From: Julien Cristau
Date: Fri, 6 Jan 2017 13:34:43 +0000 (+0100)
Subject: Switch db.d.o to letsencrypt
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=1f1aa0ea7fee69c0fa68cd1150e5ccbbe25f1ead;p=mirror%2Fdsa-puppet.git
Switch db.d.o to letsencrypt
---
diff --git a/modules/debian-org/templates/ldap.conf.erb b/modules/debian-org/templates/ldap.conf.erb
index cabf456e0..b3f514b70 100644
--- a/modules/debian-org/templates/ldap.conf.erb
+++ b/modules/debian-org/templates/ldap.conf.erb
@@ -20,9 +20,5 @@ URI ldap://db.debian.org
 BASE dc=debian,dc=org
-<% if @lsbmajdistrelease.to_i >= 8 -%>
 TLS_CACERT /etc/ssl/ca-debian/ca-certificates.crt
-<% else -%>
-TLS_CACERT /etc/ssl/servicecerts/db.debian.org.crt
-<% end -%>
 TLS_REQCERT hard
diff --git a/modules/roles/manifests/dbmaster.pp b/modules/roles/manifests/dbmaster.pp
index c45a1389a..334857fec 100644
--- a/modules/roles/manifests/dbmaster.pp
+++ b/modules/roles/manifests/dbmaster.pp
@@ -14,7 +14,16 @@ class roles::dbmaster {
 ssl::service { 'db.debian.org':
 notify => Exec['service apache2 reload'],
-tlsaport => [],
+key => true,
+tlsaport => [443, 389, 636],
+}
+
+file { "/etc/ldap/db.debian.org.key":
+ensure => present,
+mode => '0440',
+group => 'openldap',
+source => 'puppet:///modules/ssl/from-letsencrypt/db.debian.org.key',
+links => follow,
 }
 roles::pubsub::config { 'generate':
diff --git a/modules/ssl/files/chains/db.debian.org.crt b/modules/ssl/files/chains/db.debian.org.crt
deleted file mode 120000
index 50d224a83..000000000
--- a/modules/ssl/files/chains/db.debian.org.crt
+++ /dev/null
@@ -1 +0,0 @@
-GANDI-2-CA
\ No newline at end of file
diff --git a/modules/ssl/files/servicecerts/db.debian.org.crt b/modules/ssl/files/servicecerts/db.debian.org.crt
deleted file mode 100644
index 86fe1856f..000000000
--- a/modules/ssl/files/servicecerts/db.debian.org.crt
+++ /dev/null
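Review bot: Dropping the `@lsbmajdistrelease` guard means hosts below release 8, which previously pinned `/etc/ssl/servicecerts/db.debian.org.crt`, now also point TLS_CACERT at `/etc/ssl/ca-debian/ca-certificates.crt`; with `TLS_REQCERT hard` kept on the last line, any client where that bundle is absent or does not contain the Let's Encrypt issuer chain will refuse every LDAP TLS connection rather than fall back. The hunk does not show that the bundle is deployed to those older hosts, so that is worth confirming before rollout. The trust model also moves from a pinned leaf certificate to the system bundle, presumably so renewals no longer require redistributing a pinned file; a comment above TLS_CACERT would record that, e.g. `# db.debian.org uses a Let's Encrypt cert: trust comes from the system CA bundle, not a pinned service cert`.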
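Review bot: The new `file { "/etc/ldap/db.debian.org.key": … }` resource installs a private key but carries no `notify`, so when the Let's Encrypt key is rotated the on-disk file changes while a running slapd keeps the old key loaded; the only reload visible in the hunk is the `Exec['service apache2 reload']` on the ssl::service, which does not cover slapd (how slapd consumes this path is not shown here, so confirm). The resource also leaves `owner` unmanaged and keeps Puppet's default diff reporting, so a change to the key material could be echoed into agent reports. I would add `owner => 'root',` and `show_diff => false,` next to `mode => '0440'`, plus a notify to whatever resource reloads slapd. Mode 0440 with group openldap is otherwise appropriate for a key read by the LDAP server.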
@@ -1,118 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 3d:23:f3:07:48:4a:e7:00:04:b2:04:c2:4b:11:02:c4 - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2 - Validity - Not Before: Dec 11 00:00:00 2015 GMT - Not After : Jan 20 23:59:59 2017 GMT - Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=db.debian.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (3072 bit) - Modulus: - 00:df:fb:0e:56:59:29:1e:52:10:bc:c5:ee:b7:67: - e8:b5:b1:b9:e6:e9:57:21:6e:d5:e5:e5:b7:3c:62: - f8:c8:a0:f5:c4:74:65:90:f7:86:9d:09:71:4a:de: - b0:00:4e:cc:4e:ba:02:e8:46:b5:c1:6e:b3:f2:7f: - f3:c0:86:33:6a:f7:f6:ed:e7:e5:a7:39:3b:fe:18: - a6:9e:7b:f7:de:d8:25:15:7b:db:97:4b:e2:85:fb: - e5:5a:5c:e2:9f:23:10:8f:cb:c8:81:6d:79:93:76: - db:38:af:f7:35:bb:a8:22:8a:6a:19:ea:d6:db:aa: - 0e:45:7e:f3:80:44:01:1a:55:74:86:9a:5a:69:ff: - 2a:ab:04:83:17:8d:2a:89:b2:38:bb:e7:f7:a2:15: - 09:30:05:ef:ca:ee:74:f9:89:1d:f4:82:97:ef:8d: - 16:68:34:ca:ee:c3:3f:2b:97:7f:c6:09:7c:0e:a3: - f3:f9:05:b9:e6:a7:2b:60:75:cb:fc:30:f0:c4:9b: - 2f:78:80:76:02:f0:56:d4:49:93:04:58:c8:a9:fc: - a7:9f:b2:6f:0c:d7:f4:bd:fa:19:68:18:b3:d3:97: - 52:7f:31:e3:de:13:e4:68:db:19:05:71:50:db:7b: - a8:99:d1:b6:25:30:61:5a:22:38:04:6b:bf:51:08: - d0:2a:b8:00:d5:d5:68:b0:dc:91:ce:72:d1:ad:8f: - 63:77:38:35:65:65:28:66:1b:77:17:50:0b:59:fa: - 9c:7f:77:99:60:c8:af:ab:ee:ec:95:f7:0a:a0:c3: - af:c1:41:94:d5:55:b6:20:62:bf:4a:bf:7a:25:5b: - f5:dc:c1:cc:e9:ed:b7:78:40:e8:63:89:14:0b:b0: - 0c:37:fb:83:b9:ea:1a:af:2a:a9:ca:fb:10:8c:95: - 07:cc:ad:43:95:cc:82:d2:c2:a6:62:64:2f:32:1d: - 45:87:dd:b1:03:1a:ed:c0:1b:97:44:c7:03:0c:17: - 8a:07:28:b4:50:34:69:82:0f:05 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Authority Key Identifier: - keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA - - X509v3 Subject Key Identifier: - 32:46:59:7C:E7:0A:EF:FE:AB:21:4B:0A:65:08:E1:C9:97:CB:50:C2 - 
X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.6449.1.2.2.26 - CPS: https://cps.usertrust.com - Policy: 2.23.140.1.2.1 - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl - - Authority Information Access: - CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt - OCSP - URI:http://ocsp.usertrust.com - - X509v3 Subject Alternative Name: - DNS:db.debian.org, DNS:www.db.debian.org - Signature Algorithm: sha256WithRSAEncryption - 83:56:ba:ff:87:59:52:0a:ec:fe:23:0e:90:c5:64:49:64:28: - a1:af:90:05:e2:a2:3d:ee:c9:a3:07:6f:b6:e4:ed:a3:e0:f0: - bd:cb:0b:db:8e:92:98:cf:d1:3a:bb:a0:dd:72:a8:24:aa:98: - 88:f5:cb:9c:04:05:32:dc:6c:9b:cc:71:1a:7f:a6:48:c5:de: - 57:a7:7e:aa:9f:51:87:2a:f9:74:17:4f:53:64:5c:7e:15:ef: - a8:d1:5b:45:4a:b7:69:6b:9b:1b:bf:53:51:6c:a8:a8:e7:d9: - 94:1e:81:d0:7b:11:17:f3:4d:8c:ed:f8:d0:fb:0f:f1:bb:7e: - 96:2e:94:a9:2d:9c:77:24:15:4f:9b:46:58:ff:bb:af:9b:44: - d6:02:e4:8c:f7:3d:2e:c3:d9:cb:a9:24:35:9a:f1:70:d6:46: - 8c:1e:eb:e4:f8:d9:71:8d:69:40:1d:26:66:85:87:05:3f:e7: - 13:4b:d9:c9:66:52:fc:3b:f5:b8:72:64:f6:57:74:d1:b3:f1: - 15:3a:45:e4:d9:28:f2:f5:98:f6:8a:90:60:eb:c7:08:dc:39: - 8f:04:55:13:49:98:00:32:3a:57:ae:23:f9:9f:1b:cb:99:68: - 43:b2:18:f5:7a:91:b5:02:53:a8:ce:ec:2a:42:dc:de:fd:ef: - 06:16:40:2d ------BEGIN CERTIFICATE----- -MIIFdjCCBF6gAwIBAgIQPSPzB0hK5wAEsgTCSxECxDANBgkqhkiG9w0BAQsFADBf -MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w -DAYDVQQKEwVHYW5kaTEgMB4GA1UEAxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIw -HhcNMTUxMjExMDAwMDAwWhcNMTcwMTIwMjM1OTU5WjBYMSEwHwYDVQQLExhEb21h -aW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAsTEkdhbmRpIFN0YW5kYXJkIFNT -TDEWMBQGA1UEAxMNZGIuZGViaWFuLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGP 
-ADCCAYoCggGBAN/7DlZZKR5SELzF7rdn6LWxuebpVyFu1eXltzxi+Mig9cR0ZZD3 -hp0JcUresABOzE66AuhGtcFus/J/88CGM2r39u3n5ac5O/4Ypp57997YJRV725dL -4oX75Vpc4p8jEI/LyIFteZN22ziv9zW7qCKKahnq1tuqDkV+84BEARpVdIaaWmn/ -KqsEgxeNKomyOLvn96IVCTAF78rudPmJHfSCl++NFmg0yu7DPyuXf8YJfA6j8/kF -ueanK2B1y/ww8MSbL3iAdgLwVtRJkwRYyKn8p5+ybwzX9L36GWgYs9OXUn8x494T -5GjbGQVxUNt7qJnRtiUwYVoiOARrv1EI0Cq4ANXVaLDckc5y0a2PY3c4NWVlKGYb -dxdQC1n6nH93mWDIr6vu7JX3CqDDr8FBlNVVtiBiv0q/eiVb9dzBzOntt3hA6GOJ -FAuwDDf7g7nqGq8qqcr7EIyVB8ytQ5XMgtLCpmJkLzIdRYfdsQMa7cAbl0THAwwX -igcotFA0aYIPBQIDAQABo4IBszCCAa8wHwYDVR0jBBgwFoAUs5Cn2MmvTs1hPJ98 -rV1/Qf1pMOowHQYDVR0OBBYEFDJGWXznCu/+qyFLCmUI4cmXy1DCMA4GA1UdDwEB -/wQEAwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEF -BQcDAjBLBgNVHSAERDBCMDYGCysGAQQBsjEBAgIaMCcwJQYIKwYBBQUHAgEWGWh0 -dHBzOi8vY3BzLnVzZXJ0cnVzdC5jb20wCAYGZ4EMAQIBMEEGA1UdHwQ6MDgwNqA0 -oDKGMGh0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0Ey -LmNybDBzBggrBgEFBQcBAQRnMGUwPAYIKwYBBQUHMAKGMGh0dHA6Ly9jcnQudXNl -cnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNydDAlBggrBgEFBQcwAYYZ -aHR0cDovL29jc3AudXNlcnRydXN0LmNvbTArBgNVHREEJDAigg1kYi5kZWJpYW4u -b3JnghF3d3cuZGIuZGViaWFuLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAg1a6/4dZ -Ugrs/iMOkMVkSWQooa+QBeKiPe7JowdvtuTto+DwvcsL246SmM/ROrug3XKoJKqY -iPXLnAQFMtxsm8xxGn+mSMXeV6d+qp9Rhyr5dBdPU2RcfhXvqNFbRUq3aWubG79T -UWyoqOfZlB6B0HsRF/NNjO340PsP8bt+li6UqS2cdyQVT5tGWP+7r5tE1gLkjPc9 -LsPZy6kkNZrxcNZGjB7r5PjZcY1pQB0mZoWHBT/nE0vZyWZS/Dv1uHJk9ld00bPx -FTpF5Nko8vWY9oqQYOvHCNw5jwRVE0mYADI6V64j+Z8by5loQ7IY9XqRtQJTqM7s -KkLc3v3vBhZALQ== ------END CERTIFICATE-----