Puppet Server: Release Notes

This version is out of date. For current versions, see Puppet packages and versions.

Puppet Server 6.3.3

Released 14 January 2020

New features

  • When requesting that a certificate be signed, the certificate-status API endpoint can now accept a TTL in its body under the key cert_ttl, which determines the validity period of the cert being signed. The unit defaults to seconds, but you can specify the unit. See configuration for a list of Puppet’s accepted time unit markers. SERVER-2678
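As an added illustration (not code from Puppet or from this page), the following Ruby sketch builds the signing request with a cert_ttl and rejects validity periods above a local policy ceiling before anything is sent. It assumes the CA API path /puppet-ca/v1/certificate_status/<certname>, the desired_state key, and the unit markers s, m, h, d, y from Puppet's configuration reference; MAX_TTL_SECONDS and both helper names are hypothetical.

```ruby
require 'json'
require 'net/http'

# Seconds per unit marker (assumed from Puppet's duration settings; y = 365 days).
UNIT_SECONDS = { 's' => 1, 'm' => 60, 'h' => 3600,
                 'd' => 86_400, 'y' => 31_536_000 }.freeze

# Hypothetical local policy ceiling, not a Puppet default: 90 days.
MAX_TTL_SECONDS = 90 * 86_400

# Convert a cert_ttl value (Integer seconds or "<n><unit>") to seconds.
def ttl_to_seconds(ttl)
  match = /\A(\d+)([smhdy])?\z/.match(ttl.to_s)
  raise ArgumentError, "unparseable cert_ttl: #{ttl.inspect}" unless match

  # A missing unit marker means seconds, as the release note states.
  seconds = match[1].to_i * UNIT_SECONDS.fetch(match[2] || 's')
  raise ArgumentError, 'cert_ttl must be positive' unless seconds.positive?

  seconds
end

# Build (but do not send) the PUT request asking the CA to sign certname.
def build_sign_request(certname, ttl)
  unless certname.match?(/\A[a-z0-9._-]+\z/)
    raise ArgumentError, "bad certname: #{certname.inspect}"
  end

  if ttl_to_seconds(ttl) > MAX_TTL_SECONDS
    raise ArgumentError, "cert_ttl #{ttl} exceeds policy maximum"
  end

  req = Net::HTTP::Put.new("/puppet-ca/v1/certificate_status/#{certname}")
  req['Content-Type'] = 'application/json'
  req.body = JSON.generate('desired_state' => 'signed', 'cert_ttl' => ttl)
  req
end
```

The request still has to be sent over TLS with a client certificate that is authorized for the certificate_status endpoint.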

Resolved issues

  • Puppet Server no longer issues HTTP 503 responses to agents older than Puppet 5.3, which can’t react to these responses. This allows the max-queued-requests setting to be used safely with older agents. SERVER-2405

Puppet Server 6.3.2

Released 15 October 2019

New features

Puppet Server’s CA API now synchronizes write access to the CRL, so that each revoke request updates the CRL in succession, instead of concurrently. This prevents corruption of the CRL due to competing requests.

This does not affect the puppet cert command. If you use puppet cert revoke at the same time as a revocation request via the API, the CRL is updated simultaneously and could be corrupted.

To minimize this risk, use the puppetserver ca command line tool – which uses the CA API – whenever possible. SERVER-2641

Bug fixes

  • The Puppet Server CA CLI now correctly uses hex serial numbers for certs. SERVER-2603

  • The puppetserver ca import command now initializes an empty CRL for the intermediate CA if one is not provided in the crl-chain file. SERVER-2522

  • You can now specify a --certname flag with the puppetserver ca list command, which will limit the output to information about the requested cert, and log an error if the requested cert does not exist in any form. SERVER-2589

  • Timing metrics associated with borrowing a JRuby instance now include why that JRuby instance was borrowed and access logs now include the time spent in JRuby. SERVER-1975 & SERVER-2198 respectively.

Puppet Server 6.3.1

Released 16 July 2019

Bug fixes

  • In this release, performance in puppetserver commands is improved. puppetserver gem, puppetserver irb, and other Puppet Server CLI commands start up 15-30 percent faster. Service starting and reloading should see similar improvements, along with some marginal improvements to top-end performance, especially in environments with limited sources of entropy.

  • Building Puppet Server outside our network is now slightly easier.

  • Prior to this release, an unnecessary and deprecated version of Facter was shipped in the puppetserver package. This has been removed.

  • Cert and CRL bundles no longer need to be in any specific order. By default, the leaf instances still come first, descending to the root, which comes last. SERVER-2465

Puppet Server 6.3.0

Released 26 March 2019

New features

  • Puppet Server has a new endpoint for catalog retrieval, allowing more options than the previous endpoint. This endpoint is controlled by tk-auth, and by default is not generally accessible. It is an API that integrators can use to provide functionality similar to puppet master --compile. For details on the API, see the Puppet API catalog. This endpoint is intended for use by other Puppet services. SERVER-2434

Enhancements

  • The CA’s certificate_status endpoint now returns additional information for custom integration. SERVER-2370

Puppet Server 6.2.1

Released 20 February 2019.

This release contains resolved issues.

Resolved issues

  • This release upgrades Bouncy Castle to version 1.60 for security updates.

Puppet Server 6.2.0

Released 23 January 2019.

This release contains new features and resolved issues.

New features

  • The EZBake configs now allow you to specify JAVA_ARGS_CLI, which is used when using puppetserver subcommands to configure Java differently from what is needed for the service. This was used by the CLI before, but as an environment variable only, not as an EZBake config option. SERVER-2399

Resolved issues

  • A dependency issue caused puppetserver 6.1.0 to fail with OpenJDK 11. This has been fixed and Puppet Server packages can now start under Java 11. SERVER-2404

Puppet Server 6.1.0

Released 18 December 2018

Enhancements

  • Puppet Server 6.1.0 upgrades to JRuby 9.2.0.0. This version implements the Ruby 2.5 interface. It is backwards compatible, but will issue a warning for Ruby language features that have been deprecated. The major warning that users will see is warning: constant ::Fixnum is deprecated. Upgrading to this version of JRuby means that the Ruby interface has the same version as the Puppet agent. This version of JRuby is faster than previous versions under certain conditions. SERVER-2381
  • Puppet Server now has experimental support for Java 11 for users that run from source or build their own packages. This has been tested with low level tests but does not work when installed from official packages. Consequently, we consider this support “experimental”, with full support coming later in 2019 for the latest long term supported version of Java. SERVER-2315.
  • The puppetserver ca command now provides useful errors on connection issues and returns debugging information. SERVER-2317
  • The puppetserver ca tool now prefers the server_list setting in puppet.conf for users that have created their own high availability configuration using this feature. SERVER-2392

Resolved issues

  • The puppetserver ca command no longer has the wrong default value for the $server setting. Previously the puppetserver ca tool defaulted to $certname when connecting to the server, while the agent defaulted to puppet. The puppetserver ca tool now has the same default for $server as the agent. It will also honor the settings within the agent section of the puppet.conf file. SERVER-2354
  • Jetty no longer reports its version. TK-473

Puppet Server 6.0.5

Released 16 July 2019

Bug fixes

  • In this release, performance in puppetserver commands is improved. puppetserver gem, puppetserver irb, and other Puppet Server CLI commands start up 15-30 percent faster. Service starting and reloading should see similar improvements, along with some marginal improvements to top-end performance, especially in environments with limited sources of entropy.

  • Building Puppet Server outside our network is now slightly easier.

  • Prior to this release, an unnecessary and deprecated version of Facter was shipped in the puppetserver package. This has been removed.

  • Cert and CRL bundles no longer need to be in any specific order. By default, the leaf instances still come first, descending to the root, which comes last. SERVER-2465

Puppet Server 6.0.4

Released 26 March 2019

Bug fixes

  • Updated bouncy-castle to 1.60 to fix security issues. SERVER-2431

Puppet Server 6.0.3

Released 15 January 2019.

This release contains new features.

New Features

  • The puppetserver ca tool now respects the server_list setting in puppet.conf for those users that have created their own high availability configuration using that feature. SERVER-2392
  • The EZBake configs now allow you to specify JAVA_ARGS_CLI, which is used when using puppetserver subcommands to configure Java differently from what is needed for the service. This was used by the CLI before, but as an environment variable only, not as an EZBake config option. SERVER-2399

Puppet Server 6.0.2

Released 23 October 2018

New features

  • The CA service and the CA proxy service (in PE) now have their own entries in the status endpoint output and can be queried as “ca” and “ca-proxy” respectively. SERVER-2350

Puppet Server 6.0.1

Released 2 October 2018

New features

  • Puppet Server now creates a default ca.conf file when installed, both in open source Puppet and Puppet Enterprise. CA settings such as allow-subject-alt-names should be configured in the certificate-authority section of this file. (SERVER-2372)

  • The puppetserver ca generate command now has a flag --ca-client that will generate a certificate offline – not using the CA API – that is authorized to talk to that API. This can be used to regenerate the master’s host cert, or create certs for distribution to other CA nodes that need administrative access to the CA, such as the ability to sign and revoke certs. This command should only be used while Puppet Server is offline, to avoid conflicts with cert serials. (SERVER-2320)

  • The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled). (SERVER-2267)

Puppet Server 6.0.0

Released 18 September 2018

This Puppet Server release provides a new workflow and API for certificate issuance. By default, the server now generates a root and intermediate signing CA cert, rather than signing everything off the root. If you have an external certificate authority, you can generate an intermediate signing CA from it instead, and a new puppetserver ca subcommand puts everything into its proper place.

New features

  • There is now a CLI command for setting up the certificate authority, called puppetserver ca. See Puppet Server: Subcommands for more information. (SERVER-2172)

  • For fresh installs, the Puppet master’s cert is now authorized to connect to the certificate_status endpoint out of the box. This allows the new CA CLI tool to perform CA tasks via Puppet Server’s CA API. (SERVER-2308) Note that upgrades will need to instead whitelist the master’s cert for these endpoints; see Puppet Server: Subcommands#ca.

  • Puppet Server now has a setting called allow-authorization-extensions in the certificate-authority section of its config for enabling signing certs with authorization extensions. It is false by default. (SERVER-2290)

  • Puppet Server now has a setting called allow-subject-alt-names in the certificate-authority section of its config for enabling signing certs with subject alternative names. It is false by default. (SERVER-2278)

  • The puppetserver ca CLI now has an import subcommand for installing key and certificate files that you generate, for example, when you have an external root CA that you need Puppet Server’s PKI to chain to. (SERVER-2261)

  • We’ve added an infrastructure-only CRL in addition to the full CRL, that provides a list of certs that, when revoked, should be added to a separate CRL (useful for specifying special nodes in your infrastructure like compile masters). You can configure whether this special CRL or the default CRL is distributed to agents. (SERVER-2231)

  • Puppet Server now bundles its JRuby jar inside the main uberjar. This means the JRUBY_JAR setting is no longer valid, and a warning will be issued if it is set. (SERVER-2157)

  • Puppet Server 6.0 uses JRuby 9K, which implements Ruby language version 2.3. Server-side gems that were installed manually with the puppetserver gem command or using the puppetserver_gem package provider might need to be updated to work with JRuby 9K. Additionally, if ReservedCodeCache or MaxMetaspacesize parameters were set in JAVA_ARGS, they might need to be adjusted for JRuby 9K. See the known issues for more info.

  • The version of semantic_puppet has been updated in Puppet Server to ensure backwards compatibility in preparation for future major releases of Puppet Platform. (SERVER-2132)

  • Puppet Server 6.0 now uses JRuby 9k. This implements version 2.3 of the Ruby language. (SERVER-2095)

Resolved issues

  • We’ve made server-side fixes for fully supporting intermediate CA capability. With this, CRL chains will be persisted when revoking certs. SERVER-2205. For more details on the intermediate CA support in Puppet 6, see Puppet Server: Intermediate CA.

Known issues

Ruby’s native methods for spawning processes cause a fork of the JVM on most Linux servers, which in a large production environment causes Out of Memory errors at the OS level. Puppet Server provides a lighter weight way of creating sub-processes with its built-in execution helper Puppet::Util::Execution.execute. Use Puppet::Util::Execution.execute when writing Ruby-based functions, custom report processors, Hiera backends and faces. When writing custom providers, use the commands helper to determine suitability.
