Issue #14550 has been updated by James Turnbull.

Category set to SSL
Status changed from Unreviewed to Needs Decision
Assignee set to Daniel Pittman

Dustin - unfortunately chained CAs have been broken for quite some time (see #3770). I've assigned to Eng for comment on this and the previous ticket.

----------------------------------------
Feature #14550: Accept a CRL path on the agent
https://projects.puppetlabs.com/issues/14550#change-63120

Author: Dustin Mitchell
Status: Needs Decision
Priority: Normal
Assignee: Daniel Pittman
Category: SSL
Target version:
Affected Puppet version:
Keywords:
Branch:

The agent happily downloads a CRL from the master, but will only support one CRL, and therefore only one CA, and therefore doesn't work in a chained-certificates context.

While it would be nice to have better support for chained certificates *within* puppet, I think that certificate chaining and other crazy OpenSSL tricks are probably best left to the site to implement, with puppet just providing the minimal hooks.

In this case that would mean adding a 'crlpath' agent configuration option which takes a hashed directory full of CRLs - similar to http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslcarevocationpath

It would then be up to the user to populate this directory through whatever means are most appropriate to the site.
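
The hashed CRL directory requested in the ticket, as an added Ruby example (not Puppet code and not part of the original ticket): it shows that a chained setup needs one CRL per CA and that OpenSSL finds each one by file name in the directory. The chain, the names `make_cert`, `write_crl`, `verify_with_crlpath` and `demo`, and the use of `OpenSSL::X509::Store#add_path` as the lookup are assumptions for illustration.

```ruby
require "openssl"
require "tmpdir"
# Constructed demo PKI helper: issue a certificate (self-signed if no issuer).
def make_cert(cn, serial, key, issuer = nil, issuer_key = key, ca: false)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial, cert.public_key = 2, serial, key
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = (issuer || cert).subject
  cert.not_before, cert.not_after = Time.now - 60, Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension("basicConstraints", ca ? "CA:TRUE" : "CA:FALSE", true))
  cert.sign(issuer_key, OpenSSL::Digest.new("SHA256"))
end

# Issue a CRL for ca_cert and store it under the name OpenSSL's hashed-directory
# lookup expects: <hash of issuer name>.r0 (the layout `openssl rehash` produces).
def write_crl(dir, ca_cert, ca_key, revoked_serials = [])
  crl = OpenSSL::X509::CRL.new
  crl.version, crl.issuer = 1, ca_cert.subject
  crl.last_update, crl.next_update = Time.now - 60, Time.now + 3600
  revoked_serials.each do |s|
    crl.add_revoked(OpenSSL::X509::Revoked.new.tap { |r| r.serial, r.time = s, Time.now })
  end
  crl.sign(ca_key, OpenSSL::Digest.new("SHA256"))
  File.write(File.join(dir, format("%08x.r0", crl.issuer.hash)), crl.to_pem)
end

# Verify the chain, demanding a CRL for every certificate; CRLs come from crlpath.
def verify_with_crlpath(root, intermediate, leaf, crlpath)
  store = OpenSSL::X509::Store.new.add_cert(root).add_path(crlpath)
  store.flags = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
  ctx = OpenSSL::X509::StoreContext.new(store, leaf, [intermediate])
  [ctx.verify, ctx.error, ctx.error_string]
end

# Steps: root CRL only; a CRL per CA; intermediate CRL reissued revoking the agent.
def demo
  rk, ik, lk = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
  root = make_cert("Demo Root CA", 1, rk, ca: true)
  inter = make_cert("Demo Intermediate CA", 2, ik, root, rk, ca: true)
  leaf = make_cert("agent.example.test", 3, lk, inter, ik)
  Dir.mktmpdir do |dir|
    [[root, rk, []], [inter, ik, []], [inter, ik, [leaf.serial]]].map do |ca, key, revoked|
      write_crl(dir, ca, key, revoked)
      verify_with_crlpath(root, inter, leaf, dir)
    end
  end
end
p demo if __FILE__ == $PROGRAM_NAME
```

With only the root CA's CRL present the check fails because no CRL covers the agent certificate's issuer, which is the single-CRL limitation the ticket describes.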
