| author | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-14 16:50:46 +0000 |
|---|---|---|
| committer | lutter <lutter@980ebf18-57e1-0310-9a29-db15c13687c0> | 2006-09-14 16:50:46 +0000 |
| commit | 64eb1e8c37bfc4b35814f3aa58dd497b4bb3d8b7 (patch) | |
| tree | 7a0c1acd64ac30a7afbf6313e425a09d347bd2c3 /lib | |
| parent | 5e2091b1ee3a7ddb601af43254de51b7e0bd24a2 (diff) | |
Let puppetd listen (when given --listen) without a CRL
git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1592 980ebf18-57e1-0310-9a29-db15c13687c0
Diffstat (limited to 'lib')
| -rw-r--r-- | lib/puppet/server.rb | 4 | ||||
| -rw-r--r-- | lib/puppet/sslcertificates/ca.rb | 7 |
2 files changed, 10 insertions, 1 deletions
diff --git a/lib/puppet/server.rb b/lib/puppet/server.rb
index 4a949b712..84d2940c3 100644
--- a/lib/puppet/server.rb
+++ b/lib/puppet/server.rb
@@ -49,6 +49,10 @@ module Puppet
     # with them, with flags appropriate for checking client
     # certificates for revocation
     def x509store
+        if Puppet[:cacrl] == 'none'
+            # No CRL, no store needed
+            return nil
+        end
         unless File.exist?(Puppet[:cacrl])
             raise Puppet::Error, "Could not find CRL"
         end
diff --git a/lib/puppet/sslcertificates/ca.rb b/lib/puppet/sslcertificates/ca.rb
index 283809b51..b1c5b34e6 100644
--- a/lib/puppet/sslcertificates/ca.rb
+++ b/lib/puppet/sslcertificates/ca.rb
@@ -32,7 +32,7 @@ class Puppet::SSLCertificates::CA
             :owner => "$user",
             :group => "$group",
             :mode => 0664,
-            :desc => "The certificate revocation list (CRL) for the CA."
+            :desc => "The certificate revocation list (CRL) for the CA. Set this to 'none' if you do not want to use a CRL."
         },
         :caprivatedir => { :default => "$cadir/private",
             :owner => "$user",
@@ -366,6 +366,9 @@ class Puppet::SSLCertificates::CA
     # Revoke the certificate with serial number SERIAL issued by this
     # CA. The REASON must be one of the OpenSSL::OCSP::REVOKED_* reasons
     def revoke(serial, reason = OpenSSL::OCSP::REVOKED_STATUS_KEYCOMPROMISE)
+        if @config[:cacrl] == 'none'
+            raise Puppet::Error, "Revocation requires a CRL, but ca_crl is set to 'none'"
+        end
         time = Time.now
         revoked = OpenSSL::X509::Revoked.new
         revoked.serial = serial
@@ -399,6 +402,8 @@ class Puppet::SSLCertificates::CA
             @crl = OpenSSL::X509::CRL.new(
                 File.read(@config[:cacrl])
             )
+        elsif @config[:cacrl] == 'none'
+            @crl = nil
         else
             # Create new CRL
             @crl = OpenSSL::X509::CRL.new
|
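Review bot: The early `return nil` in x509store when `Puppet[:cacrl]` is `'none'` disables revocation checking of client certificates without leaving any runtime trace, and the rest of x509store and its callers are outside this hunk, so whether a nil store is handled downstream cannot be confirmed here. Making the downgrade visible in operations would help, e.g. `Puppet.warning "cacrl is 'none'; client certificates will not be checked for revocation"` immediately before the `return nil`, and the comment would read more precisely as `# cacrl == 'none': revocation checking is disabled; callers must accept a nil store`. The literal `'none'` is also compared in three separate places (here and in both ca.rb hunks below), so a single shared constant would keep the sentinel from drifting.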
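Review bot: The error raised in revoke names a setting `ca_crl`, but the key actually tested on the line above is `@config[:cacrl]`, and the earlier hunk documents the setting under `:cacrl` as well, so an operator reading the message would look for an option that does not exist. The line should be `raise Puppet::Error, "Revocation requires a CRL, but cacrl is set to 'none'"`. The body of revoke continues past the end of the hunk.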
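Review bot: The new `elsif @config[:cacrl] == 'none'` branch is evaluated only after the preceding branch, whose condition lies outside this hunk; if that condition is a file-existence test on `@config[:cacrl]` (which the visible `File.read(@config[:cacrl])` suggests), a file literally named `none` in the working directory would be read as the CRL instead of disabling it. Testing for the `'none'` sentinel first, before any filesystem check, removes that ambiguity and matches the order used in server.rb's x509store. The enclosing method and the surrounding `if` start outside the hunk, so this is inferred from the fragment shown.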
