Puppet Server release notes

• The CA API accepts CRL updates. You can now update your CRLs using the new API endpoint: PUT /puppet-ca/v1/certificate_revocation_list. This new endpoint accepts a list of CRL PEMs as a body, inserting updated copies of the applicable CRLs into the trust chain. The CA updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts. You can use this endpoint if your CRLs require frequent updates. Do not use the endpoint to update the CRL associated with the Puppet CA signing certificate (only earlier ones in the certificate chain). SERVER-2550

• JRuby 9.2.17.0. In this release, the JRuby version is updated to 9.2.17.0. SERVER-3007

• New apache HTTP client broke URL normalization. A security update to the apache HTTP client introduced an unrelated change to URL normalization. This change affected any use of Puppet’s HTTP client within Puppet Server. In this release, the double slash in a URL path is no longer silently ignored by the HTTP client in Puppet Server. Instead, Puppet Server views it as a different URL and returns a 404. Going forward, remove leading double slashes from URLs. SERVER-3014

• Environment endpoint failed to cache data if given valid etag. Previously, if you used the environment and transport info endpoints, then you might have seen the cache bypassed—despite receiving a 304 Not Modified response. To work around this issue, users must submit a request to the environment_classes endpoint without the etag. This request triggers the correct caching behavior. Note that the console (the consumer of the environment_classes endpoint in PE) must always submit an etag for an environment if it has one. SERVER-3015

• Puppet Server now adds an extension for subject-alternative-name (SAN) when it signs incoming certificate signing requests (CSR). The SAN extension contains the common name (CN) as a dns-name on the certificate. If the CSR comes with its own SAN extension, Puppet Server signs it and ensures the SAN extension includes the CSR’s CN. SERVER-2338

• The Jetty webserver now uses the local copy of the CRL from Puppet's SSL directory instead of the CA's copy. This fix makes it easier to set up compilers, which always have a disabled CA service and no CRL at the CA path. SERVER-2558

• The master-conf-dir, master-code-dir, master-var-dir, master-log-dir, and master-run-dir configuration settings have been deprecated in favor of server-conf-dir, server-code-dir, server-var-dir, server-log-dir, and server-run-dir respectively. The configuration files — which use the new settings — are shipped with the 7.1.0 puppetserver package. Note that the old settings are still honored for backwards compatibility, but we recommend you upgrade to the new settings. SERVER-2867

• The warning issued when the CA dir is inside the SSL dir now only prints server logs at startup and when using the puppetserver ca CLI, instead of any time a Puppet command is used. (SERVER-2934)

Released December 2020 and shipped with Puppet 7.1.0.

• The JRuby version has been bumped from 9.2.13.0 to 9.2.14.0. (SERVER-2925)

• The CA command line tool now correctly honors the server sections in the puppet.conf.

• When creating the symlink between the new and legacy cadirs the symlink will now be properly owned by the puppet user. (SERVER-2917)

• The default value for the cadir setting is now located at /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside Puppet's own ssldir at /etc/puppetlabs/puppet/ssl/ca. This change makes it safer to delete Puppet'sssldir without accidentally deleting your CA certificates.

• The puppetserver CA CLI now provides a migrate command to move the CA directory from the Puppet confdir to the puppetserver confdir. It leaves behind a symlink on the old CA location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. The symlink provides backwards compatibility for tools still expecting the cadir to exist in the old location. In a future release, the cadir setting will be removed entirely. (SERVER-2896)

• The default value for the facts cache is now JSON instead of YAML. You can re-enable the old YAML terminus in routes.yaml. (PUP-10656)

• Support for legacy Puppet auth.conf has been removed and the jruby-puppet.use-legacy-auth-conf setting no longer works. Use Puppet Server's auth.conf file instead. (SERVER-2778)

• Puppet Server no longer services requests for legacy (3.x) Puppet endpoints. Puppet Agents before 4.0 are no longer be able to check in. (SERVER-2791)

• This release removes default support for many cipher suites when contacting Puppet Server. The new default supported cipher suites are: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This change aligns open source Puppet with Puppet Enterprise. Note that this change may break on old platforms. To re-enable older cipher suites you may edit the webserver.conf. Valid cipher suite names are listed in the JDK Documentation. (SERVER-2913)

• Puppet Server now provides an HTTP client whose API conforms to the HTTP client provided by Puppet. This new client is stored in the Puppet runtime as Puppet.runtime[:http]. (SERVER-2780)