Diffstat (limited to 'lib/puppet')
-rw-r--r-- | lib/puppet/defaults.rb | 11 | ||||
-rw-r--r-- | lib/puppet/network/http/webrick.rb | 4 | ||||
-rw-r--r-- | lib/puppet/ssl/certificate_authority.rb | 3 | ||||
-rw-r--r-- | lib/puppet/util/settings.rb | 7 |
4 files changed, 20 insertions, 5 deletions
diff --git a/lib/puppet/defaults.rb b/lib/puppet/defaults.rb
index ff302e8db..cbf608cc2 100644
--- a/lib/puppet/defaults.rb
+++ b/lib/puppet/defaults.rb
@@ -166,6 +166,8 @@ module Puppet
  If it's anything other than an empty string, it will be used as an alias in the created certificate. By default, only the server gets an alias set up, and only for 'puppet'."],
  :certdir => ["$ssldir/certs", "The certificate directory."],
+ :crl => [true, "Whether to use a certificate revocation list. If this is set to true and the CRL does not exist, you will get a failure."],
  :publickeydir => ["$ssldir/public_keys", "The public key directory."],
  :requestdir => ["$ssldir/certificate_requests", "Where host certificate requests are stored."],
  :privatekeydir => { :default => "$ssldir/private_keys",
@@ -236,7 +238,14 @@ module Puppet
  :owner => "$user",
  :group => "$group",
  :mode => 0664,
- :desc => "The certificate revocation list (CRL) for the CA. Set this to 'false' if you do not want to use a CRL."
+ :desc => "The certificate revocation list (CRL) for the CA. You should now set 'crl' to false if you do not want to use a CRL. Only set this to file path.", :hook => proc do |value| if value == 'false' Puppet.warning "Setting the :cacrl to 'false' is deprecated; set :crl to false instead." Puppet.settings[:crl] = false end end
  },
  :caprivatedir => { :default => "$cadir/private",
  :owner => "$user",
diff --git a/lib/puppet/network/http/webrick.rb b/lib/puppet/network/http/webrick.rb
index 8ccf974c6..2b3eace48 100644
--- a/lib/puppet/network/http/webrick.rb
+++ b/lib/puppet/network/http/webrick.rb
@@ -108,7 +108,7 @@ class Puppet::Network::HTTP::WEBrick
  # LAK:NOTE I'm not sure why this is this way, actually.
  results[:SSLCertName] = nil
- results[:SSLCertificateStore] = setup_ssl_store if Puppet[:cacrl] != 'false'
+ results[:SSLCertificateStore] = setup_ssl_store if Puppet[:hostcrl] != 'false'
  results
  end
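Review bot: The deprecation hook added to `:cacrl` only recognises the string `'false'`, so the boolean `false` that the removed check in certificate_authority.rb used to accept (`["false", false].include?`) no longer disables CRL use through `:cacrl`; compare with `if value == 'false' || value == false` to keep the old spelling working for the deprecation window. After the hook fires, `:cacrl` still holds the literal `'false'`, so any code that treats that setting as a file path — presumably the settings-to-catalog code, which is not in this diff — will see a relative path named `false`; worth confirming it is skipped rather than created. The new description also has a typo: `Only set this to a file path.`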
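Review bot: The new condition reads `Puppet[:hostcrl]`, but the setting this commit introduces in defaults.rb is `:crl`, and `:hostcrl` is not defined anywhere in this diff; unless it exists in a part of defaults.rb not shown here, looking up an unknown setting will fail when the server builds its SSL configuration. It also compares against the string `'false'` while the new setting is boolean-valued (`[true, ...]`), so even a boolean `:hostcrl` set to `false` would satisfy `!= 'false'` and force `setup_ssl_store`, which then raises if no CRL exists — CRL use could not be turned off from that setting at all. Suggest `results[:SSLCertificateStore] = setup_ssl_store if Puppet[:crl]`, matching the `unless Puppet[:crl]` check this commit makes in certificate_authority.rb. The method containing this line begins before the hunk.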
@@ -116,7 +116,7 @@ class Puppet::Network::HTTP::WEBrick
  # Create our Certificate revocation list
  def setup_ssl_store
  unless crl = Puppet::SSL::CertificateRevocationList.find("ca")
- raise Puppet::Error, "Could not find CRL; set 'cacrl' to 'false' to disable CRL usage"
+ raise Puppet::Error, "Could not find CRL; set 'hostcrl' to 'false' to disable CRL usage"
  end
  store = OpenSSL::X509::Store.new
  store.purpose = OpenSSL::X509::PURPOSE_ANY
diff --git a/lib/puppet/ssl/certificate_authority.rb b/lib/puppet/ssl/certificate_authority.rb
index 9b49c5420..42981424e 100644
--- a/lib/puppet/ssl/certificate_authority.rb
+++ b/lib/puppet/ssl/certificate_authority.rb
@@ -141,7 +141,7 @@ class Puppet::SSL::CertificateAuthority
  def crl
  unless defined?(@crl)
  # The crl is disabled.
- if ["false", false].include?(Puppet[:cacrl])
+ unless Puppet[:crl]
  @crl = nil
  return @crl
  end
@@ -149,6 +149,7 @@ class Puppet::SSL::CertificateAuthority
  unless @crl = Puppet::SSL::CertificateRevocationList.find("whatever")
  @crl = Puppet::SSL::CertificateRevocationList.new("whatever")
  @crl.generate(host.certificate.content)
+ @crl.save
  end
  end
  @crl
diff --git a/lib/puppet/util/settings.rb b/lib/puppet/util/settings.rb
index e595e2eea..65668f919 100644
--- a/lib/puppet/util/settings.rb
+++ b/lib/puppet/util/settings.rb
@@ -585,7 +585,12 @@ Generated on #{Time.now}.
  catalog.host_config = false
  catalog.apply do |transaction|
  if failures = transaction.any_failed?
- raise "Could not configure for running; got %s failure(s)" % failures
+ # LAK:NOTE We should do something like this for some cases,
+ # since it can otherwise be hard to know what failed.
+ #transaction.report.logs.find_all { |log| log.level == :err }.each do |log|
+ # puts log.message
+ #end
+ raise "Could not configure myself; got %s failure(s)" % failures
  end
  end
  end
|
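Review bot: The rewritten error message tells operators to set `'hostcrl'` to `'false'`, which does not match the setting this commit defines (`:crl`, boolean) nor how certificate_authority.rb now checks it (`unless Puppet[:crl]`); someone following the message would edit a setting that, as far as this diff shows, does not exist. Suggest `raise Puppet::Error, "Could not find CRL; set 'crl' to false to disable CRL usage"`. Failing closed when the CRL cannot be found is the right behaviour for a revocation check, so only the message needs to change. The remainder of setup_ssl_store continues past the hunk.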
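Review bot: The added lines are commented-out debugging code rather than a fix, so the raised error still reports only a count and an operator cannot tell which resource failed — in this settings-to-catalog path that is typically an ssldir or cadir file or directory whose owner, group or mode could not be applied, which matters when the contents are key material. If the transaction's report exposes its logs the way the comment assumes (not visible here), emit them through the logging layer this commit already uses elsewhere (`Puppet.warning` in defaults.rb) instead of leaving a `puts` snippet commented out: `transaction.report.logs.select { |log| log.level == :err }.each { |log| Puppet.err log.message }` placed before the `raise`. The new wording `Could not configure myself` is also less specific than the old `for running`; keeping a noun that names what was being configured helps whoever reads the log. The enclosing method starts before this hunk.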