1) we don't ship EE certs in puppet anymore so the former was empty
2) most software nowadays requires actual CA certs in its trust store
rather than EE certs
/------------------------------------------------------------------------------
| /etc/ssl/certs
/------------------------------------------------------------------------------
| /etc/ssl/certs
-
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is able to properly verify service
-certificates that are available in the default certificate store.
-
-Please *use it* in preference to other certificate stores when possible.
-
-/------------------------------------------------------------------------------
-This directory contains the certificate(s) for the certificate authorities
+These directories contain the certificate(s) for the certificate authorities
that have signed current service certificates for debian.org services.
that have signed current service certificates for debian.org services.
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is unable to properly verify service
-certificates that are available in the default certificate store.
-
-Please *do not* use it for verification of debian.org service certificates
-unless the software you are using is buggy and there is no other alternative.
-Please *file bugs* on any software that you find that needs to use this
-directory and usertag those bugs using this bts command:
-
-bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team
-
/------------------------------------------------------------------------------
| /etc/ssl/ca-global
/------------------------------------------------------------------------------
| /etc/ssl/ca-global
signing authority at any time.
Please *do not* use it for verification of debian.org service certificates.
signing authority at any time.
Please *do not* use it for verification of debian.org service certificates.
-
-Please *do not* use it for verification of certificates when pinning to a
-specific service certificate or certificate authority is a viable option.
-This directory *only* contains the certificate(s) for the current service
-certificates for debian.org services.
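Review bot: The new "These directories contain the certificate(s) ..." sentence does not name the directories it covers, and the removed lines take with them the only positive guidance ("Please *use it* in preference to other certificate stores when possible"). What remains visible only tells readers not to use /etc/ssl/ca-global for debian.org service certificates. Suggest listing the directories explicitly in that sentence and keeping one line that says which store software should point at for debian.org services. The removed pinning advice ("when pinning to a specific service certificate or certificate authority is a viable option") is also worth keeping in some form if pinning to the CA is still the intended practice.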
+++ /dev/null
-# This file is under puppet control
-# Only the CAs for debian.org are trusted, see /etc/ssl/README
-mozilla/DST_Root_CA_X3.crt
# This file is under puppet control
# This file is under puppet control
-# Only debian.org service certs are trusted, see /etc/ssl/README
+# Only the CAs for debian.org are trusted, see /etc/ssl/README
+mozilla/DST_Root_CA_X3.crt
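Review bot: The trust list now consists of the single entry mozilla/DST_Root_CA_X3.crt, and the header comment only points to /etc/ssl/README without saying how the entry is chosen. Any debian.org service certificate that chains to a different root will fail verification against this store, so a comment stating that the list must be updated before services move to another signing CA would help whoever next touches the file. The deleted file (+++ /dev/null) carried the same two content lines, so it is also worth saying in the commit message that this is a move of that content rather than new trust.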
- $caconf = '/etc/ca-certificates.conf'
-
package { 'openssl':
ensure => installed,
}
package { 'openssl':
ensure => installed,
}
}
file { '/etc/ca-certificates-debian.conf':
mode => '0444',
}
file { '/etc/ca-certificates-debian.conf':
mode => '0444',
- source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+ source => 'puppet:///modules/ssl/ca-certificates.conf',
notify => Exec['refresh_ca_debian_hashes'],
}
file { '/etc/ca-certificates-global.conf':
notify => Exec['refresh_ca_debian_hashes'],
}
file { '/etc/ca-certificates-global.conf':
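Review bot: In the file { '/etc/ca-certificates-debian.conf': resource, the target keeps the -debian name while its source becomes 'puppet:///modules/ssl/ca-certificates.conf', which is easy to misread as managing /etc/ca-certificates.conf. A one-line comment above the source line explaining the mapping would avoid that. Since the $caconf = '/etc/ca-certificates.conf' assignment is removed, please confirm that no resource elsewhere in the class still interpolates $caconf, and that Exec['refresh_ca_debian_hashes'] does not depend on the old source file name.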