dc6..e366bfbdd 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -173,10 +173,8 @@ class Puppet::SSL::Host
store.add_file(Puppet[:localcacert])
- if Puppet[:crl]
- unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
- raise ArgumentError, "Could not find CRL; set 'crl' to 'false' to disable CRL usage"
- end
+ # If there's a CRL, add it to our store.
+ if crl = Puppet::SSL::CertificateRevocationList.find("ca")
store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK_ALL|OpenSSL::X509::V_FLAG_CRL_CHECK
store.add_crl(crl.content)
end
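Review bot: The new branch on lines 89-90 fails open without any trace: when `CertificateRevocationList.find("ca")` returns nil, `V_FLAG_CRL_CHECK` is never set on the store, so a missing or mis-pathed CRL file is indistinguishable from a deliberate no-CRL deployment and revoked certificates are accepted. The removed code raised here; replacing the exception with silence drops the only signal an operator had that revocation checking is off. Add an `else` branch so the decision is at least logged: `else` / `Puppet.warning "Could not find CRL; certificate revocation will not be checked"` immediately before the `end` on line 93. The enclosing method starts before the hunk.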