From 7fdf2bb23fbc5a3cb2468fb6b980eaf556d29c64 Mon Sep 17 00:00:00 2001 From: Luke Kanies Date: Mon, 3 Nov 2008 22:05:20 -0600 Subject: Retrieving the CA certificate before the client certificate. We have to have a CA cert first, because the host will start using the client cert as soon as it's available, but it's not functional without a CA cert. Also removing extra stupid stuff from wait_for_cert -- the connection is now always recycled, which is much simpler. Signed-off-by: Luke Kanies
---
 lib/puppet/ssl/host.rb | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)
(limited to 'lib')
diff --git a/lib/puppet/ssl/host.rb b/lib/puppet/ssl/host.rb
index d3805eb20..a750f3b08 100644
--- a/lib/puppet/ssl/host.rb
+++ b/lib/puppet/ssl/host.rb
@@ -137,7 +137,12 @@ class Puppet::SSL::Host
     end
 
     def certificate
-        return nil unless @certificate ||= Certificate.find(name)
+        unless @certificate
+            # get the CA cert first, since it's required for the normal cert
+            # to be of any use.
+            return nil unless Certificate.find("ca") unless ca?
+            @certificate = Certificate.find(name)
+        end
         @certificate
     end
 
@@ -172,6 +177,8 @@ class Puppet::SSL::Host
         @ssl_store = OpenSSL::X509::Store.new
         @ssl_store.purpose = purpose
 
+        # Use the file path here, because we don't want to cause
+        # a lookup in the middle of setting our ssl connection.
         @ssl_store.add_file(Puppet[:localcacert])
 
         # If there's a CRL, add it to our store.
@@ -186,11 +193,11 @@ class Puppet::SSL::Host
 
     # Attempt to retrieve a cert, if we don't already have one.
     def wait_for_cert(time)
-        return :existing if certificate
+        return if certificate
 
         begin
             generate
-            return :new if certificate
+            return if certificate
         rescue StandardError => detail
             Puppet.err "Could not request certificate: %s" % detail.to_s
             if time < 1
@@ -216,7 +223,6 @@ class Puppet::SSL::Host
                 Puppet.err "Could not request certificate: %s" % detail.to_s
             end
         end
-        return :new
     end
 end
 
-- cgit
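Review bot: The new guard `return nil unless Certificate.find("ca") unless ca?` in `certificate` stacks two modifier clauses, which reads ambiguously and throws away the CA certificate it just looked up; `return nil unless ca? || Certificate.find("ca")` expresses the same condition in one clause. Because that lookup result is not cached, every call to `certificate` while `@certificate` is still unset repeats the CA lookup, and the comment in the `ssl_store` hunk suggests such lookups are not free — `wait_for_cert` calls `certificate` at least twice per attempt. Note also that the presence of something named `"ca"` does not by itself show that the host certificate returned here chains to it; the visible chain-trust setup is `ssl_store` adding `Puppet[:localcacert]`, so a short comment saying the two are expected to be the same CA material would help the next reader.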
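Review bot: The comment added above `@ssl_store.add_file(Puppet[:localcacert])` explains why a file path is used but not that this file is the trust anchor the rest of the class relies on, while `certificate` now gates on `Certificate.find("ca")` — two sources for the same CA cert that could diverge, in which case a host cert might be returned that this store does not chain to. Extending the comment with `# This file is expected to hold the same CA cert that Certificate.find("ca") returns.` would make the coupling explicit. The enclosing `ssl_store` method starts and ends outside this hunk.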
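Review bot: `wait_for_cert` no longer returns `:existing`/`:new` (both `return` lines here and the `return :new` removed in the last hunk), but its header comment `# Attempt to retrieve a cert, if we don't already have one.` still says nothing about the new contract; update it to something like `# Attempt to retrieve a cert, if we don't already have one. Returns nil on every visible path; callers should check #certificate rather than the return value.` Also, since `certificate` now returns nil whenever the CA cert cannot be found, the first `return if certificate` falls through to `generate` even when a host cert already exists locally but the CA cert is missing — confirm that is intended rather than reporting the missing CA cert explicitly. The method body continues outside this hunk.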