Remove AddTrust as it isn't used any more.
Switch from the DST root CA to ISRG on jessie and newer
for Let's Encrypt since it has fewer intermediate CAs.
The ISRG root isn't available in wheezy ca-certificates.
Document why each CA cert is being used with comments.
--- /dev/null
+# This file is under puppet control
+# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
+
+# Let's Encrypt: used by almost all Debian machines
+# Use the DST root as the ISRG one is not in wheezy yet
+#mozilla/ISRG_Root_X1.crt
+mozilla/DST_Root_CA_X3.crt
+
+# Gandi: used by *.alioth.d.o only
+mozilla/UTN_USERFirst_Hardware_Root_CA.crt
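Review bot: The wheezy variant duplicates the jessie-and-newer list apart from the Let's Encrypt root, so the two files will drift unless each one says the other exists; the comment above the DST entry should state that this file is the wheezy-only fallback and name the file it mirrors, e.g. `# wheezy-only variant of ca-certificates-debian.conf: keep the other entries in sync with it`. DST Root CA X3 also has a much shorter remaining validity than ISRG Root X1, so a note that the commented-out ISRG line is to be enabled (and this file retired) once wheezy is gone would help whoever maintains the trust list later. The same drift concern applies to the ca-certificates-debian.conf hunk that follows; I cannot see this file's name in the chunk, so the cross-reference wording is inferred from the manifest change further down.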
# This file is under puppet control
# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
-mozilla/AddTrust_External_Root.crt
+
+# Let's Encrypt: used by almost all Debian machines
+mozilla/ISRG_Root_X1.crt
+
+# Gandi: used by *.alioth.d.o only
mozilla/UTN_USERFirst_Hardware_Root_CA.crt
-mozilla/DST_Root_CA_X3.crt
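Review bot: With only ISRG Root X1 trusted for Let's Encrypt, path building succeeds only when the intermediate presented by the server chains to ISRG Root X1; Let's Encrypt servers commonly sent the intermediate cross-signed by DST Root CA X3, and older OpenSSL releases do not try alternative chains, so a client using this store could reject a valid leaf. I cannot tell from the hunk which chain the debian.org services actually serve, so this is worth confirming before rollout and recording next to the entry, e.g. `# requires the ISRG-signed intermediate in the served chain, not the DST cross-sign`. The rest of the hunk only adds explanatory comments and drops the unused AddTrust root, which matches the commit message.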
source => 'puppet:///modules/ssl/ca-certificates.conf',
notify => Exec['refresh_normal_hashes'],
}
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
+ $ca_debian_conf_suffix = ''
+ } else {
+ $ca_debian_conf_suffix = 'wheezy'
+ }
file { '/etc/ca-certificates-debian.conf':
mode => '0444',
- source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+ source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf",
notify => Exec['refresh_ca_debian_hashes'],
}
file { '/etc/ca-certificates-global.conf':
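Review bot: The suffix is concatenated with no separator, so the else branch resolves the source to `ca-certificates-debianwheezy.conf`; the added file's header is not visible in this chunk, so I cannot confirm that matches the new file's name, and a separated suffix such as `$ca_debian_conf_suffix = '-wheezy'` would read more naturally and make a mismatch easier to spot. The conditional also deserves a why-comment, since the release check otherwise looks arbitrary: `# wheezy's ca-certificates lacks ISRG Root X1, so releases before 8 keep the DST root variant`. Note that every release older than 8 (not just wheezy) gets the wheezy file, which is probably intended but worth saying in that comment. The file resource the first three context lines belong to begins outside the hunk.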