2 $caconf = '/etc/ca-certificates.conf'
10 package { 'ca-certificates':
14 file { '/etc/ssl/servicecerts':
18 target => '/usr/local/share/ca-certificates/debian.org',
19 notify => Exec['retire_debian_links'],
22 file { '/usr/local/share/ca-certificates/debian.org':
24 source => 'puppet:///modules/ssl/servicecerts/',
25 mode => '0644', # 0644 keeps the certificate files non-executable; Puppet adds the search bit to directories on its own, whereas 0755 here would make every cert +x
29 notify => Exec['refresh_normal_hashes'],
31 file { '/etc/ssl/debian':
33 source => 'puppet:///files/empty/',
34 mode => '0644', # 0644 keeps the files non-executable; Puppet adds the search bit to directories on its own, whereas 0755 here would make every file +x
39 file { '/etc/ssl/debian/certs':
43 file { '/etc/ssl/debian/crls':
47 file { '/etc/ssl/debian/keys':
51 require => Package['ssl-cert'],
53 file { '/etc/ssl/debian/certs/thishost.crt':
54 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
55 notify => Exec['refresh_debian_hashes'],
57 file { '/etc/ssl/debian/keys/thishost.key':
58 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
61 require => Package['ssl-cert'],
63 file { '/etc/ssl/debian/certs/ca.crt':
64 source => 'puppet:///modules/ssl/clientcerts/ca.crt',
65 notify => Exec['refresh_debian_hashes'],
67 file { '/etc/ssl/debian/crls/ca.crl':
68 source => 'puppet:///modules/ssl/clientcerts/ca.crl',
70 file { '/etc/ssl/debian/certs/thishost-server.crt':
71 source => "puppet:///modules/exim/certs/${::fqdn}.crt",
72 notify => Exec['refresh_debian_hashes'],
74 file { '/etc/ssl/debian/keys/thishost-server.key':
75 source => "puppet:///modules/exim/certs/${::fqdn}.key",
78 require => Package['ssl-cert'],
81 exec { 'retire_debian_links':
82 command => 'find -lname "../servicecerts/*" -exec rm {} +',
83 cwd => '/etc/ssl/certs',
85 notify => Exec['refresh_normal_hashes'],
87 exec { 'refresh_debian_hashes':
88 command => 'c_rehash /etc/ssl/debian/certs',
90 require => Package['openssl'],
92 exec { 'refresh_normal_hashes':
93 # NOTE 1: only update-ca-certificates may manage the hash symlinks in
94 # /etc/ssl/certs. Running c_rehash there would also hash the
95 # ca-certificates.crt bundle, and that link can replace the hash link of
96 # an individual CA, which then silently stops being found by OpenSSL.
97 # NOTE 2: always pass -f so stale links (e.g. certs removed by retire_debian_links) are dropped, not just new ones added
98 command => '/usr/sbin/update-ca-certificates -f',
100 require => Package['ca-certificates'],