Puppet Server release notes
Puppet Server 7.11.0
Released April 2023 and shipped with Puppet 7.24.0.
Enhancements
Update Puppet Server CA CLI gem to 2.5.0. The included Puppet Server CA CLI gem is now version 2.5.0, which adds the ability to remove expired or arbitrary certs using the prune action, and the ability to remove expired, arbitrary, or all certs from the signed directory using the delete action.
Resolved issues
Puppet Server dependency update improvements. Updated dependencies mean Puppet Server now gives better errors when given config files with invalid extensions, no longer crashes in rare cases when receiving SIGHUP, and warns in the log file when unable to check for updates.
Puppet Server 7.10.0
This version was never released.
Puppet Server 7.9.5
Released February 2023 and shipped with Puppet 7.23.0.
No release notes.
Puppet Server 7.9.4
This version was never released.
Puppet Server 7.9.3
Released December 2022 and shipped with Puppet 7.21.0.
No release notes.
Puppet Server 7.9.2
Released October 2022 and shipped with Puppet 7.20.0.
No release notes.
Puppet Server 7.9.1
Released September 2022 and shipped with Puppet 7.19.0.
Enhancements
Update dropsonde to 0.0.8. The included Dropsonde gem has been upgraded to 0.0.8, which adds the ability to list unused modules to the telemetry client report generator. Visit https://dev.to/puppet/cleaning-up-unused-modules-with-dropsonde-44a5 for more information. SERVER-3220
Puppet Server 7.9.0
Released August 2022 and shipped with Puppet 7.18.0.
Resolved issues
Upgrade JRuby to 9.3.4.0. Puppet Server now uses JRuby 9.3.4.0. SERVER-3133
Puppet Server 7.8.0
Released May 2022 and shipped with Puppet 7.17.0.
Enhancements
Make Puppet Server http client respect include_system_store option. Puppet Server's Ruby HTTP client now supports loading certificates from the system trust store that is included with Puppet Agent, as well as loading certs from a file or Java cert store at an arbitrary location via the ssl_trust_store setting. SERVER-2944
Resolved issues
RPM should create puppet user with UID/GID 52. When the puppet user and group are created on rpm-based systems, they are now assigned a static UID/GID of 52. SERVER-1381
Puppet Server 7.7.0
Released April 2022 and shipped with Puppet 7.16.0.
Enhancements
Change Dropsonde telemetry to Opt-out. Metrics will now be collected with Dropsonde by default. To opt out of metrics collection, configure dropsonde: { enabled: false } in puppetserver.conf. By default, Dropsonde collects metrics when the service is started, and once a week thereafter. SERVER-3170
Enable sles-15-x86_64 builds and testing for puppetserver. We now support puppetserver on sles-15-x86_64. SERVER-3156
Puppet Server 7.6.1
Released March 2022 and shipped with Puppet 7.15.0.
Enhancements
Bump BouncyCastle to 1.70. Puppet Server now ships with Bouncy Castle 1.70, which has improved TLS 1.3 support. SERVER-3135
Rocky and Alma support. Puppet Server is now being tested on Rocky and Alma Linux. Use the EL8 packages on these operating systems. SERVER-3099
JRuby pool lock lifecycle logging. The JRuby lock lifecycle of request, acquire, and release is now logged at the INFO level, rather than DEBUG. SERVER-3098
Resolved issues
Bad exit code for errors in puppetserver ca list. The puppetserver ca list command will now exit 1 when run on a non-CA server. SERVER-2797
Puppet Server CA always creates type 1 authority key identifiers. Previously, Puppet Server would always compute a type 1 key identifier based on the public key of the certificate authority. This is incompatible in situations where Puppet Server imports pre-made certificates that use a type 2 key identifier.
Now, Puppet Server will copy the subject key identifier from the ca certificate instead of computing a type 1 key identifier. This will allow for type 2 identifiers and future key types on the CA. With this change, Puppet Server can now use an intermediate certificate authority signed by HashiCorp’s Vault or AWS ACM. SERVER-2662
Puppet Server 7.6.0
Released January 2022 and shipped with Puppet 7.14.0.
Enhancements
Debian support. Puppet Server is now packaged for Debian 11. It requires Java 11 to be installed. SERVER-3137
Resolved issues
CA Authority Key Identifier incorrectly filled with issuer instead of keyid. The self-signed CA signing cert generated by starting puppetserver will now use a keyid for its authority key identifier to match the CA chain generated by puppetserver ca setup. SERVER-3114
CA added a Subject Alternative Name extension to CA certs. The CA signing cert no longer has subject alternative names added to it, since they are not meaningful. SERVER-3114
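The two Authority Key Identifier items above (7.6.0: keyid instead of issuer/serial; 7.6.1: copy the CA's Subject Key Identifier rather than recompute a type 1 identifier) come down to RFC 5280 section 4.2.1.2. The following is an added example, not Puppet Server's own code, that implements both key-identifier methods and the AKI encodings with only the standard library, so you can check whether an issued cert's AKI actually chains to an imported intermediate's SKI. It works on raw extension values (the bytes inside extnValue); SAMPLE_CA_SPK and SAMPLE_ISSUER_NAME are constructed inputs, not a real key or CA name.

```python
"""Added example (not Puppet Server code): RFC 5280 key identifiers and AKI forms."""
import hashlib


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def der_int(n):
    """Minimal two's-complement content octets of a DER INTEGER."""
    return n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True)


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def key_id_method1(subject_public_key):
    """Type 1: SHA-1 of the subjectPublicKey BIT STRING contents (20 bytes)."""
    return hashlib.sha1(subject_public_key).digest()


def key_id_method2(subject_public_key):
    """Type 2: the four bits 0100 followed by the low 60 bits of the SHA-1 hash (8 bytes)."""
    h = hashlib.sha1(subject_public_key).digest()
    return bytes([0x40 | (h[12] & 0x0F)]) + h[13:]


def encode_ski(key_id):
    """SubjectKeyIdentifier ::= OCTET STRING."""
    return der_tlv(0x04, key_id)


def encode_aki_keyid(key_id):
    """AuthorityKeyIdentifier carrying only keyIdentifier [0], the form puppetserver ca setup emits."""
    return der_tlv(0x30, der_tlv(0x80, key_id))


def encode_aki_issuer(issuer_name_der, serial):
    """AKI in the authorityCertIssuer [1] + authorityCertSerialNumber [2] form (pre-7.6.0 self-signed CA)."""
    general_names = der_tlv(0xA1, der_tlv(0xA4, issuer_name_der))  # [1] GeneralNames, directoryName [4] Name
    return der_tlv(0x30, general_names + der_tlv(0x82, der_int(serial)))


def parse_aki(aki_der):
    """Split an AKI value into its optional fields; unknown tags are rejected, not skipped."""
    tag, body, _ = read_tlv(aki_der)
    if tag != 0x30:
        raise ValueError("AuthorityKeyIdentifier must be a SEQUENCE")
    fields, pos = {"keyid": None, "issuer": None, "serial": None}, 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x80:
            fields["keyid"] = val
        elif tag == 0xA1:
            fields["issuer"] = val
        elif tag == 0x82:
            fields["serial"] = int.from_bytes(val, "big", signed=True)
        else:
            raise ValueError(f"unexpected tag 0x{tag:02x} in AuthorityKeyIdentifier")
    return fields


def aki_before_7_6_1(ca_subject_public_key):
    """Old behaviour: always recompute a type 1 identifier from the CA's public key."""
    return encode_aki_keyid(key_id_method1(ca_subject_public_key))


def aki_from_7_6_1(ca_ski_der):
    """New behaviour: copy whatever keyIdentifier the CA certificate's SKI carries."""
    tag, key_id, _ = read_tlv(ca_ski_der)
    if tag != 0x04:
        raise ValueError("SubjectKeyIdentifier must be an OCTET STRING")
    return encode_aki_keyid(key_id)


def aki_matches_ski(aki_der, ski_der):
    """Chain-building check: the issued cert's AKI keyIdentifier must equal the issuer's SKI."""
    _, ski, _ = read_tlv(ski_der)
    return parse_aki(aki_der)["keyid"] == ski


# Constructed sample input: 64 arbitrary bytes standing in for a CA subjectPublicKey (not a real key).
SAMPLE_CA_SPK = bytes(range(1, 65))
# Constructed issuer Name: SEQUENCE { SET { SEQUENCE { id-at-commonName, UTF8String "Puppet CA" } } }
SAMPLE_ISSUER_NAME = der_tlv(0x30, der_tlv(0x31, der_tlv(0x30, b"\x06\x03\x55\x04\x03" + der_tlv(0x0C, b"Puppet CA"))))

if __name__ == "__main__":
    # An imported intermediate (e.g. from Vault or ACM) that chose a type 2 identifier for its own SKI:
    ca_ski = encode_ski(key_id_method2(SAMPLE_CA_SPK))
    print("pre-7.6.1 AKI chains to CA:", aki_matches_ski(aki_before_7_6_1(SAMPLE_CA_SPK), ca_ski))  # False
    print("7.6.1+ AKI chains to CA:", aki_matches_ski(aki_from_7_6_1(ca_ski), ca_ski))              # True
```

To run the same check against real certificates, extract the AKI and SKI extension values from the DER (for example with `openssl asn1parse`) and pass those bytes to aki_matches_ski; a mismatch is exactly the condition that made pre-7.6.1 agent certs fail to chain under an intermediate with a type 2 identifier.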
Puppet Server 7.5.0
Released December 2021 and shipped with Puppet 7.13.1.
Enhancements
Metrics collection with Dropsonde. Users can now enable module metrics collection via Dropsonde. To turn this on, configure dropsonde: { enabled: true } in puppetserver.conf. By default when enabled, Dropsonde collects metrics when the service is started and once a week thereafter. SERVER-3079
Resolved issues
CRL uploading. The CRL update endpoint will now issue a meaningful error message when a CRL without an authority key identifier is sent in the request body. SERVER-3080
Deprecations
el6 support. Removed support for el6 as a server platform.
Puppet Server 7.4.2
Released November 2021 and shipped with Puppet 7.12.1.
This release includes security fixes. For the latest features, see the release notes for Puppet Server 7.4.1.
Puppet Server 7.4.1
Released October 2021 and shipped with Puppet 7.12.0.
Enhancements
Retrieve facts from any terminus. The v4 catalog endpoint (used by Impact Analysis) now supports retrieving facts from any facts terminus, if none are provided with the request. SERVER-3050
Puppet Server 7.4.0
Released September 2021 and shipped with Puppet 7.11.0.
Enhancements
TLS 1.3 support. Puppet Server now supports TLS 1.3 and associated cipher suites by default. SERVER-3076
Improved performance in list command. The Puppet Server CA CLI command list utilizes the updated certificate_status endpoint for faster performance when listing certificate requests. SERVER-3060
--force flag in certificate generation. The puppetserver ca generate --ca-client command can now take a --force flag, which forces the tool to generate the certificate even if it cannot determine whether Puppet Server is offline. To avoid CA corruption, ensure your server is offline before you use this flag. SERVER-2842
Puppet Server 7.3.0
Released August 2021 and shipped with Puppet 7.10.0.
Enhancements
Prune duplicate entries from CRL. In this release, the puppetserver ca subcommand now accepts the prune action, which allows you to prune any duplicate certificates from Puppet's CRL. SERVER-2740
CRL query speed. Querying CRLs from puppetserver
is now faster, resulting in fewer timeouts. SERVER-3020
Scripts as a default mount. Puppet Server has a new default mount named scripts. You can use the new default mount with API endpoints such as file_content, file_metadata, and static_file_content to load scripts from the scripts/ directory of a module. SERVER-3058
Resolved issues
Duplicate entries in CRL. Puppet CA no longer allows adding duplicate certificates to the CRL. SERVER-2509
Puppet Server 7.2.1
Released July 2021 and shipped with Puppet 7.9.0.
Enhancements
Add new flag. In this release, the puppetserver ca subcommand now accepts the --verbose flag. If the --verbose flag is passed, it displays additional low-level details about the invoked action (such as details about HTTP requests created by the tool). SERVER-2251
Specify certificate output in JSON. In this release, the puppetserver ca list action now accepts a --format flag that can be used to display certificates in JSON format. The output format is text by default. SERVER-3006
Jetty 9.4.42. This release includes a Jetty update to 9.4.42. SERVER-3035
Resolved issues
CRL update endpoint is not enabled by default. The PUT /puppet-ca/v1/certificate_revocation_list endpoint is now enabled by default for clients that have a special cert extension. Previously, you had to manually update the auth.conf file to access this endpoint. SERVER-3033
Puppet Server cannot use OpenSSL EC files in OpenSSL format. Previously, Puppet Server failed to load private key PEM files that include separate blocks for EC parameters (such as files output by OpenSSL's EC key gen commands). This issue is now fixed. SERVER-3016
A command errors because of the subject alternative name. The puppetserver ca generate command no longer errors when allow-subject-alt-names is set to false. SERVER-3032
Puppet Server 7.2.0
Released May 2021 and shipped with Puppet 7.7.0 and Puppet 7.8.0.
New Features
The CA API accepts CRL updates. You can now update your CRLs using the new API endpoint: PUT /puppet-ca/v1/certificate_revocation_list. This new endpoint accepts a list of CRL PEMs as a body, inserting updated copies of the applicable CRLs into the trust chain. The CA updates the matching CRLs saved on disk if the submitted ones have a higher CRL number than their counterparts. You can use this endpoint if your CRLs require frequent updates. Do not use the endpoint to update the CRL associated with the Puppet CA signing certificate (only earlier ones in the certificate chain). SERVER-2550
Enhancements
JRuby 9.2.17.0. In this release, the JRuby version is updated to 9.2.17.0. SERVER-3007
Resolved issues
New Apache HTTP client broke URL normalization. A security update to the Apache HTTP client introduced an unrelated change to URL normalization. This change affected any use of Puppet's HTTP client within Puppet Server. In this release, a double slash in a URL path is no longer silently collapsed by the HTTP client in Puppet Server. Instead, Puppet Server treats it as a different URL and returns a 404. Going forward, remove leading double slashes from URLs. SERVER-3014
Environment endpoint failed to cache data if given valid etag. Previously, if you used the environment and transport info endpoints, then you might have seen the cache bypassed, despite receiving a 304 Not Modified response. To work around this issue, users must submit a request to the environment_classes endpoint without the etag. This request triggers the correct caching behavior. Note that the console (the consumer of the environment_classes endpoint in PE) must always submit an etag for an environment if it has one. SERVER-3015
Puppet Server 7.1.2
Released April 2021 and shipped with Puppet 7.6.1.
This release includes minor dependency updates, including an update to Jetty 9.4.40 to resolve security issues.
Puppet Server 7.1.0
Released March 2021 and shipped with Puppet 7.5.0.
Enhancements
Puppet Server adds SAN when signing CSR. Puppet Server now adds an extension for subject-alternative-name (SAN) when it signs incoming certificate signing requests (CSR). The SAN extension contains the common name (CN) as a dns-name on the certificate. If the CSR comes with its own SAN extension, Puppet Server signs it and ensures the SAN extension includes the CSR’s CN. SERVER-2338
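The rule above matters because TLS clients that follow RFC 6125 match the hostname against the SAN only and ignore the CN; a cert whose SAN omits the CN fails hostname verification even though the CN is right. The following is an added example, not Puppet Server's own signing code, that models the rule in pure Python: it builds the dNSName list for the cert to be issued (CSR SANs plus the CN when missing), encodes and parses the subjectAltName extension value, and checks whether a SAN-only verifier would accept the result. The ordering of names and the case-insensitive de-duplication are this example's choices, not something the release note specifies; the CSR contents are constructed.

```python
"""Added example (not Puppet Server code): CN-in-SAN rule for signed certificates."""

DNS_NAME = 0x82    # GeneralName dNSName [2] IMPLICIT IA5String
IP_ADDRESS = 0x87  # GeneralName iPAddress [7] IMPLICIT OCTET STRING


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def read_tlv(buf, pos=0):
    """Return (tag, value, next_pos) for the TLV starting at buf[pos]."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, start = first, pos + 2
    else:
        n = first & 0x7F
        length, start = int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n
    return tag, buf[start:start + length], start + length


def san_names_for_signing(cn, csr_dns_names=()):
    """dNSName entries for the issued cert: the CSR's own SAN names, plus the CN if not already there.

    Assumption of this example: CSR names keep their order, the CN is appended when missing,
    and duplicates are collapsed case-insensitively (DNS names are case-insensitive).
    """
    names, seen = [], set()
    for name in (*csr_dns_names, cn):
        if name.lower() not in seen:
            seen.add(name.lower())
            names.append(name)
    return names


def encode_san(dns_names):
    """subjectAltName value holding only dNSName entries; IA5String means ASCII only."""
    parts = []
    for name in dns_names:
        try:
            parts.append(der_tlv(DNS_NAME, name.encode("ascii")))
        except UnicodeEncodeError:
            raise ValueError(f"dNSName must be ASCII (IA5String): {name!r}") from None
    return der_tlv(0x30, b"".join(parts))


def parse_san(san_der):
    """Return [(kind, value)] from a subjectAltName value; kind is 'dns', 'ip' or 'other'."""
    tag, body, _ = read_tlv(san_der)
    if tag != 0x30:
        raise ValueError("subjectAltName must be a SEQUENCE OF GeneralName")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == DNS_NAME:
            out.append(("dns", val.decode("ascii")))
        elif tag == IP_ADDRESS:
            out.append(("ip", ".".join(str(b) for b in val) if len(val) == 4 else val.hex()))
        else:
            out.append(("other", val))
    return out


def san_covers(san_der, hostname):
    """Would a SAN-only hostname check (the RFC 6125 default) accept this cert for hostname?"""
    want = hostname.lower()
    return any(kind == "dns" and val.lower() == want for kind, val in parse_san(san_der))


if __name__ == "__main__":
    # Constructed CSR: CN agent01.example.com, with its own SAN asking for an extra alias.
    cn, csr_sans = "agent01.example.com", ["puppet.example.com"]
    ext = encode_san(san_names_for_signing(cn, csr_sans))
    print(parse_san(ext), san_covers(ext, cn))  # CN present as dNSName -> True
    print(san_covers(encode_san(csr_sans), cn))  # CSR SAN signed as-is -> False
```

The last line is the failure the 7.1.0 change prevents: a CSR that carries a SAN without its own CN would otherwise be signed verbatim and then be rejected by any client that does SAN-only matching on the agent's certname.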
Resolved issues
Attempts to start a compile master failed with a CRL error. The Jetty webserver now uses the local copy of the CRL from Puppet's SSL directory instead of the CA's copy. This fix makes it easier to set up compilers, which always have a disabled CA service and no CRL at the CA path. SERVER-2558
Deprecations
Puppet Server's updated configuration values. The master-conf-dir, master-code-dir, master-var-dir, master-log-dir, and master-run-dir configuration settings have been deprecated in favor of server-conf-dir, server-code-dir, server-var-dir, server-log-dir, and server-run-dir respectively. The configuration files, which use the new settings, are shipped with the 7.1.0 puppetserver package. Note that the old settings are still honored for backwards compatibility, but we recommend you upgrade to the new settings. SERVER-2867
Puppet Server 7.0.3
Released February 2021 and shipped with Puppet 7.4.0.
This release updates dependencies to include security fixes.
Puppet Server 7.0.2
Released January 2021 and shipped with Puppet 7.3.0.
Resolved issues
Puppet Server warned about the CA directory location too often. The warning issued when the CA directory is inside the SSL directory is now printed to the server logs only at startup and when using the puppetserver ca CLI, instead of any time a Puppet command is used. (SERVER-2934)
Puppet Server 7.0.1
Released December 2020 and shipped with Puppet 7.1.0.
Enhancements
JRuby 9.2.14.0. The JRuby version has been bumped from 9.2.13.0 to 9.2.14.0. (SERVER-2925)
Symlink from the previous cadir has the same permissions as the current cadir. When creating the symlink between the new and legacy cadirs, the symlink will now be properly owned by the puppet user. (SERVER-2917)
Resolved issues
CA command line tool failed to honor a section in Puppet's configuration file. The CA command line tool now correctly honors the server section in puppet.conf.
Puppet Server 7.0.0
Released November 2020 and shipped with Puppet 7.0.0.
Puppet Server 7.0 is a major release. It breaks compatibility with agents prior to 4.0 and the legacy Puppet auth.conf, moves the default location for the cadir, and changes defaults for fact caching and cipher suites. See below for more details. Caution is advised when upgrading.
New features
The default value for the cadir setting is now located at /etc/puppetlabs/puppetserver/ca. Previously, the default location was inside Puppet's own ssldir at /etc/puppetlabs/puppet/ssl/ca. This change makes it safer to delete Puppet's ssldir without accidentally deleting your CA certificates.
The puppetserver CA CLI now provides a migrate command to move the CA directory from the Puppet confdir to the puppetserver confdir. It leaves behind a symlink on the old CA location, pointing to the new location at /etc/puppetlabs/puppetserver/ca. The symlink provides backwards compatibility for tools still expecting the cadir to exist in the old location. In a future release, the cadir setting will be removed entirely. (SERVER-2896)
The default value for the facts cache is now JSON instead of YAML. You can re-enable the old YAML terminus in routes.yaml. (PUP-10656)
Support for legacy Puppet auth.conf has been removed and the jruby-puppet.use-legacy-auth-conf setting no longer works. Use Puppet Server's auth.conf file instead. (SERVER-2778)
Puppet Server no longer services requests for legacy (3.x) Puppet endpoints. Puppet agents before 4.0 are no longer able to check in. (SERVER-2791)
This release removes default support for many cipher suites when contacting Puppet Server. The new default supported cipher suites are: TLS_DHE_RSA_WITH_AES_128_GCM_SHA256, TLS_DHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, and TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384. This change aligns open source Puppet with Puppet Enterprise. Note that this change may break on old platforms. To re-enable older cipher suites you may edit the webserver.conf. Valid cipher suite names are listed in the JDK documentation. (SERVER-2913)
Puppet Server now provides an HTTP client whose API conforms to the HTTP client provided by Puppet. This new client is stored in the Puppet runtime as Puppet.runtime[:http]. (SERVER-2780)