Puppet Server release notes
Puppet Server 6.16.1
Released July 2021 and shipped with Puppet 6.24.0.
--verboseflag. In this release, the
puppetserver casubcommand now accepts the
--verboseflag. If the
--verboseflag is passed, it displays additional low-level details about the invoked action (such as details about HTTP requests created by the tool). SERVER-2251
Specify certificate output in JSON. In this release, the
puppetserver ca listaction now accepts a
--formatflag that can be used to display certificates in JSON format. The output format is
textby default. SERVER-3006
Jetty 9.4.42. This release includes a Jetty update to 9.4.42. SERVER-3035
CRL update endpoint is not enabled by default. The
PUT /puppet-ca/v1/certificate_revocation_listendpoint is now enabled by default for clients that have a special cert extension. Previously, you had to manually update the
auth.conffile to access this endpoint. SERVER-3033
Puppet Server cannot use OpenSSL EC files in OpenSSL format. Previously, Puppet Server failed to load private key PEM files that include separate blocks for EC parameters (such as files output by OpenSSL’s EC key gen commands). This bug is now fixed. SERVER-3016
puppetserver ca generatecommand errors because of the subject alternative name. The
puppetserver ca generatecommand no longer errors when
allow-subject-alt-namesis set to false. SERVER-3032
Puppet Server 6.16.0
Released June 2021 and shipped with Puppet Platform 6.23.0
The CA API accepts CRL updates. You can now update your CRLs using the new API endpoint:
PUT /puppet-ca/v1/certificate_revocation_list. This new endpoint accepts a list of CRL PEMs as a body, inserting updated copies of the applicable CRLs into the trust chain. The CA updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts. You can use this endpoint if your CRLs require frequent updates. Do not use the endpoint to update the CRL associated with the Puppet CA signing certificate (only earlier ones in the certificate chain) SERVER-2550
JRuby 18.104.22.168. In this release, the JRuby version is updated to 22.214.171.124. SERVER-3007
New apache HTTP client broke URL normalization. A security update to the apache HTTP client introduced an unrelated change to URL normalization. This change affected any use of Puppet’s HTTP client within Puppet Server. In this release, the double slash in a URL path is no longer silently ignored by the HTTP client in Puppet Server. Instead, Puppet Server views it as a different URL and returns a 404. Going forward, remove leading double slashes from URLs. SERVER-3014
Environment endpoint failed to cache data if given valid etag. Previously, if you used the environment and transport info endpoints, then you might have seen the cache bypassed—despite receiving a 304 Not Modified response. To work around this issue, users must submit a request to the
environment_classesendpoint without the etag. This request triggers the correct caching behavior. Note that the console (the consumer of the
environment_classesendpoint in PE) must always submit an etag for an environment if it has one. SERVER-3015
Puppet Server 6.15.3
Released 26 April 2021
Puppet Server now adds an extension for subject-alternative-name (SAN) when it signs incoming certificate signing requests (CSR). The SAN extension contains the common name (CN) as a dns-name on the certificate. If the CSR comes with its own SAN extension, Puppet Server signs it and ensures that the SAN extension also includes the CSR's CN. SERVER-2338
The Jetty webserver now uses the local copy of the CRL from Puppet's SSL directory instead of the CA's copy. This fix makes it easier to set up compilers, which always have a disabled CA service and no CRL at the CA path. SERVER-2558
Jetty has been updated to 9.4.40 to resolve security issues.
Puppet Server 6.15.1
Released 9 February 2021
Updated various dependencies to pick up security fixes.
Puppet Server 6.15.0
Released 20 January 2021
The puppetserver CA CLI now provides a
migratecommand to move the CA directory from the Puppet
confdirto the puppetserver
confdir. It leaves behind a symlink on the old CA location, pointing to the new location at
/etc/puppetlabs/puppetserver/ca. The symlink provides backwards compatibility for tools still expecting the
cadirto exist in the old location. In a future release, the
cadirsetting will be removed entirely. SERVER-2896
Puppet Server 6.14.1
Released 26 October 2020
puppet-ca/v1/cleanendpoint now logs the certname of each certificate it revokes. SERVER-2897
Puppet Server 6.14.0
Released 20 October 2020
Added a new CA API endpoint —
puppet-ca/v1/clean— that accepts a list of cert names to be revoked and deleted as a batch. SERVER-2859
Puppet Server's JRuby load path can now be used with
Dir.glob. Notably, this re-enables installing gems with docs via
puppetserver gem. SERVER-2763
Puppet Server 6.13.0
Released 25 August 2020
Puppet Server packages are now available for Ubuntu 20.04. SERVER-2828
Added a new endpoint
/puppet-ca/v1/expirationsthat returns the "not-after" date for each certificate in the CA bundle, as well as the "next-update" date of each CRL in the chain, keyed by common name. The endpoint requires authentication. SERVER-2551
/puppet-ca/v1/certificate_statusesendpoint now accepts a
stateparameter that will filter search results by the given certificate state. Accepted states are 'requested', 'signed', and 'revoked'. SERVER-2233
Puppet Server 6.12.1
Released 14 July 2020
Jolokia will no longer log at debug level by default, which avoids large stack traces for missing metrics. In order to re-enable debug output, set
metrics.confand configure the logging to
The v2 metrics endpoint can now use trapperkeeper-authorization (tk-auth), which can be controlled from
auth.conf(or from the authorization section of the trapperkeeper config). The v2 metrics endpoint is still restricted to localhost by default. If tk-auth is used to restrict access, you may override the default behavior in
Puppet Server 6.12.0
Released 3 June 2020
JRuby has been bumped to 126.96.36.199 again, with
invokedynamic.yieldset to false to resolve a stackoverflow error. SERVER-2793
The v1 metrics endpoint, which was recently disabled by default, is now deprecated. Instead, use the v2 endpoint. TK-486
Puppet Server 6.11.1
Released 7 May 2020
JRuby has been rolled back to 188.8.131.52 while we investigate an intermittent problem where some requests that go through JRuby error repeatedly with StackOverflow exceptions. SERVER-2793.
Downgrading JRuby reintroduced the
sprintfbug marked fixed in 6.10.0, since its fix was tied to the JRuby update.
Puppet Server 6.11.0
Released 30 April 2020
puppetserver caCLI tool has been updated to version 1.7.0. It will now show any authorization extensions that exist when listing certificates or CSRs. SERVER-2591
Puppet Server 6.10.0
Released 14 April 2020
GET /certificate_statusendpoint now returns certificate or CSR's authorization extensions. SERVER-2718
ppRegCertExtarc has been extended with OID
184.108.40.206.4.1.343220.127.116.11and the short name
pp_owner. This OID is meant to help users in cloud environments. The short name will be displayed when using the
puppetserver caCLI tool.
Using a precision number to truncate a string in Puppet's
sprintffunction no longer interpolates extra characters. SERVER-2660.
An update to JRuby 18.104.22.168 has caused a change in defaults when installing gems with the
puppetserver gemcommand. It attempts to install documentation by default, but this will not work. To avoid this bug, pass
--no-documentwhen installing gems. This is caused by an inability to use the
classpath:/puppetserver-libportion of the
$LOAD_PATHas a parameter to
Dir.glob, which Rdoc relies on to install documentation. SERVER-2758.
Puppet Server 6.9.2
Released 19 March 2020
To prevent information exposure as a result of CVE-2020-7943, the
/metrics/v1endpoints are disabled by default, and access to the
/metrics/v2endpoints are restricted to localhost.
Puppet Server 6.9.1
Released 10 March 2020
This release contains some minor test fixes.
Puppet Server 6.9.0
Released 18 February 2020
There is a new JRuby pool architecture that maintains a single a JRuby instance where requests to Puppet Server will run concurrently. You can toggle this behavior by setting
true. In this mode, the server's memory footprint is significantly lighter as it no longer needs to run multiple JRuby instances. Note that this mode should be treated as an experimental feature. SERVER-2684
Puppet Server 6.8.0
Released 14 January 2020
When signing or generating certificates, you can now set the certificate time to live, either with a command line option or by specifying the key directly in the HTTP API. The time unit defaults to seconds, but you can specify a different time unit with any of time unit markers accepted in Puppet configuration.
puppetserver ca signand
puppetserver ca generatecommands accept a
--ttlflag to set certificate time to live. This setting determines how long the resulting certificate is valid for.
Alternatively, you can set the time in the
certificate-statusAPI endpoint in the request body under the key
Puppet Server no longer issues HTTP 503 responses to agents older than Puppet 5.3, which can't react to these responses. This allows the
max-queued-requestssetting to be used safely with older agents. SERVER-2405
Puppet Server 6.7.2
Released 19 November 2019
This version contains minor security fixes.
Puppet Server 6.7.1
Released 15 October 2019
Puppet Server can no longer be configured to accept SSLv3 traffic. SERVER-2654
Puppet Server 6.7.0
Released 1 October 2019
Puppet Server packages are now available for Debian 10. These packages require Java 11 to be installed, rather than Java 8. SERVER-2613
Puppet Server now synchronizes write access to the CRL, so that each revoke request updates the CRL in succession, instead of concurrently. This prevents corruption of the CRL due to competing requests.
Puppet Server 6.6.0
Released 17 September 2019
Puppet Server no longer hardcodes Java's egd parameter. Users may manage the value via JAVA_ARGS or JAVA_ARGS_CLI in the defaults file. SERVER-2602
RedHat 7 FIPS mode packages are now available for
Puppet Server now lists plan content from your modules, just as it does task content. SERVER-2543
You can now enable sending a list of all the Hiera keys looked up during compile to PuppetDB, via the
puppetserver.conf. This is currently only used by CD4PE. SERVER-2538
/puppet-admin-api/v1/jruby-pool/thread-dumpendpoint, which returns a thread dump of running JRuby instances, if
jruby.management.enabledhas been set to
truein the JVM running Puppet Server. See Admin API: JRuby Pool for details. SERVER-2193
Puppet Server now runs with JRuby 22.214.171.124. SERVER-2388
puppetserver ca importcommand now initializes an empty CRL for the intermediate CA if one is not provided in the
Puppet Server can now be reloaded and run with multiple JRuby instances when running under Java 11. This change affects the packaging of Puppet Server. If you are running Puppet Server from source, you must add
facter.jar, provided by the
puppet-agentpackage, to the classpath when starting Puppet Server with Java. SERVER-2423
-Puppet Server's CA can now handle keys in the PKCS#8 format, which is required when running in FIPS mode. SERVER-2019
Puppet Server 6.5.0
Released 22 July 2019
The default for the
cipher-suitessetting in the webserver section of
webserver.confhas been updated. Previously, the defaults included 11 cipher suites, including 4
TLS_RSA_*cipher suites. Now the defaults include all cipher suites usable on a RHEL 7 FIPS-enabled server, our target platform for FIPS certification, except for
TLS_RSA_*ciphers. Additionally, Puppet Server emits warnings if any
TLS_RSA_*ciphers are explicitly enabled in the
To avoid potentially breaking clients that can use only
TLS_RSA_* ciphers, the
webserver.conf file now includes an explicit
cipher-suites setting that adds the previously enabled
TLS_RSA_* ciphers to the new implicit
cipher-suites setting. This has three effects:
Older clients that require the
TLS_RSA_*ciphers will continue to work.
Puppet Server generates warnings in the logs that the
TLS_RSA_*ciphers are enabled.
Puppet Server generates warnings in the logs if ciphers enumerated in the
cipher-suitessetting are not available on that specific OS. These warnings can be safely silenced by editing the
cipher-suitessetting and removing the unavailable ciphers.
A future version of Puppet Server will remove the
cipher-suites setting in
webserver.conf. This will break any clients that still require the
In advance of this change, update any clients that still require the
TLS_RSA_* ciphers to clients that can use more recent ciphers, and remove the
cipher-suites setting in
This update also removes the
so-linger-seconds configuration setting. This setting is now ignored and a warning is issued if it is set. See Jetty's so-linger-seconds for removal details.
See SERVER-2576 for further details.
You can now specify a
--certnameflag with the
puppetserver ca listcommand, which limits the output to information about the requested cert and logs an error if the requested cert does not exist in any form. SERVER-2589
In this release, performance in
puppetservercommands is improved. Running
puppetserver irb, and other Puppet Server CLI commands are 15-30 percent faster to start up. Service starting and reloading should see similar improvements, along with some marginal improvements to top-end performance, especially in environments with limited sources of entropy.
Building Puppet Server outside our network is now slightly easier.
Prior to this release, an unnecessary and deprecated version of Facter was shipped in the
puppetserverpackage. This has been removed.
Cert and CRL bundles no longer need to be in any specific order. By default, the leaf instances still come first, descending to the root, which are last. SERVER-2465
Puppet Server 6.4.0
Released 19 April 2019
This release adds a new API endpoint to
/puppet/v3/environment_transports. This endpoint lists all of the available network transports from modules and is for use with the Agentless Catalog Executor. SERVER-2467
Puppet Server 6.3.0
Released 26 March 2019
Puppet Server has a new endpoint for catalog retrieval, allowing more options than the previous endpoint. This endpoint is controlled by
tk-auth, and by default is not generally accessible. It is an API that integrators can use to provide functionality similar to
puppet server --compile. This endpoint is intended for use by other Puppet services. SERVER-2434
certificate_statusendpoint now returns additional information for custom integration. SERVER-2370
Puppet Server 6.2.1
Released 20 February 2019.
This release contains resolved issues.
Updated bouncy-castle to 1.60 to fix security issues. SERVER-2431
Puppet Server 6.2.0
Released 23 January 2019.
This release contains new features and resolved issues.
puppetserver catool now respects the
puppet.conffor those users that have created their own high availability configuration using that feature. SERVER-2392
The EZBake configs now allow you to specify
JAVA_ARGS_CLI, which is used when using
puppetserversubcommands to configure Java differently from what is needed for the service. This was used by the CLI before, but as an environment variable only, not as an EZBake config option. SERVER-2399
A dependency issue caused puppetserver 6.1.0 to fail with OpenJDK 11. This has been fixed and Puppet Server packages can now start under Java 11. SERVER-2404
Puppet Server 6.1.0
Released 18 December 2018
The CA service and the CA proxy service (in PE) now have their own entries in the status endpoint output and can be queried as "ca" and "ca-proxy" respectively. SERVER-2350
Puppet Server now creates a default
ca.conffile when installed, both in open source Puppet and Puppet Enterprise. CA settings such as
allow-subject-alt-namesshould be configured in the
certificate-authoritysection of this file. (SERVER-2372)
puppetserver ca generatecommand now has a flag
--ca-clientthat will generate a certificate offline -- not using the CA API -- that is authorized to talk to that API. This can be used to regenerate the primary server's host cert, or create certs for distribution to other CA nodes that need administrative access to the CA, such as the ability to sign and revoke certs. This command should only be used while Puppet Server is offline, to avoid conflicts with cert serials. (SERVER-2320)
The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled). (SERVER-2267
Puppet Server 6.1.0 upgrades to JRuby 126.96.36.199. This version implements the Ruby 2.5 interface. It is backwards compatible, but will issue a warning for Ruby language features that have been deprecated. The major warning that users will see is
warning: constant ::Fixnum is deprecated. Upgrading to this version of JRuby means that the Ruby interface has the same version as the Puppet agent. This version of JRuby is faster than previous versions under certain conditions. SERVER-2381
Puppet Server now has experimental support for Java 11 for users that run from source or build their own packages. This has been tested with low level tests but does not work when installed from official packages. Consequently, we consider this support "experimental", with full support coming later in 2019 for the latest long term supported version of Java. SERVER-2315.
puppetserver cacommand now provides useful errors on connection issues and returns debugging information. SERVER-2317
puppetserver catool now prefers the
puppet.conffor users that have created their own high availability configuration using this feature. SERVER-2392
puppetserver cacommand no longer has the wrong default value for the
$serversetting. Previously the
puppetserver catool defaulted to
$certnamewhen connecting to the server, while the agent defaulted to
puppetserver catool now has the same default for
$serveras the agent. It will also honor the settings within the agent section of the
Jetty no longer reports its version. TK-473
Puppet Server 6.0.0
Released 18 September 2018
This Puppet Server release provides a new workflow and API for certificate issuance. By default, the server now generates a root and intermediate signing CA cert, rather than signing everything off the root. If you have an external certificate authority, you can generate an intermediate signing CA from it instead, and a new
puppetserver ca subcommand puts everything into its proper place.
There is now a CLI command for setting up the certificate authority, called
puppetserver ca. (SERVER-2172)
For fresh installs, the Puppet primary server's cert is now authorized to connect to the
certificate_statusendpoint out of the box. This allows the new CA CLI tool to perform CA tasks via Puppet Server's CA API. (SERVER-2308) Note that upgrades will need to instead allow the primary server's cert for these endpoints.
Puppet Server now has a setting called
certificate-authoritysection of its config for enabling signing certs with authorization extensions. It is false by default. (SERVER-2290)
Puppet Server now has a setting called
certificate-authoritysection of its config for enabling signing certs with subject alternative names. It is false by default. (SERVER-2278)
puppetserver caCLI now has an
importsubcommand for installing key and certificate files that you generate, for example, when you have an external root CA that you need Puppet Server's PKI to chain to. (SERVER-2261)
We've added an infrastructure-only CRL in addition to the full CRL, that provides a list of certs that, when revoked, should be added to a separate CRL (useful for specifying special nodes in your infrastructure like compile servers). You can configure Whether this special CRL or the default CRL are distributed to agents. (SERVER-2231)
Puppet Server now bundles its
JRuby jarinside the main uberjar. This means the
JRUBY_JARsetting is no longer valid, and a warning will be issued if it is set. (SERVER-2157)
Puppet Server 6.0 uses JRuby 9K, which implements Ruby language version 2.3 Server-side gems that were installed manually with the
puppetserver gemcommand or using the
puppetserver_gempackage provider might need to be updated to work with JRuby 9K. Additionally, if
MaxMetaspacesizeparameters were set in
JAVA_ARGS, they might need to be adjusted for JRuby 9K.
The version of semantic_puppet has been updated in Puppet Server to ensure backwards compatibility in preparation for future major releases of Puppet Platform. (SERVER-2132)
Puppet Server 6.0 now uses JRuby 9k. This implements version 2.3 of the Ruby language. (SERVER-2095)
We've made server-side fixes for fully supporting intermediate CA capability. With this, CRL chains will be persisted when revoking certs. SERVER-2205
Ruby’s native methods for spawning processes cause a fork of the JVM on most Linux servers, which in a large production environment causes Out of Memory errors at the OS level. Puppet Server provides a lighter weight way of creating sub-processes with its built-in execution helper
Puppet::Util::Execution.execute when writing Ruby-based functions, custom report processors, Hiera backends and faces. When writing custom providers, use the commands helper to determine suitability.