I've been working on setting up a puppet deployment using an external CA
that signs certs for my puppet masters rather than using the internal
self-signed certs. Along the way, I wanted to try having the certificate
chain available on the agents so I added the "localcacertdir" option to
puppet. localcacertdir points at a directory with all the required certs
in it with the hash symlinks set up as openssl likes them (see openssl x509
-hash). I later found that this option is not necessary for normal
operation once the CRL checks are relaxed a bit with the next patch, and am
sending it here in case somebody else will find use for it.

The second patch relaxes the CRL checking flags sent to openssl so that
verification can succeed even if all of the CRLs in the certificate chain
are not available. With this option enabled (default is disabled to match
current behavior), only the first certificate in the chain's CRL (the puppet
master's CA cert) is verified. This makes my setup work well enough for me
to move forward, although the correct solution is to distribute the entire
CRL chain and have puppet use it. I'm still learning the internals of
puppet and ruby at the same time so that will have to wait for another day.

I doubt I've taken the right approach in these patches, so feel free to rip
them apart.  I'm just hoping for some form of support in upstream for the
relaxed CRL checking in 0.26, since that's what I'm targeting for
production.

Thanks,
-Al Tobey


Attachment: 0001-Add-support-for-localcacertdir.patch

Attachment: 0002-Add-support-for-certificate_revocation_shallow.patch

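An added illustration of the CRL behaviour the second patch describes, written for this page and not taken from the email or its attached patches: it builds a throwaway three-tier chain (external root, Puppet CA, agent cert) with Ruby's OpenSSL bindings and verifies the agent cert with only the Puppet CA's CRL on hand. The assumption is that the "relaxed" mode corresponds to OpenSSL's `V_FLAG_CRL_CHECK` alone (leaf issuer's CRL only) and the current behaviour to `V_FLAG_CRL_CHECK | V_FLAG_CRL_CHECK_ALL` (every CRL in the chain); all names and keys are constructed.

```ruby
require 'openssl'

# Constructed three-tier chain: external root -> Puppet CA -> agent cert.
# Throwaway keys and names; nothing here comes from a real deployment.
def make_cert(subject, issuer, issuer_key, key, ca)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = rand(1..2**31)
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer ? issuer.subject : cert.subject   # nil issuer => self-signed root
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  ef = OpenSSL::X509::ExtensionFactory.new(issuer || cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', ca ? 'CA:TRUE' : 'CA:FALSE', true))
  cert.sign(issuer_key, OpenSSL::Digest::SHA256.new)
end

# Empty CRL (no revoked serials) signed by the given CA.
def make_crl(issuer, issuer_key)
  crl = OpenSSL::X509::CRL.new
  crl.version = 1
  crl.issuer = issuer.subject
  crl.last_update = Time.now - 60
  crl.next_update = Time.now + 3600
  crl.sign(issuer_key, OpenSSL::Digest::SHA256.new)
end

ROOT_KEY, CA_KEY, AGENT_KEY = Array.new(3) { OpenSSL::PKey::RSA.new(2048) }
ROOT      = make_cert('/CN=External Root', nil, ROOT_KEY, ROOT_KEY, true)
PUPPET_CA = make_cert('/CN=Puppet CA', ROOT, ROOT_KEY, CA_KEY, true)
AGENT     = make_cert('/CN=agent.example', PUPPET_CA, CA_KEY, AGENT_KEY, false)
PUPPET_CA_CRL = make_crl(PUPPET_CA, CA_KEY)   # the only CRL the agent has; no root CRL

# Verify the agent cert as an agent holding only the Puppet CA's CRL would:
# root trusted, intermediate supplied as chain material, flags as requested.
# Returns [verified?, OpenSSL's error string].
def verify_agent(flags)
  store = OpenSSL::X509::Store.new
  store.add_cert(ROOT)
  store.add_crl(PUPPET_CA_CRL)
  store.flags = flags
  ok = store.verify(AGENT, [PUPPET_CA])
  [ok, store.error_string]
end

# Shallow: only the leaf issuer's CRL is consulted. Full: every CRL in the chain is required.
SHALLOW = OpenSSL::X509::V_FLAG_CRL_CHECK
FULL    = OpenSSL::X509::V_FLAG_CRL_CHECK | OpenSSL::X509::V_FLAG_CRL_CHECK_ALL
```

With the root CA's CRL missing, `verify_agent(SHALLOW)` succeeds while `verify_agent(FULL)` fails with OpenSSL's "unable to get certificate CRL", which is the gap the relaxed mode papers over until the whole CRL chain is distributed.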