Providing some context about why PR #3247 was closed. Puppet hardcodes the CRL next_update time to be 5 years in the future, see https://github.com/puppetlabs/puppet/blob/3.7.4/lib/puppet/ssl/certificate_revocation_list.rb#L88. With this PR, the puppet agent would not consider its cache to be stale for 5 years, leaving us in effectively the same position we are in today.
If you patched puppet to use a shorter next_update time, or made it configurable, and the agent's CRL expired, then in the common case where no agent certs had been revoked, the agent would download the same CRL it had, discover the CRL is still expired, and hopefully not get into an infinite loop.
So somehow the CRL on the master needs to be updated periodically (to bump the next_update time). AFAIK, the only way to do that from the puppet CLI is to revoke a cert. So you could generate a temp cert, and then revoke it, but that's a bit lame. Ideally, the certificate_revocation application would have an update command that just bumps the next_update time and resigns the CRL.
Also, the CA cert's not_after time is determined by puppet's ca_ttl setting which also defaults to 5 years, see https://github.com/puppetlabs/puppet/blob/3.7.4/lib/puppet/defaults.rb#L962-L967. So we'd need to make sure the CA doesn't expire before the CRL.
Long term we are looking at adding a cert-related CLI to puppetserver and adding OCSP support. /cc Christopher Price, Jeremy Barlow
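As an added illustration (not part of this comment or of Puppet's own code), here is a Ruby sketch using the OpenSSL stdlib of the two checks the discussion above implies: whether an agent's cached CRL is stale by its next_update, and whether the CA cert outlives the CRL it signs. The 5-year constant mirrors the hardcoded CRL lifetime and the default ca_ttl mentioned above; the subject name and timestamps are constructed.

```ruby
require 'openssl'

# Constructed example: mirrors Puppet's 5-year CRL next_update and default ca_ttl.
FIVE_YEARS = 5 * 365 * 24 * 60 * 60

# Build a self-signed CA whose validity is ca_ttl seconds from `now`.
def build_ca(ca_ttl: FIVE_YEARS, now: Time.now)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2                       # X.509 v3
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Puppet CA: example.test')
  cert.public_key = key.public_key
  cert.not_before = now
  cert.not_after = now + ca_ttl
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [cert, key]
end

# Build an empty CRL (no revoked certs) whose next_update is crl_ttl seconds out.
def build_crl(ca_cert, ca_key, crl_ttl: FIVE_YEARS, now: Time.now)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1                        # CRL v2
  crl.issuer = ca_cert.subject
  crl.last_update = now
  crl.next_update = now + crl_ttl
  crl.sign(ca_key, OpenSSL::Digest::SHA256.new)
  crl
end

# Agent-side decision: the cached CRL is stale once next_update has passed.
# With a 5-year next_update this is false for 5 years, which is the point made above.
def crl_stale?(crl, now: Time.now)
  now > crl.next_update
end

# CA-side sanity check: the CA cert must not expire before the CRL it signs,
# otherwise the CRL outlives the certificate that vouches for it.
def ca_outlives_crl?(ca_cert, crl)
  ca_cert.not_after >= crl.next_update
end
```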