Released 14 January 2020
When requesting that a certificate be signed, the certificate-status API endpoint can now accept a TTL in its body under the key cert_ttl, which determines the validity period of the cert being signed. The unit defaults to seconds, but you can specify the unit. See configuration for a list of Puppet’s accepted time unit markers. SERVER-2678
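Added example (not code from the release notes or from Puppet Server itself): a small client-side helper that validates a cert_ttl value against Puppet's duration markers, enforces a local maximum lifetime, and builds the signing request for the certificate_status endpoint. The endpoint path and the desired_state body are the existing CA API; the unit-to-seconds table, the 5y ceiling and the certname pattern are assumptions made here for illustration.

```python
import json
import re

# Puppet duration unit markers and their length in seconds. Assumed here to
# match Puppet's own duration settings (e.g. ca_ttl); a bare number is seconds.
UNIT_SECONDS = {"y": 365 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}

_TTL_RE = re.compile(r"^(\d+)([ydhms])?$")
# Certnames are lower-case DNS-style labels. Rejecting anything else keeps a
# caller-supplied name from smuggling extra path segments into the request.
_CERTNAME_RE = re.compile(r"^[a-z0-9](?:[a-z0-9._-]*[a-z0-9])?$")


def ttl_to_seconds(ttl):
    """Convert a cert_ttl such as '30d', '12h' or '3600' to seconds.
    Raises ValueError for malformed or zero-length values."""
    match = _TTL_RE.match(str(ttl).strip())
    if match is None:
        raise ValueError(f"malformed cert_ttl: {ttl!r}")
    value, unit = int(match.group(1)), match.group(2) or "s"
    if value == 0:
        raise ValueError("cert_ttl must be positive")
    return value * UNIT_SECONDS[unit]


def check_cert_ttl(ttl, max_ttl="5y"):
    """Return None when ttl is acceptable, else a string saying why not.
    max_ttl is a local policy ceiling (assumed 5y here, the same span as
    Puppet's default ca_ttl); longer lifetimes are refused up front."""
    try:
        seconds = ttl_to_seconds(ttl)
    except ValueError as exc:
        return str(exc)
    if seconds > ttl_to_seconds(max_ttl):
        return f"cert_ttl {ttl} exceeds policy maximum {max_ttl}"
    return None


def build_sign_request(certname, cert_ttl=None, max_ttl="5y"):
    """Return (method, path, headers, body) for signing `certname` through the
    certificate_status endpoint, adding cert_ttl to the body when given."""
    if not _CERTNAME_RE.match(certname):
        raise ValueError(f"invalid certname: {certname!r}")
    body = {"desired_state": "signed"}
    if cert_ttl is not None:
        problem = check_cert_ttl(cert_ttl, max_ttl)
        if problem:
            raise ValueError(problem)
        body["cert_ttl"] = str(cert_ttl).strip()
    path = f"/puppet-ca/v1/certificate_status/{certname}"
    headers = {"Content-Type": "application/json"}
    return "PUT", path, headers, json.dumps(body)


if __name__ == "__main__":
    # Constructed sample: sign a node cert that should expire after 30 days.
    method, path, headers, body = build_sign_request("node01.example.com", "30d")
    print(method, path)
    print(headers)
    print(body)
```

The request still has to be sent with the master's own cert (or another cert whitelisted for certificate_status in auth.conf); the helper only guarantees that what reaches the CA is well-formed and within the lifetime you have decided to allow.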
This release adds a new JRuby pool architecture that maintains a single JRuby instance through which requests to Puppet Server are run concurrently. In this mode, the server’s memory footprint is significantly lighter, because it no longer needs to run multiple JRuby instances. Toggle this behavior by setting the
Validation that Puppet’s Ruby code functions correctly in this environment is still in progress. This mode is highly experimental, and you may see unexpected behavior.
max-queued-requests setting to be used safely with older agents. SERVER-2405
Released 19 November 2019
This version contains minor security fixes.
Released 15 October 2019
Released 1 October 2019
Released 17 September 2019
Puppet Server no longer hardcodes Java’s egd parameter. Users may manage the value via JAVA_ARGS or JAVA_ARGS_CLI in the defaults file. SERVER-2602
RedHat 7 FIPS mode packages are now available for
Puppet Server now lists plan content from your modules, just as it does task content. SERVER-2543
You can now enable sending a list of all the Hiera keys looked up during compile to PuppetDB, via the jruby-puppet.track-lookups setting in puppetserver.conf. This is currently only used by CD4PE. SERVER-2538
/puppet-admin-api/v1/jruby-pool/thread-dump endpoint, which returns a thread dump of running JRuby instances, if jruby.management.enabled has been set to true in the JVM running Puppet Server. See Admin API: JRuby Pool for details. SERVER-2193
Puppet Server now runs with JRuby 18.104.22.168. SERVER-2388
puppetserver ca import command now initializes an empty CRL for the intermediate CA if one is not provided in the crl-chain file. SERVER-2522
facter.jar, provided by the puppet-agent package, to the classpath when starting Puppet Server with Java. SERVER-2423
Puppet Server’s CA can now handle keys in the PKCS#8 format, which is required when running in FIPS mode. SERVER-2019
Released 22 July 2019
cipher-suites setting in the webserver section of webserver.conf has been updated. Previously, the defaults included 11 cipher suites, including 4 TLS_RSA_* cipher suites. Now the defaults include all cipher suites usable on a RHEL 7 FIPS-enabled server, our target platform for FIPS certification, except for TLS_RSA_* ciphers. Additionally, Puppet Server emits warnings if any TLS_RSA_* ciphers are explicitly enabled in the
To avoid potentially breaking clients that can use only TLS_RSA_* ciphers, the webserver.conf file now includes an explicit cipher-suites setting that adds the previously enabled TLS_RSA_* ciphers to the new implicit cipher-suites setting. This has three effects:
TLS_RSA_* ciphers will continue to work.
TLS_RSA_* ciphers are enabled.
cipher-suites setting are not available on that specific OS. These warnings can be safely silenced by editing the cipher-suites setting and removing the unavailable ciphers.
A future version of Puppet Server will remove the cipher-suites setting in webserver.conf. This will break any clients that still require the
In advance of this change, update any clients that still require the TLS_RSA_* ciphers to clients that can use more recent ciphers, and remove the cipher-suites setting in
This update also removes the so-linger-seconds configuration setting. This setting is now ignored and a warning is issued if it is set. See Jetty’s so-linger-seconds for removal details. See SERVER-2576 for further details.
You can now specify a --certname flag with the puppetserver ca list command, which limits the output to information about the requested cert and logs an error if the requested cert does not exist in any form. SERVER-2589
In this release, performance of the puppetserver commands is improved. Running puppetserver irb and other Puppet Server CLI commands is 15-30 percent faster at startup. Service starting and reloading should see similar improvements, along with some marginal improvements to top-end performance, especially in environments with limited sources of entropy.
Building Puppet Server outside our network is now slightly easier.
Prior to this release, an unnecessary and deprecated version of Facter was shipped in the puppetserver package. This has been removed.
Cert and CRL bundles no longer need to be in any specific order. By default, the leaf instances still come first, descending to the root, which are last. SERVER-2465
Released 19 April 2019
/puppet/v3/environment_transports. This endpoint lists all of the available network transports from modules and is for use with the Agentless Catalog Executor. SERVER-2467
Released 26 March 2019
tk-auth, and by default is not generally accessible. It is an API that integrators can use to provide functionality similar to puppet master --compile. For details on the API, see the Puppet API catalog. This endpoint is intended for use by other Puppet services. SERVER-2434
certificate_status endpoint now returns additional information for custom integration. SERVER-2370
Released 20 February 2019.
This release contains resolved issues.
Released 23 January 2019.
This release contains new features and resolved issues.
puppetserver ca tool now respects the server_list setting in puppet.conf for those users that have created their own high availability configuration using that feature. SERVER-2392
The EZBake configs now allow you to specify JAVA_ARGS_CLI, which is used when using puppetserver subcommands to configure Java differently from what is needed for the service. This was used by the CLI before, but as an environment variable only, not as an EZBake config option. SERVER-2399
Released 18 December 2018
The CA service and the CA proxy service (in PE) now have their own entries in the status endpoint output and can be queried as “ca” and “ca-proxy” respectively. SERVER-2350
Puppet Server now creates a default ca.conf file when installed, both in open source Puppet and Puppet Enterprise. CA settings such as allow-subject-alt-names should be configured in the certificate-authority section of this file. (SERVER-2372)
puppetserver ca generate command now has a flag --ca-client that will generate a certificate offline – not using the CA API – that is authorized to talk to that API. This can be used to regenerate the master’s host cert, or create certs for distribution to other CA nodes that need administrative access to the CA, such as the ability to sign and revoke certs. This command should only be used while Puppet Server is offline, to avoid conflicts with cert serials. (SERVER-2320)
The Puppet Server CA can now sign certificates with IP alt names in addition to DNS alt names (if signing certs with alt names is enabled). (SERVER-2267)
Puppet Server 6.1.0 upgrades to JRuby 22.214.171.124. This version implements the Ruby 2.5 interface. It is backwards compatible, but will issue a warning for Ruby language features that have been deprecated. The major warning that users will see is warning: constant ::Fixnum is deprecated. Upgrading to this version of JRuby means that the Ruby interface has the same version as the Puppet agent. This version of JRuby is faster than previous versions under certain conditions. SERVER-2381
Puppet Server now has experimental support for Java 11 for users that run from source or build their own packages. This has been tested with low level tests but does not work when installed from official packages. Consequently, we consider this support “experimental”, with full support coming later in 2019 for the latest long term supported version of Java. SERVER-2315.
puppetserver ca command now provides useful errors on connection issues and returns debugging information. SERVER-2317
puppetserver ca tool now prefers the server_list setting in puppet.conf for users that have created their own high availability configuration using this feature. SERVER-2392
puppetserver ca command no longer has the wrong default value for the $server setting. Previously the puppetserver ca tool defaulted to $certname when connecting to the server, while the agent defaulted to
puppetserver ca tool now has the same default for $server as the agent. It will also honor the settings within the agent section of the
Released 18 September 2018
This Puppet Server release provides a new workflow and API for certificate issuance. By default, the server now generates a root and intermediate signing CA cert, rather than signing everything off the root. If you have an external certificate authority, you can generate an intermediate signing CA from it instead, and a new puppetserver ca subcommand puts everything into its proper place.
For fresh installs, the Puppet master’s cert is now authorized to connect to the certificate_status endpoint out of the box. This allows the new CA CLI tool to perform CA tasks via Puppet Server’s CA API. (SERVER-2308) Note that upgrades will need to instead whitelist the master’s cert for these endpoints; see Puppet Server: Subcommands#ca.
Puppet Server now has a setting called allow-authorization-extensions in the certificate-authority section of its config for enabling signing certs with authorization extensions. It is false by default. (SERVER-2290)
Puppet Server now has a setting called allow-subject-alt-names in the certificate-authority section of its config for enabling signing certs with subject alternative names. It is false by default. (SERVER-2278)
puppetserver ca CLI now has an import subcommand for installing key and certificate files that you generate, for example, when you have an external root CA that you need Puppet Server’s PKI to chain to. (SERVER-2261)
We’ve added an infrastructure-only CRL in addition to the full CRL. It is backed by a list of certs that, when revoked, should be added to this separate CRL (useful for special nodes in your infrastructure, such as compile masters). You can configure whether this special CRL or the default CRL is distributed to agents. (SERVER-2231)
Puppet Server now bundles its JRuby jar inside the main uberjar. This means the JRUBY_JAR setting is no longer valid, and a warning will be issued if it is set.
Puppet Server 6.0 uses JRuby 9K, which implements Ruby language version 2.3. Server-side gems that were installed manually with the puppetserver gem command or using the puppetserver_gem package provider might need to be updated to work with JRuby 9K. Additionally, if MaxMetaspaceSize parameters were set in JAVA_ARGS, they might need to be adjusted for JRuby 9K. See the known issues for more info.
The version of semantic_puppet has been updated in Puppet Server to ensure backwards compatibility in preparation for future major releases of Puppet Platform. (SERVER-2132)
Puppet Server 6.0 now uses JRuby 9k. This implements version 2.3 of the Ruby language. (SERVER-2095)
Ruby’s native methods for spawning processes cause a fork of the JVM on most Linux servers, which in a large production environment causes Out of Memory errors at the OS level. Puppet Server provides a lighter weight way of creating sub-processes with its built-in execution helper Puppet::Util::Execution.execute when writing Ruby-based functions, custom report processors, Hiera backends and faces. When writing custom providers, use the commands helper to determine suitability.