# Name of one CA certificate in the ca-certificates package (given in the
# same "mozilla/<file>.crt" form that /etc/ca-certificates.conf uses) and
# the path of that config file, which selects which shipped roots are enabled.
# NOTE(review): nothing visible here shows how the two are used together —
# presumably $cacert is toggled on/off inside $caconf; confirm against the
# rest of the manifest.
# NOTE(review): UTN-USERFirst-Hardware was removed from the Mozilla root
# store some years ago, so newer ca-certificates releases may no longer ship
# this file at all — TODO confirm the referenced file still exists before
# relying on this path.
3 $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt'
4 $caconf = '/etc/ca-certificates.conf'
12 package { 'ca-certificates':
16 file { '/etc/ssl/servicecerts':
20 target => '/usr/local/share/ca-certificates/debian.org',
21 notify => Exec['retire_debian_links'],
24 file { '/usr/local/share/ca-certificates/debian.org':
26 source => 'puppet:///modules/ssl/servicecerts/',
27 mode => '0644', # this works; otherwise all files are +x
31 notify => Exec['refresh_normal_hashes'],
33 file { '/etc/ssl/debian':
35 source => 'puppet:///files/empty/',
36 mode => '0644', # this works; otherwise all files are +x
41 file { '/etc/ssl/debian/certs':
45 file { '/etc/ssl/debian/crls':
49 file { '/etc/ssl/debian/keys':
53 require => Package['ssl-cert'],
55 file { '/etc/ssl/debian/certs/thishost.crt':
56 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
57 notify => Exec['refresh_debian_hashes'],
59 file { '/etc/ssl/debian/keys/thishost.key':
60 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
63 require => Package['ssl-cert'],
65 file { '/etc/ssl/debian/certs/ca.crt':
66 source => 'puppet:///modules/ssl/clientcerts/ca.crt',
67 notify => Exec['refresh_debian_hashes'],
69 file { '/etc/ssl/debian/crls/ca.crl':
70 source => 'puppet:///modules/ssl/clientcerts/ca.crl',
72 file { '/etc/ssl/debian/certs/thishost-server.crt':
73 source => "puppet:///modules/exim/certs/${::fqdn}.crt",
74 notify => Exec['refresh_debian_hashes'],
76 file { '/etc/ssl/debian/keys/thishost-server.key':
77 source => "puppet:///modules/exim/certs/${::fqdn}.key",
80 require => Package['ssl-cert'],
83 exec { 'retire_debian_links':
84 command => 'find -lname "../servicecerts/*" -exec rm {} +',
85 cwd => '/etc/ssl/certs',
87 notify => Exec['refresh_normal_hashes'],
89 exec { 'refresh_debian_hashes':
90 command => 'c_rehash /etc/ssl/debian/certs',
92 require => Package['openssl'],
94 exec { 'refresh_normal_hashes':
95 # NOTE 1: always use update-ca-certificates to manage hashes in
96 # /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
97 # get a hash overriding the hash that would have been generated
98 # for another certificate ... which is a problem, comrade
99 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
100 command => '/usr/sbin/update-ca-certificates -f',
102 require => Package['ca-certificates'],