Class: Puppet::SSL::StateMachine::NeedRenewedCert Private

Inherits:
KeySSLState
Defined in:
lib/puppet/ssl/state_machine.rb

Overview

This class is part of a private API. You should avoid using this class if possible, as it may be removed or be changed in the future.

Class to renew a client/host certificate automatically.

Instance Attribute Summary

Attributes inherited from KeySSLState

#private_key

Attributes inherited from SSLState

#ssl_context

Instance Method Summary

Methods inherited from KeySSLState

#initialize

Methods inherited from SSLState

#initialize, #log_error, #to_error

Constructor Details

This class inherits a constructor from Puppet::SSL::StateMachine::KeySSLState

Instance Method Details

#next_state ⇒ Object

This method is part of a private API. You should avoid using this method if possible, as it may be removed or be changed in the future.

# File 'lib/puppet/ssl/state_machine.rb', line 369

def next_state
  Puppet.debug(_("Renewing client certificate"))

  route = @machine.session.route_to(:ca, ssl_context: @ssl_context)
  cert = OpenSSL::X509::Certificate.new(
    route.post_certificate_renewal(@ssl_context)[1]
  )

  # verify client cert before saving
  next_ctx = @ssl_provider.create_context(
    cacerts: @ssl_context.cacerts, crls: @ssl_context.crls, private_key: @private_key, client_cert: cert
  )
  @cert_provider.save_client_cert(Puppet[:certname], cert)

  Puppet.info(_("Renewed client certificate: %{cert_digest}, not before '%{not_before}', not after '%{not_after}'") % { cert_digest: @machine.digest_as_hex(cert.to_pem), not_before: cert.not_before, not_after: cert.not_after })

  Done.new(@machine, next_ctx)
rescue Puppet::HTTP::ResponseError => e
  if e.response.code == 404
    Puppet.info(_("Certificate autorenewal has not been enabled on the server."))
  else
    Puppet.warning(_("Failed to automatically renew certificate: %{code} %{reason}") % { code: e.response.code, reason: e.response.reason })
  end
  Done.new(@machine, @ssl_context)
rescue => e
  Puppet.warning(_("Unable to automatically renew certificate: %{message}") % { message: e.message })
  Done.new(@machine, @ssl_context)
end
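The security-relevant step in the method above is that the renewed certificate is passed through create_context before save_client_cert is ever called, so a certificate that does not chain to the agent's trusted CA bundle, or that was issued for some other key, is never written to disk. The following Ruby script is an added example, not part of Puppet; it reproduces that acceptance check in isolation (CRL checking omitted) using constructed CAs and keys, and shows a genuine renewal accepted while a rogue-CA certificate and a certificate for a different key are rejected:

```ruby
require 'openssl'

# Constructed fixtures only: minimal X.509 builders for the demonstration.
def build_cert(subject, issuer_cert, pubkey, serial)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = OpenSSL::X509::Name.parse(subject)
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = pubkey
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert
end

def make_ca(name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = build_cert(name, nil, key.public_key, 1)
  ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [key, cert]
end

def issue_cert(ca_key, ca_cert, pubkey, cn, serial)
  cert = build_cert("/CN=#{cn}", ca_cert, pubkey, serial)
  cert.sign(ca_key, OpenSSL::Digest.new('SHA256'))
end

# Approximation of the check create_context performs before the cert is saved:
# the renewed cert must match the agent's private key AND chain to the CA bundle.
def renewed_cert_acceptable?(cacerts, private_key, cert)
  return false unless cert.check_private_key(private_key)
  store = OpenSSL::X509::Store.new
  cacerts.each { |ca| store.add_cert(ca) }
  store.verify(cert)
end

# Three renewal responses: genuine, signed by a rogue CA, issued for another key.
def demo_renewal
  ca_key, ca_cert = make_ca('/CN=Puppet CA')
  rogue_key, rogue_ca = make_ca('/CN=Rogue CA')
  client_key = OpenSSL::PKey::RSA.new(2048)
  other_key = OpenSSL::PKey::RSA.new(2048)
  genuine = issue_cert(ca_key, ca_cert, client_key.public_key, 'agent.example', 2)
  rogue = issue_cert(rogue_key, rogue_ca, client_key.public_key, 'agent.example', 3)
  swapped = issue_cert(ca_key, ca_cert, other_key.public_key, 'agent.example', 4)
  [genuine, rogue, swapped].map { |c| renewed_cert_acceptable?([ca_cert], client_key, c) }
end

puts demo_renewal.inspect if __FILE__ == $0 # => [true, false, false]
```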