(PE-22810) Removed _client_cert_verification #260
Conversation
The private key is not world readable and apt now runs as an unpriveledged user. This means apt can no longer read the private key. We don't validate the client so we're removing the usage of the private key to communicate with master.
|
I tested this by first installing puppet with: ./frankenbuilder 2017.3.0 --install --agent=debian-9-amd64 --mono --preserve-hosts=always --keyfile=~/.ssh/id_rsa-acceptance --vmpooler --workdir /tmp/frankenbuilder1 --puppet_agent=../puppetlabs-puppet_agent I verified that the /etc/apt/apt.conf.d/90pc_repo file was as expected. I then upgraded master by using: ./frankenbuilder 2017.3.2 --upgrade --master bhtcweoy0m8ah0l.delivery.puppetlabs.net Then from the debian agent I ran curl --tlsv1 -O -k https://bhtcweoy0m8ah0l.delivery.puppetlabs.net:8140/packages/current/install.bash This ran without error. The same behavior prior to the change would result in an error that it was not able to find the packages. |
|
Waiting for CLA signature by @barleyj-puppet @barleyj-puppet - We require a Contributor License Agreement (CLA) for people who contribute to Puppet, but we have an easy click-through license with instructions, which is available at https://cla.puppet.com/ Note: if your contribution is trivial and you think it may be exempt from the CLA, please post a short reply to this comment with details. http://docs.puppet.com/community/trivial_patch_exemption.html |
manifests/osfamily/debian.pp
Outdated
| @@ -47,7 +43,6 @@ | |||
| } else { | |||
There was a problem hiding this comment.
This whole if/else block can be collapsed to the single case. I'd reduce the comment to explain why we don't use the cert/key.
The private key is not world readable and apt now runs as an
unpriveledged user. This means apt can no longer read the private
key. We don't validate the client so we're removing the usage of the
private key to communicate with master.