# Partial listing: only some lines of this manifest are present, so each
# resource body (ensure/owner/group/mode, closing braces) is incomplete here.
# Root CA whose entry in /etc/ca-certificates.conf is force-selected by
# Exec['modify_configuration'] below: a leading '!' in that file marks a CA
# as deselected and the sed strips it. If the distribution ships this CA
# deselected, this re-enables it for every TLS client on the host, so the
# reason for needing it belongs next to this value.
3 $cacert = 'mozilla/UTN_USERFirst_Hardware_Root_CA.crt'
4 $caconf = '/etc/ca-certificates.conf'
12 package { 'ca-certificates':
# Public service certificates; world-readable 0644 is appropriate for certs.
16 file { '/etc/ssl/servicecerts':
18 source => 'puppet:///modules/ssl/servicecerts/',
19 mode => '0644', # this works; otherwise all files are +x
23 notify => Exec['refresh_debian_links'],
25 file { '/etc/ssl/debian':
27 source => 'puppet:///files/empty/',
28 mode => '0644', # this works; otherwise all files are +x
33 file { '/etc/ssl/debian/certs':
37 file { '/etc/ssl/debian/crls':
# Private keys live here. Package['ssl-cert'] is required, presumably for
# the ssl-cert group used in the owner/group/mode lines not shown --
# confirm the directory and the keys below are not world-readable.
41 file { '/etc/ssl/debian/keys':
45 require => Package['ssl-cert'],
47 file { '/etc/ssl/debian/certs/thishost.crt':
48 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
49 notify => Exec['refresh_debian_hashes'],
# NOTE(review): per-host private key fetched from the 'modules' fileserver
# mount, selected only by ${::fqdn}. Unless fileserver access control
# restricts each <fqdn>.key to the matching node, one node could retrieve
# keys belonging to other hosts -- verify the mount's auth rules.
51 file { '/etc/ssl/debian/keys/thishost.key':
52 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
55 require => Package['ssl-cert'],
57 file { '/etc/ssl/debian/certs/ca.crt':
58 source => 'puppet:///modules/ssl/clientcerts/ca.crt',
59 notify => Exec['refresh_debian_hashes'],
# Nothing shown rehashes /etc/ssl/debian/crls when this CRL changes
# (refresh_debian_hashes only covers /etc/ssl/debian/certs). If consumers
# look the CRL up by hash, a link would need generating -- confirm how
# ca.crl is consumed.
61 file { '/etc/ssl/debian/crls/ca.crl':
62 source => 'puppet:///modules/ssl/clientcerts/ca.crl',
64 file { '/etc/ssl/debian/certs/thishost-server.crt':
65 source => "puppet:///modules/exim/certs/${::fqdn}.crt",
66 notify => Exec['refresh_debian_hashes'],
# Same fileserver-mount consideration as thishost.key above.
68 file { '/etc/ssl/debian/keys/thishost-server.key':
69 source => "puppet:///modules/exim/certs/${::fqdn}.key",
72 require => Package['ssl-cert'],
# Symlinks every servicecert into the system CApath. -f replaces any
# existing entry of the same name, so a servicecert whose filename collides
# with a link managed by update-ca-certificates would shadow it. With an
# empty servicecerts dir the unexpanded '*' makes cp fail and the exec
# report an error.
75 exec { 'refresh_debian_links':
76 command => 'cp -f -s ../servicecerts/* .',
77 cwd => '/etc/ssl/certs',
79 notify => Exec['delete_unused_links'],
# -L follows links, so '-type l' only matches links whose target is gone:
# this removes dangling symlinks (e.g. for servicecerts that were removed)
# and nothing else in /etc/ssl/certs.
81 exec { 'delete_unused_links':
82 command => 'find -L . -mindepth 1 -maxdepth 1 -type l -delete',
83 cwd => '/etc/ssl/certs',
85 notify => Exec['refresh_normal_hashes'], # see NOTE 1
# Drops the '!' that deselects $cacert, then rebuilds the bundle via
# refresh_normal_hashes. The onlyif guard is a fixed-string, whole-line
# match (-F -x); the sed pattern is an unanchored regex in which the '.'
# of $cacert is a wildcard -- harmless while the guard gates it, but keep
# the two in step if $cacert changes. The conf file belongs to the
# ca-certificates package; if a package upgrade rewrites it, this exec
# re-applies the edit on the next run.
87 exec { 'modify_configuration':
88 command => "sed -i -e 's#!${cacert}#${cacert}#' ${caconf}",
89 onlyif => "grep -Fqx '!${cacert}' ${caconf}",
90 notify => Exec['refresh_normal_hashes'],
91 require => Package['ca-certificates'],
# c_rehash is acceptable for this private CApath because
# update-ca-certificates does not manage /etc/ssl/debian/certs (contrast
# NOTE 1 on the next exec, which covers /etc/ssl/certs).
93 exec { 'refresh_debian_hashes':
94 command => 'c_rehash /etc/ssl/debian/certs',
96 require => Package['openssl'],
98 exec { 'refresh_normal_hashes':
99 # NOTE 1: always use update-ca-certificates to manage hashes in
100 # /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
101 # get a hash overriding the hash that would have been generated
102 # for another certificate ... which is problem, comrade
103 # NOTE 2: always ask update-ca-certificates to freshen (-f) the links
104 command => '/usr/sbin/update-ca-certificates -f',
106 require => Package['ca-certificates'],