Issue #19902 has been updated by Rob Nelson.

Status changed from Unreviewed to Needs Decision

Needs a decision from the product owner.

----------------------------------------
Feature #19902: Flexible configuration for agent SSL handling
https://projects.puppetlabs.com/issues/19902#change-98294

* Author: Dustin Mitchell
* Status: Needs Decision
* Priority: Normal
* Assignee: 
* Category: 
* Target version: 
* Affected Puppet version: 
* Keywords: 
* Branch: 
----------------------------------------
If you're doing certificate chaining (cf. #15561), it's pretty inconvenient for a misconfigured agent (e.g., with the wrong hostname) to start inventing certs and keys for itself and talking to the master about them. I'd like to have an option to disable this behavior.

I'd suggest "ssl_bootstrap" as the parameter name, defaulting to true.

The agent's SSL-related behavior, then, would be:

 * supplying its own certificate in all SSL transactions (mandatory)
 * verifying the master's certificate against a CA certificate in all SSL transactions (mandatory)
   * verification depth should be configurable (`ssl_verify_depth`)
 * verifying CRLs for all CAs (optional, `ssl_verify_crls`)
 * synchronizing CRLs (optional, `ssl_synchronize_crls`)
   * this should work more like plugin sync, and sync a hashed directory - see #14550
   * this will replace `certificate_revocation`, although that option can be maintained for compatibility
 * creating a new key/CSR for itself on startup (optional, `ssl_bootstrap`)
 * submitting the CSR to the master if no cert is available, and polling for a signed cert (optional, `ssl_bootstrap`)
 * requesting the CA cert from the master if not present (optional, `ssl_bootstrap`)
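The behavior table above, modelled as a small decision function (an added illustration, not Puppet's code): the agent looks at what is in its ssldir, decides which bootstrap steps it would need, and refuses outright when `ssl_bootstrap` is false so a misnamed agent never generates keys or submits a CSR. The settings hash, the `state` hash and the action symbols are assumptions made for this example.

```ruby
# Added example: proposed agent SSL decision logic (not Puppet's own code).
# Option names follow the issue; the hashes and action symbols are invented here.

DEFAULT_SETTINGS = {
  ssl_bootstrap: true,         # may the agent create keys/CSRs and enrol itself?
  ssl_verify_depth: 1,         # chain depth accepted when checking the master
  ssl_verify_crls: false,      # check CRLs for every CA in the chain
  ssl_synchronize_crls: false, # fetch CRLs from the master (like plugin sync)
}.freeze

class BootstrapDisabled < StandardError; end

# state: { key: bool, cert: bool, ca_cert: bool } describing the agent's ssldir.
# Returns the ordered list of actions the agent would take before its first
# SSL transaction, or raises when completing them would require bootstrapping.
def plan_ssl_actions(state, settings = {})
  s = DEFAULT_SETTINGS.merge(settings)

  # Optional steps, only needed when the ssldir is incomplete.
  needed = []
  needed << :request_ca_cert unless state[:ca_cert]
  needed << :generate_key_and_csr unless state[:key]
  needed << :submit_csr_and_poll unless state[:cert]

  # The point of the feature: a misconfigured agent must not invent
  # material and talk to the master about it unless explicitly allowed.
  if !needed.empty? && !s[:ssl_bootstrap]
    raise BootstrapDisabled,
          "ssl_bootstrap=false: missing #{needed.join(', ')}; refusing to self-enrol"
  end

  actions = needed.dup
  actions << :sync_crls if s[:ssl_synchronize_crls]
  actions << :verify_crls if s[:ssl_verify_crls]

  # Mandatory steps: always present our cert, always verify the master's
  # chain against the CA cert, to the configured depth.
  actions << :present_own_cert
  actions << [:verify_master_chain, s[:ssl_verify_depth]]
  actions
end
```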



-- 
You received this message because you are subscribed to the Google Groups 
"Puppet Bugs" group.