Jira (PUP-8563) The puppet agent should have a 'local' mode for CRL checking

3 views
Skip to first unread message

Branan Riley (JIRA)

unread,
Mar 20, 2018, 5:09:02 PM3/20/18
to puppe...@googlegroups.com
Branan Riley moved an issue
 
Puppet / Bug PUP-8563
The puppet agent should have a 'local' mode for CRL checking
Change By: Branan Riley
Affects Version/s: puppet-agent 5.4.0
Affects Version/s: PUP 5.4.0
Component/s: Security
Key: PA PUP - 1914 8563
Project: Puppet Agent
Add Comment Add Comment
 
This message was sent by Atlassian JIRA (v7.7.1#77002-sha1:e75ca93)
Atlassian logo

Eric Delaney (JIRA)

unread,
Apr 2, 2018, 1:47:04 PM4/2/18
to puppe...@googlegroups.com
Eric Delaney updated an issue
Change By: Eric Delaney
Team: Coremunity

Maggie Dreyer (JIRA)

unread,
May 25, 2018, 12:01:03 PM5/25/18
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Team: Coremunity Server

Maggie Dreyer (JIRA)

unread,
May 25, 2018, 12:01:04 PM5/25/18
to puppe...@googlegroups.com
Maggie Dreyer commented on Bug PUP-8563
 
Re: The puppet agent should have a 'local' mode for CRL checking

I need to verify, but I think the docs may be unclear here. If Puppet detects that it has a CRL file on disk, it will not try to download one, regardless of the value of certificate_revocation. However, this could have implications for SERVER-2174, because in the intermediate CA case, we either need to know how to perform the modified check against the external CA, or we need to be able to disable updating the CRL.

Maggie Dreyer (JIRA)

unread,
May 25, 2018, 12:01:04 PM5/25/18
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Method Found: Needs Assessment Customer Feedback

Maggie Dreyer (JIRA)

unread,
Oct 30, 2018, 2:46:05 PM10/30/18
to puppe...@googlegroups.com
Maggie Dreyer updated an issue
Change By: Maggie Dreyer
Team: Server Coremunity

Josh Cooper (JIRA)

unread,
Feb 21, 2019, 12:43:04 PM2/21/19
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-8563
 
Re: The puppet agent should have a 'local' mode for CRL checking

Trevor Vaughan are you asking for a way to configure the revocation mode such that if the local CRL on disk doesn't exist, then puppet errors and doesn't try to download it?

If you're ok with the agent downloading a missing CRL, then I agree with Maggie Dreyer that it's how puppet works currently. Though in the future we've talked about having the agent attempt to refresh the CRL periodically, in which case a local mode would mean never refresh.

Josh Cooper (JIRA)

unread,
May 29, 2019, 12:53:04 PM5/29/19
to puppe...@googlegroups.com
Josh Cooper commented on Bug PUP-8563

PUP-2310 introduced the crl_refresh_interval which specifies how frequently to update the CRL. By default it behaves the same as puppet always has. It will download the CRL and never update. I think this ticket is a duplicate because if you place the CRL on the local file system, then puppet will never update the CRL. If I'm misunderstanding please reopen.
Reply all
Reply to author
Forward
0 new messages