path: root/spec/integration/ssl
Commit message | Author | Age | Files | Lines
* Fix #2082 - puppetca shouldn't list revoked certificates | Brice Figureau | 2009-07-07 | 1 | -5/+3
This patch does two things:
  * it enhances puppetca to list revoked certificates (prefixed by -)
  * it fixes the ca crl verification which was broken
Signed-off-by: Brice Figureau <brice-puppet@daysofwonder.com>
* Fix #2113 - Make temp directory | Paul Nasrat | 2009-04-05 | 1 | -0/+2
Tests were failing; this patch makes the temporary directory in line with other integration tests.
* Changing the Cacher.invalidate method to Cacher.expire. | Luke Kanies | 2008-11-11 | 4 | -4/+4
Signed-off-by: Luke Kanies <luke@madstop.com>
* Using the new Cacher class for handling cached data. | Luke Kanies | 2008-05-13 | 4 | -17/+4
This provides a single, global bit for determining whether a given piece of cached data is still valid.
* The CRL is now automatically used or ignored. | Luke Kanies | 2008-05-07 | 1 | -8/+1
Previously, you had to configure whether you wanted the CRL or not, which resulted in errors all the time when it was configured but unavailable. Now, Puppet will always create and try to use it, but you won't get failures if it's unavailable.
* The master and client now successfully speak xmlrpc using the new system. | Luke Kanies | 2008-05-07 | 1 | -0/+2
The server is actually serving REST, but the client can't use it until we resolve the format and security issues that REST hasn't yet tackled.
* Fixing the HttpPool module to get rid of an infinite loop. | Luke Kanies | 2008-05-06 | 2 | -3/+20
We can't have the HttpPool class use the Indirector to see if it has a cert available, because it might be being used to try to download one, which would cause it to make an http instance, which would cause it to... Well, you get the idea. Adding and fixing a few other tests I ran into on the way.
* The Certificate Authority now automatically creates a CRL when appropriate. | Luke Kanies | 2008-05-05 | 1 | -1/+11
This requires less setup and configuration on the part of the user.
* Fixing a critical problem in how CRLs were saved and moving SSL Store responsibilities to the SSL::Host class. | Luke Kanies | 2008-05-05 | 1 | -0/+45
I was previously saving invalid CRLs unless they'd had a revocation done in them; this commit fixes them so that they're always valid. Also, I've added to SSL::Host the ability to generate a valid SSL Store, suitable for validation. This is now used by Webrick and can be used by the http clients, too. This should have been two commits, but I'm kind of down the rabbit hole ATM.
* The CA now initializes itself. | Luke Kanies | 2008-05-05 | 1 | -0/+2
I realized that it never made sense to have a CA that didn't know how to initialize itself, so we now have a singleton method for the CA, and it also automatically initializes itself.
* I think I've now got the Webrick SSL support working. | Luke Kanies | 2008-04-28 | 1 | -1/+12
Now I just need to get xmlrpc working alongside REST in both mongrel and webrick.
* Temporarily disabling the revoke/verify test in the CA. | Luke Kanies | 2008-04-19 | 1 | -3/+5
It looks like it's not taking the CRL into account, so I can't seem to actually get a cert to fail verification.
* Finishing the interface between the CA and the CRL. | Luke Kanies | 2008-04-19 | 1 | -1/+15
Certificate revocation now works, the CA knows how to generate the CRL, and the SSL::Host class knows how to configure the CRL class for indirection.
* All SSL terminus classes now force the CA information into the right place. | Luke Kanies | 2008-04-18 | 1 | -0/+10
Without this, then you could end up duplicating your CA key into the normal directory depending on how caching was set up. Again, this design aspect isn't the most straightforward, but at least it's functional now.
* Switching the SSL::Host class to return Puppet instances. | Luke Kanies | 2008-04-17 | 1 | -1/+1
Previously, the class was returning OpenSSL instances (e.g., OpenSSL::X509::Certificate) instead of Puppet instances (e.g., Puppet::SSL::Certificate). This made some things easier, but it made them asymmetric (e.g., you assigned the key as a Puppet instance but got back an OpenSSL instance), and it also reduced your flexibility and introspectiveness.
* Adding integration tests for a lot of the SSL code. | Luke Kanies | 2008-04-17 | 3 | -0/+233
This flushed out some problems, and things mostly look good now, but I don't think we're quite there yet.