In puppet 7, the agent prints the authorityKeyIdentifier for each CRL like:
Debug: Using CRL 'CN=Puppet CA: <fqdn>' authorityKeyIdentifier 'keyid:2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5' crlNumber '0'
In puppet 8 with openssl 3, it's missing:
Debug: Using CRL 'CN=Puppet CA: <fqdn>' authorityKeyIdentifier '' crlNumber '0'
Something is not right with the way the ruby bindings retrieve the CRL extensions in https://github.com/puppetlabs/puppet/blob/ad7d75b08dfff5e308fde199407d84308d74e538/lib/puppet/ssl/ssl_provider.rb#L225-L230
The bug is because ruby 3.2.2 & OpenSSL 1.1.1 returns an extension with a trailing newline:
(byebug) RUBY_VERSION
"3.2.2"
(byebug) OpenSSL::OPENSSL_VERSION
"OpenSSL 1.1.1f 31 Mar 2020"
(byebug) crl.extensions[1].oid
"authorityKeyIdentifier"
(byebug) crl.extensions[1].value
"keyid:2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5\n"
We then call String#chomp!. However String#chomp! has an annoying behavior that it returns nil if nothing was modified. And Ruby 3.2.2 & OpenSSL 3 doesn't include the newline, thereby triggering the bug:
"OpenSSL 3.0.8 7 Feb 2023"
"2E:53:A9:06:E8:90:B1:DA:46:CD:25:47:3A:0B:F5:92:00:BE:D3:A5"
It's also not clear why the "keyid:" prefix is missing.
FWIW, we don't hit this issue when printing info with the puppetserver-ca-cli.