Give up on the distinction between /etc/ssl/certs and /etc/ssl/ca-debian

1) we don't ship EE certs in puppet anymore so the former was empty
2) most software nowadays requires actual CA certs in its trust store
   rather than EE certs

diff --git a/modules/ssl/files/README b/modules/ssl/files/README
index b87d282..e5d51d4 100644 (file)
--- a/modules/ssl/files/README
+++ b/modules/ssl/files/README
@@ -1,29 +1,10 @@
 /------------------------------------------------------------------------------
 | /etc/ssl/certs
-
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is able to properly verify service
-certificates that are available in the default certificate store.
-
-Please *use it* in preference to other certificate stores when possible.
-
-/------------------------------------------------------------------------------
 | /etc/ssl/ca-debian
 
-This directory contains the certificate(s) for the certificate authorities
+These directories contain the certificate(s) for the certificate authorities
 that have signed current service certificates for debian.org services.
 
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is unable to properly verify service
-certificates that are available in the default certificate store.
-
-Please *do not* use it for verification of debian.org service certificates
-unless the software you are using is buggy and there is no other alternative.
-Please *file bugs* on any software that you find that needs to use this
-directory and usertag those bugs using this bts command:
-
-bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team
-
 /------------------------------------------------------------------------------
 | /etc/ssl/ca-global
 
@@ -37,8 +18,3 @@ change their certificate at any time and could change their certificate
 signing authority at any time.
 
 Please *do not* use it for verification of debian.org service certificates.
-
-Please *do not* use it for verification of certificates when pinning to a
-specific service certificate or certificate authority is a viable option.
-This directory *only* contains the certificate(s) for the current service
-certificates for debian.org services.

diff --git a/modules/ssl/files/ca-certificates-debian.conf b/modules/ssl/files/ca-certificates-debian.conf
deleted file mode 100644 (file)
index fc3661b..0000000
--- a/modules/ssl/files/ca-certificates-debian.conf
+++ /dev/null
@@ -1,3 +0,0 @@
-# This file is under puppet control
-# Only the CAs for debian.org are trusted, see /etc/ssl/README
-mozilla/DST_Root_CA_X3.crt

diff --git a/modules/ssl/files/ca-certificates.conf b/modules/ssl/files/ca-certificates.conf
index cf05c16..fc3661b 100644 (file)
--- a/modules/ssl/files/ca-certificates.conf
+++ b/modules/ssl/files/ca-certificates.conf
@@ -1,2 +1,3 @@
 # This file is under puppet control
-# Only debian.org service certs are trusted, see /etc/ssl/README
+# Only the CAs for debian.org are trusted, see /etc/ssl/README
+mozilla/DST_Root_CA_X3.crt

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 744cb46..73e805a 100644 (file)
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -1,6 +1,4 @@
 class ssl {
-       $caconf = '/etc/ca-certificates.conf'
-
        package { 'openssl':
                ensure   => installed,
        }
@@ -29,7 +27,7 @@ class ssl {
        }
        file { '/etc/ca-certificates-debian.conf':
                mode    => '0444',
-               source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+               source => 'puppet:///modules/ssl/ca-certificates.conf',
                notify  => Exec['refresh_ca_debian_hashes'],
        }
        file { '/etc/ca-certificates-global.conf':