Released 15 January 2019.
This release contains new features.
The puppetserver ca tool now respects the puppet.conf for those users that have created their own high availability configuration using that feature. (SERVER-2392)
JAVA_ARGS_CLI, which is used when using puppetserver subcommands to configure Java differently from what is needed for the service. This was used by the CLI before, but as an environment variable only, not as an EZBake config option. (SERVER-2399)
Released 23 October 2018
Released 2 October 2018
Puppet Server now creates a default ca.conf file when installed, both in open source Puppet and Puppet Enterprise. CA settings such as allow-subject-alt-names should be configured in the certificate-authority section of this file. (SERVER-2372)
The puppetserver ca generate command now has a flag, --ca-client, that generates a certificate offline – not using the CA API – that is authorized to talk to that API. This can be used to regenerate the master’s host cert, or to create certs for distribution to other CA nodes that need administrative access to the CA, such as the ability to sign and revoke certs. This command should only be used while Puppet Server is offline, to avoid conflicts with cert serials. (SERVER-2320)
The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled). (SERVER-2267)
Released 18 September 2018
This Puppet Server release provides a new workflow and API for certificate issuance. By default, the server now generates a root and intermediate signing CA cert, rather than signing everything off the root. If you have an external certificate authority, you can generate an intermediate signing CA from it instead, and a new puppetserver ca subcommand puts everything into its proper place.
For fresh installs, the Puppet master’s cert is now authorized to connect to the certificate_status endpoint out of the box. This allows the new CA CLI tool to perform CA tasks via Puppet Server’s CA API. (SERVER-2308) Note that upgrades will instead need to whitelist the master’s cert for these endpoints; see Puppet Server: Subcommands#ca.
Puppet Server now has a setting called allow-authorization-extensions in the certificate-authority section of its config for enabling signing certs with authorization extensions. It is false by default. (SERVER-2290)
Puppet Server now has a setting called allow-subject-alt-names in the certificate-authority section of its config for enabling signing certs with subject alternative names. It is false by default. (SERVER-2278)
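A check an operator could run over ca.conf content to see whether either of the two signing relaxations described above has been switched on. This is an added example, not Puppet Server code; it assumes the certificate-authority block is opened on its own line with one setting per line, and the sample file content is constructed.

```python
import re

# Settings this page places in the certificate-authority section;
# both are false by default, so an absent key counts as disabled.
RELAXED_SIGNING_SETTINGS = ("allow-subject-alt-names", "allow-authorization-extensions")

def strip_comment(line):
    """Drop '#' and '//' comments (the boolean values checked here never contain them)."""
    return re.split(r"#|//", line, maxsplit=1)[0]

def read_ca_section(text):
    """Return key -> raw value for top-level entries of the certificate-authority block."""
    settings, depth, inside = {}, 0, False
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not inside:
            if re.match(r'"?certificate-authority"?\s*[:=]?\s*\{', line):
                inside, depth = True, 1
            continue
        depth += line.count("{") - line.count("}")
        if depth <= 0:
            break  # closing brace of the section
        m = re.match(r'"?([\w-]+)"?\s*[:=]\s*"?([^",\s]+)"?', line)
        if m and depth == 1:  # ignore keys inside nested objects
            settings[m.group(1)] = m.group(2)
    return settings

def audit(text):
    """Map each relaxed-signing setting to True (enabled) or False (disabled/absent)."""
    found = read_ca_section(text)
    return {k: found.get(k, "false").lower() == "true" for k in RELAXED_SIGNING_SETTINGS}

# Constructed sample, not a file shipped by Puppet Server.
SAMPLE_CA_CONF = """
certificate-authority: {
    # enabled for compile masters behind a load balancer
    allow-subject-alt-names: true
    // allow-authorization-extensions: true
}
"""

if __name__ == "__main__":
    for name, enabled in audit(SAMPLE_CA_CONF).items():
        print(f"{name}: {'ENABLED, review who can submit CSRs' if enabled else 'disabled (default)'}")
```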
The puppetserver ca CLI now has an import subcommand for installing key and certificate files that you generate, for example, when you have an external root CA that you need Puppet Server’s PKI to chain to. (SERVER-2261)
We’ve added an infrastructure-only CRL in addition to the full CRL, that provides a list of certs that, when revoked, should be added to a separate CRL (useful for specifying special nodes in your infrastructure like compile masters). You can configure whether this special CRL or the default CRL is distributed to agents. (SERVER-2231)
Puppet Server now bundles its JRuby jar inside the main uberjar. This means the JRUBY_JAR setting is no longer valid, and a warning will be issued if it is set.
Puppet Server 6.0 uses JRuby 9K, which implements Ruby language version 2.3. Server-side gems that were installed manually with the puppetserver gem command or using the puppetserver_gem package provider might need to be updated to work with JRuby 9K. Additionally, if MaxMetaspacesize parameters were set in JAVA_ARGS, they might need to be adjusted for JRuby 9K. See the known issues for more info.
The version of semantic_puppet has been updated in Puppet Server to ensure backwards compatibility in preparation for future major releases of Puppet Platform. (SERVER-2132)
Puppet Server 6.0 now uses JRuby 9k. This implements version 2.3 of the Ruby language. (SERVER-2095)