Use update-ca-certificates to update ca-global on stretch and later

diff --git a/modules/ssl/files/local-ssl-ca-global b/modules/ssl/files/local-ssl-ca-global
deleted file mode 100644 (file)
index 17aa6a8..0000000
--- a/modules/ssl/files/local-ssl-ca-global
+++ /dev/null
@@ -1,6 +0,0 @@
-DPkg::Pre-Install-Pkgs {
-  "if grep -q '/ca-certificates_.*\.deb$' ; then touch /run/dsa-ca-certificates-global ; fi";
-};
-DPkg::Post-Invoke {
-  "if [ -e /run/dsa-ca-certificates-global ] && [ -e /usr/local/sbin/update-ca-certificates-dsa ] ; then /usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null ; rm -f /run/dsa-ca-certificates-global ; fi";
-};

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 73e805a..21e51e6 100644 (file)
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -37,7 +37,7 @@ class ssl {
 
        file { '/etc/apt/apt.conf.d/local-ssl-ca-global':
                mode   => '0444',
-               source => 'puppet:///modules/ssl/local-ssl-ca-global',
+               content => template('ssl/local-ssl-ca-global.erb'),
        }
 
        file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':

diff --git a/modules/ssl/templates/local-ssl-ca-global.erb b/modules/ssl/templates/local-ssl-ca-global.erb
new file mode 100644 (file)
index 0000000..8d6a8f3
--- /dev/null
+++ b/modules/ssl/templates/local-ssl-ca-global.erb
@@ -0,0 +1,6 @@
+DPkg::Pre-Install-Pkgs {
+  "if grep -q '/ca-certificates_.*\.deb$' ; then touch /run/dsa-ca-certificates-global ; fi";
+};
+DPkg::Post-Invoke {
+  "if [ -e /run/dsa-ca-certificates-global ] && [ -e \"<?= @updatecacerts %>" ] ; then \"<?= @updatecacerts %>\" --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null ; rm -f /run/dsa-ca-certificates-global ; fi";
+};