summaryrefslogtreecommitdiffstats
path: root/lib/puppet/sslcertificates/ca.rb
Commit message (Collapse)AuthorAgeFilesLines
* Fix for #2890 (the cached certificates that would not die)Markus Roberts2009-12-191-5/+6
| | | | | | | | | | | | | | | | | | | | | | | | | This patch implements the two-part suggestion from the ticket; 1) a client that receives a certificate that doesn't match its current private key does not accept, store or use the certificate--instead it removes any locally cached copies and acts as if the certificate had never been found. 2) a puppetmaster that receives a csr from a client for whom it already has a signed certificate now honors the request and considers it to supercede any previously signed certificates. In order to make the cache expiration work as expected, I changed a few assumptions in the caching system: * The expiration of a cached certificate is the earlier of the envelope expiration and the certificate's expiration, as opposed to just overriding the cache value * Telling the cache to expire an item now removes it from the cache if possible, rather than just setting an expiration date in the past and hoping that somebody notices. Signed-off-by: Markus Roberts <Markus@reality.com>
* Possible workaround for #2824 (MRI GC bug)Markus Roberts2009-11-191-2/+2
| | | | | | | | | | | | | | | | | | | This is a moderately ugly workaround for the MRI garbage collection bug (see the ticket for details). I explored several other potential solutions (notably, monkey patching the routines that trigger the bug) but none of them were satisfactory. Monkey patching sub, gsub, sub!, gsub!, etc., for example, either changes the scoping of $~, $1, etc. in a way that could potentially subtly change the meaning of programs or (if you are clever) faithfully reproduces the behaviour of MRI--including the memory leak. I decided to go with the standardized and somewhat obnoxious never- used optional argument as it was easy to automatically insert and should be even easier to automatically find and remove if a better fix is developed. It also should be obtrusive enough to escape accidental removal in refactoring.
* Re-fixed #2750 - Stop disabling the CRL or checking for a disabled CRLJohn A. Barbuto2009-10-271-5/+0
| | | | | | This was deprecated in commit 1cfb0215 and was keeping puppetd from starting in listen mode. Signed-off-by: John A. Barbuto <jbarbuto@corp.sourceforge.com>
* Removed extra whitespace from end of linesIan Taylor2009-06-061-15/+15
|
* Updated fix for ticket #1271James Turnbull2008-05-311-1/+1
|
* Applied patch for ticket #1271James Turnbull2008-05-301-3/+8
|
* Ticket #1041Andrew Shafer2008-03-051-29/+1
| | | | | | | | | | The CA serial file was getting owned by root because it was using a different method to write to file Pulled the readwritelock out of lib/puppet/sslcertificates/ca.rb into lib/puppet/util/settings.rb Refactored write, writesub and readwritelock a bit to reuse code (write and readwritelock both call writesub) Added a mode to :serial in lib/puppet/util/defaults.rb
* Applying patch by Jay to fix #989 -- missing crl files areLuke Kanies2008-02-071-3/+3
| | | | | correctly ignored, and you now use 'false' instead of 'none' to explicitly ignore them.
* Adding what is hopefully the last commit for #896. Here's theLuke Kanies2007-12-111-1/+0
| | | | | | | | | | | | | | changelog: Modifying the behaviour of the certdnsnames setting. It now defaults to an empty string, and will only be used if it is set to something else. If it is set, then the host's FQDN will also be added as an alias. The default behaviour is now to add 'puppet' and 'puppet.$domain' as DNS aliases when the name for the cert being signed is equal to the signing machine's name, which will only be the case for CA servers. This should result in servers always having the alias set up and no one else, but you can still override the aliases if you want.
* Applying patches from #823 by wyvernLuke Kanies2007-11-271-0/+10
|
* Fixing #896 by applying DerekW's patches, with slightLuke Kanies2007-11-191-0/+1
| | | | modifications to fit coding style.
* Removing the Id tags from all of the filesLuke Kanies2007-10-031-1/+0
|
* Renaming the 'Puppet::Util::Config' class toLuke Kanies2007-09-221-9/+9
| | | | | | | 'Puppet::Util::Settings'. This is to clear up confusion caused by the fact that we now have a 'Configuration' class to model host configurations, or any set of resources as a "configuration".
* Fixed CA race condition (#693)Michael V. O'Brien2007-08-221-5/+37
|
* Consolidating all of the configuration parameter declarations into ↵luke2007-05-041-78/+1
| | | | | | configuration, at least partially just because then the docs for each parameter have to be a bit better. Also, I have gotten rid of the "puppet" section, replacing it with "main", and changed, added, or removed a couple of other sections. In general, we should now prefer more sections, rather than fewer. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2463 980ebf18-57e1-0310-9a29-db15c13687c0
* Merging the webserver_portability branch from version 2182 to version 2258.luke2007-03-061-3/+1
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2259 980ebf18-57e1-0310-9a29-db15c13687c0
* Fixing #142. As expected, trivial.luke2007-02-271-0/+3
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2232 980ebf18-57e1-0310-9a29-db15c13687c0
* Change Puppet.name to Puppet.execname so rails 1.2 won't freak out.shadoi2007-02-161-1/+1
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2202 980ebf18-57e1-0310-9a29-db15c13687c0
* Moving some of the stand-alone classes into the util/ subdirectory, to clean ↵luke2007-02-071-1/+1
| | | | | | up the top-level namespace a bit. This is a lot of file modifications, but most of them just change class names and file paths. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2178 980ebf18-57e1-0310-9a29-db15c13687c0
* Moving the switch that disables the certificate authority into the main ↵luke2007-01-301-0/+2
| | | | | | library, so they can be disabled in the configuration file. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@2118 980ebf18-57e1-0310-9a29-db15c13687c0
* Closing #362. Case-insensitivity is handled by downcasing all host names.luke2006-12-271-52/+54
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1971 980ebf18-57e1-0310-9a29-db15c13687c0
* + Puppet::SUIDManager - This replaces all calls to the built-in ruby ↵erikh2006-09-221-1/+1
| | | | | | | | | | | 'Process' library for uid/gid/euid/egid operations, including (not surprisingly) Puppet::Util#asuser and a method to run commands and capture output. This is due to many inconsistencies (through bugfixes) between ruby versions in the 1.8.x branch. This is included in the core puppet library and can be used by all puppet types and providers. ! Modified Puppet::Util#uid to check (and warn) if passed a nil value. ! Changes to use Puppet::SUIDManager instead of Process and relevant Puppet::Util calls. ! Removed Puppet::Util#asuser. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1666 980ebf18-57e1-0310-9a29-db15c13687c0
* Let puppetd listen (when given --listen) without a CRLlutter2006-09-141-1/+6
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1592 980ebf18-57e1-0310-9a29-db15c13687c0
* Add config parameter ca_ttl and deprecate ca_days; ca_ttl makes it possible ↵lutter2006-09-131-3/+44
| | | | | | to generate certs that are valid for < 1 day git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1581 980ebf18-57e1-0310-9a29-db15c13687c0
* Changing autosign mode to 644luke2006-08-291-1/+1
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1510 980ebf18-57e1-0310-9a29-db15c13687c0
* Certificate revocation through puppetca. Keep a simple text inventory of all ↵lutter2006-08-231-0/+1
| | | | | | certificates ever issued. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1485 980ebf18-57e1-0310-9a29-db15c13687c0
* Support for certificate revocation and checking connections on the server ↵lutter2006-08-211-27/+80
| | | | | | against the CRL git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1475 980ebf18-57e1-0310-9a29-db15c13687c0
* Adding in all of the patches necessary to make a prototype rails interface ↵luke2006-04-281-1/+5
| | | | | | to puppet nodes work. The biggest change is that there is now a separate NetworkClient class for every Client subclass, because otherwise you get namespace collisions. Most everything other change is a relatively minor patch. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1145 980ebf18-57e1-0310-9a29-db15c13687c0
* adding "clean" mode to puppetcaluke2006-04-261-0/+20
| | | | git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1140 980ebf18-57e1-0310-9a29-db15c13687c0
* Fixing #118; the hash is now always 8 hex characters, 0-padded. Also ↵luke2006-04-191-1/+6
| | | | | | changed the CA cert name to the FQDN of the host serving the CA, rather than "CAcert". git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1117 980ebf18-57e1-0310-9a29-db15c13687c0
* Fixing a bunch of small bugs, mostly found by testing on solaris, and added ↵luke2006-04-171-2/+2
| | | | | | a check to the test system that points out memory growth git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1113 980ebf18-57e1-0310-9a29-db15c13687c0
* Fixing puppetca so it does not call chuser; instead, it is configured to ↵luke2006-04-121-16/+18
| | | | | | create all of the files with the correct permissions and ownership (using Config#write and Config#writesub). git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1111 980ebf18-57e1-0310-9a29-db15c13687c0
* Added a test for Type#remove, and fixed the method so it actually works. I ↵luke2006-04-021-17/+42
| | | | | | was missing every other object, because i was iterating over the array being modified. This caused the Config stuff to often fail, because objects were not correctly being removed. All fixed now, though. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@1053 980ebf18-57e1-0310-9a29-db15c13687c0
* Okay, Puppet is now almost entirely capable of configuring itself. I have ↵luke2006-03-021-25/+37
| | | | | | not yet added the extra tests to puppetmasterd to make sure it can start as a normal user, and the executables still fail some simple tests because they are producing output when they start (I will get rid of the output), but overall things look pretty good. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@965 980ebf18-57e1-0310-9a29-db15c13687c0
* Changing the setdefaults input format somewhat. It is always a hash of some ↵luke2006-03-011-19/+19
| | | | | | kind now. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@962 980ebf18-57e1-0310-9a29-db15c13687c0
* Making the language name a real alias. Now all objects in Puppet support ↵luke2006-02-101-2/+0
| | | | | | specifying both the name and the namevar, or just a name and having the namevar set. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@896 980ebf18-57e1-0310-9a29-db15c13687c0
* There is now full support for configuration files, and the entire system has ↵luke2006-02-071-65/+45
| | | | | | been modified to expect their new behaviour. I have not yet run the test across all test hosts, though. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@873 980ebf18-57e1-0310-9a29-db15c13687c0
* Configuration parameters now require (and have) descriptions, and a set of ↵luke2006-02-071-47/+72
| | | | | | configuration parameters can be converted to a configuration file, a manifest, or a component. All I have to do now is integrate them into the executables. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@872 980ebf18-57e1-0310-9a29-db15c13687c0
* Adding the event-loop stuff to the repository and switching to using it. ↵luke2006-01-241-0/+286
Also, breaking many classes out into their own class files. git-svn-id: https://reductivelabs.com/svn/puppet/trunk@848 980ebf18-57e1-0310-9a29-db15c13687c0
generated by cgit (git 2.34.1) at 2025-09-26 12:12:13 +0000