Puppet Server 7.2.0
Released June 2021 and shipped with Puppet 7.7.0.
The new API endpoint
PUT /puppet-ca/v1/certificate_revocation_listaccepts a list of CRL PEMs as a body and inserts updated copies of your CRLs into the trust chain. The CA updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts. You can use this endpoint if your organization's CRLs require frequent updates. You cannot use the endpoint to update the CRL associated with the Puppet CA signing certificate (only earlier ones in the certificate chain). SERVER-2550
The JRuby version is updated to 188.8.131.52. SERVER-3007
Previously, a security update to the apache HTTP client changed URL normalization, affecting any use of Puppet’s HTTP client within Puppet Server. SERVER-3014
Users of the environment and transport information endpoints received a 304 Not Modified response despite a cache bypass (and additional work on the server). SERVER-3015
Puppet Server 7.1.2
Released April 2021 and shipped with Puppet 7.6.1.
This release includes minor dependency updates, including an update to Jetty 9.4.40 to resolve security issues.
Puppet Server 7.1.0
Released March 2021 and shipped with Puppet 7.5.0.
Puppet Server now adds an extension for subject-alternative-name (SAN) when it signs incoming certificate signing requests (CSR). The SAN extension contains the common name (CN) as a dns-name on the certificate. If the CSR comes with its own SAN extension, Puppet Server signs it and ensures the SAN extension includes the CSR’s CN. SERVER-2338
The Jetty webserver now uses the local copy of the CRL from Puppet's SSL directory instead of the CA's copy. This fix makes it easier to set up compilers, which always have a disabled CA service and no CRL at the CA path. SERVER-2558
master-run-dirconfiguration settings have been deprecated in favor of
server-run-dirrespectively. The configuration files — which use the new settings — are shipped with the 7.1.0
puppetserverpackage. Note that the old settings are still honored for backwards compatibility, but we recommend you upgrade to the new settings. SERVER-2867
Puppet Server 7.0.3
Released February 2021 and shipped with Puppet 7.4.0.
This release updates dependencies to include security fixes.
Puppet Server 7.0.2
Released 20 January 2021 and shipped with Puppet 7.3.0.
The warning issued when the CA dir is inside the SSL dir now only prints server logs at startup and when using the
puppetserver caCLI, instead of any time a Puppet command is used. (SERVER-2934)
Puppet Server 7.0.1
Released December 2020 and shipped with Puppet 7.1.0.
The JRuby version has been bumped from 184.108.40.206 to 220.127.116.11. (SERVER-2925)
The CA command line tool now correctly honors the
serversections in the
When creating the symlink between the new and legacy cadirs the symlink will now be properly owned by the
Puppet Server 7.0.0
Released November 2020 and shipped with Puppet 7.0.0.
Puppet Server 7.0 is a major release. It breaks compatibility with agents prior to 4.0 and the legacy Puppet
auth.conf, moves the default location for the
cadir, and changes defaults for fact caching and cipher suites. See below for more details. Caution is advised when upgrading.
The default value for the
cadirsetting is now located at
/etc/puppetlabs/puppetserver/ca. Previously, the default location was inside Puppet's own
/etc/puppetlabs/puppet/ssl/ca. This change makes it safer to delete Puppet's
ssldirwithout accidentally deleting your CA certificates.
The puppetserver CA CLI now provides a
migratecommand to move the CA directory from the Puppet
confdirto the puppetserver
confdir. It leaves behind a symlink on the old CA location, pointing to the new location at
/etc/puppetlabs/puppetserver/ca. The symlink provides backwards compatibility for tools still expecting the
cadirto exist in the old location. In a future release, the
cadirsetting will be removed entirely. (SERVER-2896)
The default value for the facts cache is now JSON instead of YAML. You can re-enable the old YAML terminus in
Support for legacy Puppet
auth.confhas been removed and the
jruby-puppet.use-legacy-auth-confsetting no longer works. Use Puppet Server's
auth.conffile instead. (SERVER-2778)
Puppet Server no longer services requests for legacy (3.x) Puppet endpoints. Puppet Agents before 4.0 are no longer be able to check in. (SERVER-2791)
This release removes default support for many cipher suites when contacting Puppet Server. The new default supported cipher suites are:
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This change aligns open source Puppet with Puppet Enterprise. Note that this change may break on old platforms. To re-enable older cipher suites you may edit the
webserver.conf. Valid cipher suite names are listed in the JDK Documentation. (SERVER-2913)
Puppet Server now provides an HTTP client whose API conforms to the HTTP client provided by Puppet. This new client is stored in the Puppet runtime as