Fix CA/CRL refresh retriggering every run on 304

houssemexo26 · houssemexo26 · commit b0fb888065b6 · 2026-06-25T17:14:41.000+02:00
When the server responds with 304 Not Modified, ca_last_update and
crl_last_update were not updated. Since these read the mtime of the
CA cert / CRL file on disk, the stale timestamp caused needs_refresh?
to return true on every subsequent run, ignoring ca_refresh_interval
and crl_refresh_interval.

Fix by updating the timestamp on 304 so the interval is respected.

Signed-off-by: Houssem eXo &lt;hbenali@exoplatform.fr&gt;
diff --git a/lib/puppet/ssl/state_machine.rb b/lib/puppet/ssl/state_machine.rb
@@ -121,6 +121,7 @@ def refresh_ca(ssl_ctx, last_update)
     rescue Puppet::HTTP::ResponseError => e
       if e.response.code == 304
         Puppet.info(_("CA certificate is unmodified, using existing CA certificate"))
+        @cert_provider.ca_last_update = Time.now
       else
         Puppet.info(_("Failed to refresh CA certificate, using existing CA certificate: %{message}") % { message: e.message })
       end
@@ -219,6 +220,7 @@ def refresh_crl(ssl_ctx, last_update)
     rescue Puppet::HTTP::ResponseError => e
       if e.response.code == 304
         Puppet.info(_("CRL is unmodified, using existing CRL"))
+        @cert_provider.crl_last_update = Time.now
       else
         Puppet.info(_("Failed to refresh CRL, using existing CRL: %{message}") % { message: e.message })
       end
