puppetserver-ca 1.11.7 → 2.0.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: fb0be6c52e215c90fd1859e0a9e3460f08e0a1762f96bd0ffd200b3617879b24
-  data.tar.gz: ee870c87865bca5e5ac1ad1168c4087fc49c6911f0c68503896a42dd153184a0
+  metadata.gz: 6523b5628cc4d83aa2627326400a2fb493a18f28d7e4da4b8046eac41e09c555
+  data.tar.gz: 6e8cfbeb2a63ad443f22b196d9cdf2749242ef552c6376fd55b723aa699ceefd
 SHA512:
-  metadata.gz: 073140413ae3ed5ea3755dca89ed0b2e8bc2db901cb5d3dbcf089367721b003aa68549da569bca706e73cb428bd988318e983117825eb4db0da94ad86f204944
-  data.tar.gz: 31bc27af9474c15261c652568e6b99afd29da33bbc8ad4cfcf4f62eeea215e6c00999d3efeb4a504efa78c4fdcd9a3decb372ebfb33a2d80b3231d3b6722de52
+  metadata.gz: 82c62889b706bad66349d5efd8469969b919d8d90741c57c12827eccdedf2de80597ea923509c66de6d6f317da365d860705d556441ce817167d323ad6e80325
+  data.tar.gz: 72cca87e22e38e8c6b2b7975d4920057f5364c7a9499bcf30553894b9285468a0cb1d3fd93aace8974a889a0e0a0ed35f348d902139a07d0f588957e61f479f4

data/README.md

@@ -55,30 +55,20 @@ To create a new keypair and certificate for a certname:
 puppetserver ca generate --certname foo.example.com
 ```
 
-To remove duplicated entries from Puppet's CRL:
-```
-puppetserver ca prune
-```
-
-To enable verbose mode:
-```
-puppetserver ca --verbose <action>
-```
-
 For more details, see the help output:
 ```
 puppetserver ca --help
 ```
 
 This code in this project is licensed under the Apache Software License v2,
-please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/LICENSE.md)
+please see the included [License](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/LICENSE.md)
 for more details.
 
 
 ## Development
 
 After checking out the repo, run `bin/setup` to install dependencies. Then,
-run `bundle exec rake spec` to run the tests. You can also run `bin/console` for an
+run `rake spec` to run the tests. You can also run `bin/console` for an
 interactive prompt that will allow you to experiment.
 
 To install this gem onto your local machine, run `bundle exec rake install`.
@@ -102,7 +92,7 @@ To test your changes on a VM:
 1. To confirm that installation was successful, run `puppetserver ca --help`
 
 ### Releasing
-To release a new version, run the [release pipeline](https://jenkins-platform.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_1.x/), which will bump the version, tag, build, and release the gem.
+To release a new version, run the [release pipeline](https://jenkins-master-prod-1.delivery.puppetlabs.net/job/platform_puppetserver-ca_init-multijob_main/), which will bump the version, tag, build, and release the gem.
 
 
 ## Contributing & Support
@@ -115,9 +105,9 @@ Freenode, or the Puppet Community Slack channel.
 
 Contributions are welcome at https://github.com/puppetlabs/puppetserver-ca-cli/pulls.
 Contributors should both be sure to read the
-[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CONTRIBUTING.md)
+[contributing document](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CONTRIBUTING.md)
 and sign the [contributor license agreement](https://cla.puppet.com/).
 
 Everyone interacting with the project’s codebase, issue tracker, etc is expected
 to follow the
-[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/main/CODE_OF_CONDUCT.md).
+[code of conduct](https://github.com/puppetlabs/puppetserver-ca-cli/blob/master/CODE_OF_CONDUCT.md).

data/lib/puppetserver/ca/action/clean.rb

@@ -14,7 +14,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke cert(s) and remove related files from CA'
         BANNER = <<-BANNER
@@ -59,7 +59,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLOCKLIST.include?(certname)
+            if CERTNAME_BLACKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end
@@ -85,7 +85,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result = clean_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/enable.rb

@@ -45,7 +45,7 @@ BANNER
           end
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           settings = puppet.settings
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 

data/lib/puppetserver/ca/action/generate.rb

@@ -18,7 +18,7 @@ module Puppetserver
 
         # Only allow printing ascii characters, excluding /
         VALID_CERTNAME = /\A[ -.0-~]+\Z/
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = "Generate a new certificate signed by the CA"
         BANNER = <<-BANNER
@@ -26,7 +26,7 @@ Usage:
   puppetserver ca generate [--help]
   puppetserver ca generate --certname NAME[,NAME] [--config PATH]
                            [--subject-alt-names NAME[,NAME]]
-                           [--ca-client [--force]]
+                           [--ca-client]
 
 Description:
   Generates a new certificate signed by the intermediate CA
@@ -35,7 +35,7 @@ Description:
   If the `--ca-client` flag is passed, the cert will be generated
   offline, without using Puppet Server's signing code, and will add
   a special extension authorizing it to talk to the CA API. This can
-  be used for regenerating the server's host cert, or for manually
+  be used for regenerating the master's host cert, or for manually
   setting up other nodes to be CA clients. Do not distribute certs
   generated this way to any node that you do not intend to have
   administrative access to the CA (e.g. the ability to sign a cert).
@@ -75,10 +75,6 @@ BANNER
                     'Causes the cert to be generated offline.') do |ca_client|
               parsed['ca-client'] = true
             end
-            opts.on('--force', 'Suppress errors when signing cert offline.',
-                    "To be used with '--ca-client'") do |force|
-              parsed['force'] = true
-            end
             opts.on('--ttl TTL', 'The time-to-live for each cert generated and signed') do |ttl|
               parsed['ttl'] = ttl
             end
@@ -95,7 +91,7 @@ BANNER
             errors << '    At least one certname is required to generate'
           else
             results['certnames'].each do |certname|
-              if CERTNAME_BLOCKLIST.include?(certname)
+              if CERTNAME_BLACKLIST.include?(certname)
                 errors << "    Cannot manage cert named `#{certname}` from " +
                           "the CLI, if needed use the HTTP API directly"
               end
@@ -130,7 +126,7 @@ BANNER
           # Load, resolve, and validate puppet config settings
           settings_overrides = {}
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # We don't want generate to respect the alt names setting, since it is usually
@@ -143,21 +139,8 @@ BANNER
 
           # Generate and save certs and associated keys
           if input['ca-client']
-            # Refuse to generate certs offline if the CA service is running
-            begin
-              return 1 if HttpClient.check_server_online(puppet.settings, @logger)
-            rescue Puppetserver::Ca::ConnectionFailed => e
-              base_message = "Could not determine whether Puppet Server is online."
-              if input['force']
-                @logger.inform("#{base_message} Connection check failed with " \
-                  "error: #{e.wrapped}\nContinuing with certificate signing.")
-              else
-                @logger.inform("#{base_message} If you are certain that the " \
-                  "Puppetserver service is stopped, run this command again " \
-                  "with the '--force' flag.")
-                raise e
-              end
-            end
+            # Refused to generate certs offfline if the CA service is running
+            return 1 if HttpClient.check_server_online(puppet.settings, @logger)
             all_passed = generate_authorized_certs(certnames, alt_names, puppet.settings, signer.digest)
           else
             all_passed = generate_certs(certnames, alt_names, puppet.settings, signer.digest, input['ttl'])
@@ -313,9 +296,7 @@ BANNER
         end
 
         def process_alt_names(alt_names, certname)
-          # It is recommended (and sometimes enforced) to always include
-          # the certname as a SAN, see RFC 2818 https://tools.ietf.org/html/rfc2818#section-3.1.
-          return "DNS:#{certname}" if alt_names.empty?
+          return '' if alt_names.empty?
 
           current_alt_names = alt_names.dup
           # When validating the cert, OpenSSL will ignore the CN field if

data/lib/puppetserver/ca/action/import.rb

@@ -4,6 +4,7 @@ require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
 require 'puppetserver/ca/utils/cli_parsing'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
 require 'puppetserver/ca/x509_loader'
@@ -14,7 +15,7 @@ module Puppetserver
       class Import
         include Puppetserver::Ca::Utils
 
-        SUMMARY = "Import an external CA chain and generate server PKI"
+        SUMMARY = "Import an external CA chain and generate master PKI"
         BANNER = <<-BANNER
 Usage:
   puppetserver ca import [--help]
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -72,7 +73,7 @@ BANNER
         def import(loader, settings, signing_digest)
           ca = Puppetserver::Ca::LocalCertificateAuthority.new(signing_digest, settings)
           ca.initialize_ssl_components(loader)
-          server_key, server_cert = ca.create_server_cert
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -88,25 +89,25 @@ BANNER
             [settings[:cadir] + '/infra_crl.pem', loader.crls],
             [settings[:localcacert], loader.certs],
             [settings[:hostcrl], loader.crls],
-            [settings[:hostpubkey], server_key.public_key],
-            [settings[:hostcert], server_cert],
-            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
+            [settings[:hostpubkey], master_key.public_key],
+            [settings[:hostcert], master_cert],
+            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
             [settings[:capub], loader.key.public_key],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert]
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert]
           ]
 
           private_files = [
-            [settings[:hostprivkey], server_key],
+            [settings[:hostprivkey], master_key],
             [settings[:cakey], loader.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if server's keys exist. Certain workflows
+          # We don't want to error if master's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a server. The host class will honor keys, if both
+          # upgraded to be a master. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -130,6 +131,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 
@@ -178,11 +181,11 @@ ERR
               parsed['crl-chain'] = chain
             end
             opts.on('--certname NAME',
-                    'Common name to use for the server cert') do |name|
+                    'Common name to use for the master cert') do |name|
               parsed['certname'] = name
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the server cert') do |sans|
+                    'Subject alternative names for the master cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
           end

data/lib/puppetserver/ca/action/list.rb

@@ -30,7 +30,6 @@ Options:
       BANNER
 
         BODY = JSON.dump({desired_state: 'signed'})
-        VALID_FORMAT = ['text', 'json']
 
         def initialize(logger)
           @logger = logger
@@ -48,9 +47,6 @@ Options:
             opts.on('--all', 'List all certificates') do |a|
               parsed['all'] = true
             end
-            opts.on('--format FORMAT', "Valid formats are: 'text' (default), 'json'") do |f|
-              parsed['format'] = f
-            end
             opts.on('--certname NAME[,NAME]', Array, 'List the specified cert(s)') do |cert|
               parsed['certname'] = cert
             end
@@ -61,16 +57,9 @@ Options:
           config = input['config']
           certnames = input['certname'] || []
           all = input['all']
-          output_format = input['format'] || "text"
-          missing = []
-
-          unless VALID_FORMAT.include?(output_format)
-            Errors.handle_with_usage(@logger, ["Unknown format flag '#{output_format}'. Valid formats are '#{VALID_FORMAT.join("', '")}'."])
-            return 1
-          end
 
           if all && certnames.any?
-            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname.'])
+            Errors.handle_with_usage(@logger, ['Cannot combine use of --all and --certname'])
             return 1
           end
 
@@ -79,74 +68,27 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
-          if certnames.any?
-            filter_names = lambda { |x| certnames.include?(x['name']) }
-          else
-            filter_names = lambda { |x| true }
-          end
-
-          if (all || certnames.any?)
-            found_certs = get_certs_or_csrs(puppet.settings)
-            if found_certs.nil?
-               # nil is different from no certs found
-               @logger.err('Error while getting certificates')
-               return 1
-            end
-            all_certs = found_certs.select { |cert| filter_names.call(cert) }
-            requested, signed, revoked = separate_certs(all_certs)
-            missing = certnames - all_certs.map { |cert| cert['name'] }
-            output_certs_by_state(all, output_format, requested, signed, revoked, missing)
-          else
-            all_csrs = get_certs_or_csrs(puppet.settings, "requested")
-            if all_csrs.nil?
-               # nil is different from no certs found
-               @logger.err('Error while getting certificate requests')
-               return 1
-            end
-            output_certs_by_state(all, output_format, all_csrs)
-          end
+          filter_names = certnames.any? \
+            ? lambda { |x| certnames.include?(x['name']) }
+            : lambda { |x| true }
 
-          return missing.any? ? 1 : 0
-        end
+          all_certs = get_all_certs(puppet.settings).select { |cert| filter_names.call(cert) }
+          requested, signed, revoked = separate_certs(all_certs)
+          missing = certnames - all_certs.map { |cert| cert['name'] }
 
-        def output_certs_by_state(all, output_format, requested, signed = [], revoked = [], missing = [])
-          if output_format == 'json'
-            output_certs_json_format(all, requested, signed, revoked, missing)
-          else
-            output_certs_text_format(requested, signed, revoked, missing)
-          end
-        end
+          (all || certnames.any?) \
+            ? output_certs_by_state(requested, signed, revoked, missing)
+            : output_certs_by_state(requested)
 
-        def output_certs_json_format(all, requested, signed, revoked, missing)
-          grouped_cert = {}
-
-          if all
-            grouped_cert = { "requested" => requested,
-                             "signed" => signed,
-                             "revoked" => revoked }.to_json
-            @logger.inform(grouped_cert)
-          else
-            grouped_cert["requested"] = requested unless requested.empty?
-            grouped_cert["signed"] = signed unless signed.empty?
-            grouped_cert["revoked"] = revoked unless revoked.empty?
-            grouped_cert["missing"] = missing unless missing.empty?
-
-            # If neither the '--all' flag or the '--certname' flag was passed in
-            # and the requested cert array is empty, we output a JSON object
-            # with an empty 'requested' key. Otherwise, we display
-            # any of the classes that are currently in grouped_cert
-            if grouped_cert.empty?
-              @logger.inform({ "requested" => requested }.to_json)
-            else
-              @logger.inform(grouped_cert.to_json)
-            end
-          end
+          return missing.any? \
+            ? 1
+            : 0
         end
 
-        def output_certs_text_format(requested, signed, revoked, missing)
+        def output_certs_by_state(requested, signed = [], revoked = [], missing = [])
           if revoked.empty? && signed.empty? && requested.empty? && missing.empty?
             @logger.inform "No certificates to list"
             return
@@ -221,15 +163,9 @@ Options:
           return requested, signed, revoked
         end
 
-        def get_certs_or_csrs(settings, queried_state = nil)
-          query = queried_state ? { :state => queried_state } : {}
-          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses(query)
-
-          if result
-            return JSON.parse(result.body)
-          else
-            return nil
-          end
+        def get_all_certs(settings)
+          result = Puppetserver::Ca::CertificateAuthority.new(@logger, settings).get_certificate_statuses
+          result ? JSON.parse(result.body) : []
         end
 
         def parse(args)
@@ -240,11 +176,8 @@ Options:
 
           errors_were_handled = Errors.handle_with_usage(@logger, errors, parser.help)
 
-          if errors_were_handled
-            exit_code = 1
-          else
-            exit_code = nil
-          end
+          exit_code = errors_were_handled ? 1 : nil
+
           return results, exit_code
         end
       end

data/lib/puppetserver/ca/action/migrate.rb

@@ -29,7 +29,7 @@ BANNER
         def run(input)
           config_path = input['config']
           puppet = Config::Puppet.new(config_path)
-          puppet.load
+          puppet.load({}, @logger)
           return 1 if HttpClient.check_server_online(puppet.settings, @logger)
 
           errors = FileSystem.check_for_existing_files(PUPPETSERVER_CA_DIR)
@@ -66,14 +66,6 @@ SUCCESS_MESSAGE
         def migrate(old_cadir, new_cadir=PUPPETSERVER_CA_DIR)
           FileUtils.mv(old_cadir, new_cadir)
           FileUtils.symlink(new_cadir, old_cadir)
-          # Ensure the symlink has the same ownership as the actual cadir.
-          # This requires using `FileUtils.chown` rather than `File.chown`, as
-          # the latter will update the ownership of the target rather than the
-          # link itself.
-          # Symlink permissions are ignored in favor of the target's permissions,
-          # so we don't have to change those.
-          cadir = File.stat(new_cadir)
-          FileUtils.chown(cadir.uid, cadir.gid, old_cadir)
         end
 
         def parse(args)

data/lib/puppetserver/ca/action/revoke.rb

@@ -12,7 +12,7 @@ module Puppetserver
 
         include Puppetserver::Ca::Utils
 
-        CERTNAME_BLOCKLIST = %w{--all --config}
+        CERTNAME_BLACKLIST = %w{--all --config}
 
         SUMMARY = 'Revoke certificate(s)'
         BANNER = <<-BANNER
@@ -55,7 +55,7 @@ BANNER
           errors = CliParsing.parse_with_errors(parser, args)
 
           results['certnames'].each do |certname|
-            if CERTNAME_BLOCKLIST.include?(certname)
+            if CERTNAME_BLACKLIST.include?(certname)
               errors << "    Cannot manage cert named `#{certname}` from " +
                         "the CLI, if needed use the HTTP API directly"
             end
@@ -83,7 +83,7 @@ BANNER
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           result =  revoke_certs(certnames, puppet.settings)

data/lib/puppetserver/ca/action/setup.rb

@@ -3,6 +3,7 @@ require 'optparse'
 require 'puppetserver/ca/config/puppet'
 require 'puppetserver/ca/errors'
 require 'puppetserver/ca/local_certificate_authority'
+require 'puppetserver/ca/utils/config'
 require 'puppetserver/ca/utils/cli_parsing'
 require 'puppetserver/ca/utils/file_system'
 require 'puppetserver/ca/utils/signing_digest'
@@ -23,10 +24,10 @@ Usage:
 Description:
   Setup a root and intermediate signing CA for Puppet Server
   and store generated CA keys, certs, crls, and associated
-  server related files on disk.
+  master related files on disk.
 
   The `--subject-alt-names` flag can be used to add SANs to the
-  certificate generated for the Puppet server. Multiple names can be
+  certificate generated for the Puppet master. Multiple names can be
   listed as a comma separated string. These can be either DNS names or
   IP addresses, differentiated by prefixes: `DNS:foo.bar.com,IP:123.456.789`.
   Names with no prefix will be treated as DNS names.
@@ -55,7 +56,7 @@ BANNER
           settings_overrides[:dns_alt_names] = input['subject-alt-names'] unless input['subject-alt-names'].empty?
 
           puppet = Config::Puppet.new(config_path)
-          puppet.load(settings_overrides)
+          puppet.load(settings_overrides, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           # Load most secure signing digest we can for cers/crl/csr signing.
@@ -76,7 +77,7 @@ BANNER
 
           root_key, root_cert, root_crl = ca.create_root_cert
           ca.create_intermediate_cert(root_key, root_cert)
-          server_key, server_cert = ca.create_server_cert
+          master_key, master_cert = ca.create_master_cert
           return ca.errors if ca.errors.any?
 
           FileSystem.ensure_dirs([settings[:ssldir],
@@ -90,28 +91,28 @@ BANNER
             [settings[:cacert], [ca.cert, root_cert]],
             [settings[:cacrl], [ca.crl, root_crl]],
             [settings[:cadir] + '/infra_crl.pem', [ca.crl, root_crl]],
-            [settings[:hostcert], server_cert],
+            [settings[:hostcert], master_cert],
             [settings[:localcacert], [ca.cert, root_cert]],
             [settings[:hostcrl], [ca.crl, root_crl]],
-            [settings[:hostpubkey], server_key.public_key],
+            [settings[:hostpubkey], master_key.public_key],
             [settings[:capub], ca.key.public_key],
-            [settings[:cert_inventory], ca.inventory_entry(server_cert)],
+            [settings[:cert_inventory], ca.inventory_entry(master_cert)],
             [settings[:cadir] + '/infra_inventory.txt', ''],
             [settings[:cadir] + '/infra_serials', ''],
             [settings[:serial], "002"],
-            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), server_cert],
+            [File.join(settings[:signeddir], "#{settings[:certname]}.pem"), master_cert],
           ]
 
           private_files = [
-            [settings[:hostprivkey], server_key],
+            [settings[:hostprivkey], master_key],
             [settings[:rootkey], root_key],
             [settings[:cakey], ca.key],
           ]
 
           files_to_check = public_files + private_files
-          # We don't want to error if server's keys exist. Certain workflows
+          # We don't want to error if master's keys exist. Certain workflows
           # allow the agent to have already be installed with keys and then
-          # upgraded to be a server. The host class will honor keys, if both
+          # upgraded to be a master. The host class will honor keys, if both
           # public and private exist, and error if only one exists - as is
           # previous behavior.
           files_to_check = files_to_check.map(&:first) - [settings[:hostpubkey], settings[:hostprivkey]]
@@ -135,6 +136,8 @@ ERR
             FileSystem.write_file(location, content, 0640)
           end
 
+          Puppetserver::Ca::Utils::Config.symlink_to_old_cadir(settings[:cadir], settings[:confdir])
+
           return []
         end
 
@@ -160,7 +163,7 @@ ERR
               parsed['config'] = conf
             end
             opts.on('--subject-alt-names NAME[,NAME]',
-                    'Subject alternative names for the server cert') do |sans|
+                    'Subject alternative names for the master cert') do |sans|
               parsed['subject-alt-names'] = sans
             end
             opts.on('--ca-name NAME',
@@ -168,7 +171,7 @@ ERR
               parsed['ca-name'] = name
             end
             opts.on('--certname NAME',
-                    'Common name to use for the server cert') do |name|
+                    'Common name to use for the master cert') do |name|
               parsed['certname'] = name
             end
           end

data/lib/puppetserver/ca/action/sign.rb

@@ -62,7 +62,7 @@ Options:
             return 1 if Errors.handle_with_usage(@logger, errors)
           end
 
-          puppet = Config::Puppet.parse(config)
+          puppet = Config::Puppet.parse(config, @logger)
           return 1 if Errors.handle_with_usage(@logger, puppet.errors)
 
           ca = Puppetserver::Ca::CertificateAuthority.new(@logger, puppet.settings)

data/lib/puppetserver/ca/certificate_authority.rb

@@ -23,7 +23,7 @@ module Puppetserver
 
       def initialize(logger, settings)
         @logger = logger
-        @client = HttpClient.new(@logger, settings)
+        @client = HttpClient.new(settings)
         @ca_server = settings[:ca_server]
         @ca_port = settings[:ca_port]
       end
@@ -41,8 +41,8 @@ module Puppetserver
       end
 
       # Returns a URI-like wrapper around CA specific urls
-      def make_ca_url(resource_type = nil, certname = nil, query = {})
-        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname, query)
+      def make_ca_url(resource_type = nil, certname = nil)
+        HttpClient::URL.new('https', @ca_server, @ca_port, 'puppet-ca', 'v1', resource_type, certname)
       end
 
       def process_ttl_input(ttl)
@@ -141,7 +141,7 @@ module Puppetserver
         when :revoke
           case result.code
           when '200', '204'
-            @logger.inform "Certificate for #{certname} has been revoked"
+            @logger.inform "Revoked certificate for #{certname}"
             return :success
           when '404'
             @logger.err 'Error:'
@@ -215,7 +215,7 @@ module Puppetserver
       def check_revocation(certname, result)
         case result.code
         when '200', '204'
-          @logger.inform "Certificate for #{certname} has been revoked"
+          @logger.inform "Revoked certificate for #{certname}"
           return :success
         when '409'
           return :invalid
@@ -250,8 +250,8 @@ module Puppetserver
       end
 
       # Returns nil for errors, else the result of the GET request
-      def get_certificate_statuses(query = {})
-        result = get('certificate_statuses', 'any_key', query)
+      def get_certificate_statuses
+        result = get('certificate_statuses', 'any_key')
 
         unless result.code == '200'
           @logger.err 'Error:'
@@ -287,8 +287,8 @@ module Puppetserver
       # @param resource_type [String] the resource type of url
       # @param resource_name [String] the resource name of url
       # @return [Struct] an instance of the Result struct with :code, :body
-      def get(resource_type, resource_name, query = {})
-        url = make_ca_url(resource_type, resource_name, query)
+      def get(resource_type, resource_name)
+        url = make_ca_url(resource_type, resource_name)
         @client.with_connection(url) do |connection|
           connection.get(url)
         end