From: Paul Wise <pabs@debian.org>
Date: Sun, 3 Sep 2017 12:37:57 +0000 (+0800)
Subject: Also apply the ca-global blacklist on godard
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=2c913053fee480323b0801cefff685af2dbe1bf7;p=mirror%2Fdsa-puppet.git

Also apply the ca-global blacklist on godard
---

diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 756661e06..4a629fbd4 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,12 +11,20 @@ class ssl {
 		ensure   => installed,
 	}
 
+	if $::hostname == 'godard' {
+		$extra_ssl_certs_flags = ' --default'
+		$ssl_certs_config = 'puppet:///modules/ssl/ca-certificates-global.conf'
+	} else {
+		$extra_ssl_certs_flags = ''
+		$ssl_certs_config = 'puppet:///modules/ssl/ca-certificates.conf'
+	}
+
 	file { '/etc/ssl/README':
 		mode   => '0444',
 		source => 'puppet:///modules/ssl/README',
 	}
 	file { '/etc/ca-certificates.conf':
-		source => 'puppet:///modules/ssl/ca-certificates.conf',
+		source => $ssl_certs_config,
 		notify  => Exec['refresh_normal_hashes'],
 	}
 	file { '/etc/ca-certificates-debian.conf':
@@ -156,11 +164,6 @@ class ssl {
 		refreshonly => true,
 		require     => Package['openssl'],
 	}
-	if $::hostname == 'godard' {
-		$extra_ssl_certs_flags = ' --default'
-	} else {
-		$extra_ssl_certs_flags = ''
-	}
 
 	exec { 'refresh_normal_hashes':
 		# NOTE 1: always use update-ca-certificates to manage hashes in