From: Julien Cristau
Date: Fri, 6 Jan 2017 17:55:14 +0000 (+0100)
Subject: Switch to LE certs for sip / repro
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=49eccfe9da71e61aafe4a67aa31eac5feeb3130c;p=mirror%2Fdsa-puppet.git
Switch to LE certs for sip / repro
---
diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp
index 888b1137c..7382d1812 100644
--- a/modules/roles/manifests/rtc.pp
+++ b/modules/roles/manifests/rtc.pp
@@ -1,12 +1,13 @@
 class roles::rtc {
- ssl::service { 'www.debian.org':
+ ssl::service { 'debian.org':
 tlsaport => [],
 notify => Service['repro'],
+ key => true,
 }
 ssl::service { 'sip-ws.debian.org':
- tlsaport => [],
+ key => true,
 }
 dnsextras::tlsa_record{ 'tlsa-xmpp':
diff --git a/modules/ssl/files/chains/sip-ws.debian.org.crt b/modules/ssl/files/chains/sip-ws.debian.org.crt
deleted file mode 120000
index 50d224a83..000000000
--- a/modules/ssl/files/chains/sip-ws.debian.org.crt
+++ /dev/null
@@ -1 +0,0 @@
-GANDI-2-CA
\ No newline at end of file
diff --git a/modules/ssl/files/servicecerts/sip-ws.debian.org.crt b/modules/ssl/files/servicecerts/sip-ws.debian.org.crt
deleted file mode 100644
index c49e73d9d..000000000
--- a/modules/ssl/files/servicecerts/sip-ws.debian.org.crt
+++ /dev/null
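Review bot: In the rtc.pp hunk the second resource, `ssl::service { 'sip-ws.debian.org':`, gains `key => true` but carries no `notify`, while the `debian.org` resource above it notifies `Service['repro']`. Let's Encrypt certificates are short-lived and replaced often, so a daemon that is not restarted on renewal keeps serving the old certificate until it expires; if repro (or another service) terminates TLS for sip-ws, add the matching line, e.g. `notify => Service['repro'],`. Dropping `tlsaport => []` on that resource presumably falls back to the define's default port list, which is not visible here, so confirm that any TLSA record it publishes is regenerated together with the renewed certificate. `key => true` presumably installs the private key on the host, so the owner and mode that `ssl::service` gives the key file are worth checking against the account repro runs as. The body of `roles::rtc` continues past the end of the hunk.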
@@ -1,118 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 27:fd:61:53:34:d0:3e:c7:d0:99:c2:42:d7:b9:f9:db - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2 - Validity - Not Before: Dec 11 00:00:00 2015 GMT - Not After : Feb 15 23:59:59 2017 GMT - Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=sip-ws.debian.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (3072 bit) - Modulus: - 00:ba:a6:d2:26:06:bc:41:7e:32:0d:ba:e4:0a:66: - 6e:3a:60:9f:d5:f8:53:3b:fe:44:9e:14:32:4b:b9: - 5b:a9:6c:68:c3:a8:ff:10:a8:39:be:a0:74:dd:45: - 18:d2:e6:26:04:52:c3:bc:47:d4:7e:85:ea:64:e6: - dd:aa:eb:ef:8c:fa:02:6a:86:6f:2b:c3:67:98:a9: - 01:16:2d:f1:9a:b7:99:32:08:a5:2c:c0:4a:71:9b: - 7d:8a:3f:b0:52:62:32:8f:5f:51:fb:2d:3d:9a:b3: - 43:b5:ed:ee:13:ab:5a:7b:b1:aa:d9:63:ca:a7:25: - 79:b8:d1:1b:e6:9f:7f:9d:ac:27:2b:d4:f2:b9:7e: - 56:ac:c0:e0:dd:a0:2f:a6:06:67:51:d6:b7:65:11: - 7c:0f:09:c2:16:cb:7f:78:c2:f4:7d:d8:8f:c0:c5: - 98:74:7b:d8:af:f6:b7:19:ec:19:fb:47:5a:d3:86: - 5b:20:4d:e2:da:1c:77:6d:61:2d:65:8e:64:ae:0d: - 00:ba:8c:c3:49:57:5f:95:6f:5c:21:c6:ed:67:40: - 67:39:c8:43:0c:bc:61:f6:c1:f9:27:bf:5d:d9:47: - 9a:05:a0:ff:ad:d3:e5:0a:48:09:68:d5:d1:92:b9: - 26:50:b8:1b:a4:7b:a9:3b:f0:0f:b3:ff:f8:02:74: - 47:f0:3b:6f:80:d4:57:e4:93:7e:81:04:14:29:1e: - 84:63:d8:70:0d:3f:5c:53:d3:e7:b0:36:b2:21:2a: - 2a:2f:bc:ad:a1:c9:71:b6:c2:43:d3:dd:23:70:65: - ce:c9:a4:55:58:95:f0:66:81:3d:5f:65:b3:35:67: - b1:0c:82:86:84:4b:f9:0a:fa:75:7f:99:8b:8c:da: - 91:7a:db:85:53:1d:e4:12:81:74:be:6b:c0:d0:3c: - fa:88:35:74:55:6a:d7:85:26:fa:6a:d8:c2:a6:ce: - 75:17:a2:0c:23:b8:a0:a1:c3:9d:ab:8b:51:67:4a: - 1e:a3:21:58:06:1f:de:37:bd:4f - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Authority Key Identifier: - keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA - - X509v3 Subject Key Identifier: - E9:DC:7B:40:D6:C8:59:1D:4D:65:BE:00:B4:96:8F:DF:6B:F9:F4:FE 
- X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.6449.1.2.2.26 - CPS: https://cps.usertrust.com - Policy: 2.23.140.1.2.1 - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl - - Authority Information Access: - CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt - OCSP - URI:http://ocsp.usertrust.com - - X509v3 Subject Alternative Name: - DNS:sip-ws.debian.org, DNS:www.sip-ws.debian.org - Signature Algorithm: sha256WithRSAEncryption - 5c:af:8c:b9:f5:dd:e2:d5:2b:a6:ed:31:e3:c1:7f:9d:b4:ca: - 98:08:1d:bf:58:f6:8a:bb:5a:39:e1:31:2b:be:5b:66:a3:c5: - e5:33:17:1d:9e:d6:ac:e0:5b:65:da:8d:26:4b:cc:1f:51:f2: - 4a:3c:ea:47:e1:f5:f1:63:9f:90:99:f9:21:59:a7:42:cd:90: - 2b:36:4c:82:b7:cf:40:02:72:a8:41:cb:c7:d9:07:8f:66:9b: - 9a:37:23:79:ea:57:6c:d0:17:3e:79:3e:16:8b:d5:6f:c7:ee: - c6:45:12:f8:25:50:db:a2:10:75:8a:2f:61:a1:2e:7f:33:84: - 98:f7:83:b7:9d:f7:d9:86:12:c7:ce:30:08:74:9b:b9:69:1b: - 46:3d:b9:81:6d:bc:9c:27:90:48:72:f7:29:f0:c2:d8:cf:0b: - 62:95:dc:19:f7:0d:ac:8b:40:4b:76:07:66:a4:4b:74:da:d1: - db:62:65:33:02:16:17:4b:53:21:53:bb:4d:6c:6f:c1:c6:ad: - 2a:da:4e:ee:bf:ad:33:36:e7:4e:b7:cf:aa:3d:1f:42:69:6c: - 58:1e:36:eb:4c:7b:bd:6e:ef:23:9e:c2:7a:08:33:d4:3b:92: - 4b:b5:a2:2a:09:87:b9:0e:46:5e:7c:44:8f:2e:a1:7e:ca:fa: - 07:38:3c:3c ------BEGIN CERTIFICATE----- -MIIFgjCCBGqgAwIBAgIQJ/1hUzTQPsfQmcJC17n52zANBgkqhkiG9w0BAQsFADBf -MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w -DAYDVQQKEwVHYW5kaTEgMB4GA1UEAxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIw -HhcNMTUxMjExMDAwMDAwWhcNMTcwMjE1MjM1OTU5WjBcMSEwHwYDVQQLExhEb21h -aW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAsTEkdhbmRpIFN0YW5kYXJkIFNT -TDEaMBgGA1UEAxMRc2lwLXdzLmRlYmlhbi5vcmcwggGiMA0GCSqGSIb3DQEBAQUA 
-A4IBjwAwggGKAoIBgQC6ptImBrxBfjINuuQKZm46YJ/V+FM7/kSeFDJLuVupbGjD -qP8QqDm+oHTdRRjS5iYEUsO8R9R+hepk5t2q6++M+gJqhm8rw2eYqQEWLfGat5ky -CKUswEpxm32KP7BSYjKPX1H7LT2as0O17e4Tq1p7sarZY8qnJXm40Rvmn3+drCcr -1PK5flaswODdoC+mBmdR1rdlEXwPCcIWy394wvR92I/AxZh0e9iv9rcZ7Bn7R1rT -hlsgTeLaHHdtYS1ljmSuDQC6jMNJV1+Vb1whxu1nQGc5yEMMvGH2wfknv13ZR5oF -oP+t0+UKSAlo1dGSuSZQuBuke6k78A+z//gCdEfwO2+A1Ffkk36BBBQpHoRj2HAN -P1xT0+ewNrIhKiovvK2hyXG2wkPT3SNwZc7JpFVYlfBmgT1fZbM1Z7EMgoaES/kK -+nV/mYuM2pF624VTHeQSgXS+a8DQPPqINXRVateFJvpq2MKmznUXogwjuKChw52r -i1FnSh6jIVgGH943vU8CAwEAAaOCAbswggG3MB8GA1UdIwQYMBaAFLOQp9jJr07N -YTyffK1df0H9aTDqMB0GA1UdDgQWBBTp3HtA1shZHU1lvgC0lo/fa/n0/jAOBgNV -HQ8BAf8EBAMCBaAwDAYDVR0TAQH/BAIwADAdBgNVHSUEFjAUBggrBgEFBQcDAQYI -KwYBBQUHAwIwSwYDVR0gBEQwQjA2BgsrBgEEAbIxAQICGjAnMCUGCCsGAQUFBwIB -FhlodHRwczovL2Nwcy51c2VydHJ1c3QuY29tMAgGBmeBDAECATBBBgNVHR8EOjA4 -MDagNKAyhjBodHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vR2FuZGlTdGFuZGFyZFNT -TENBMi5jcmwwcwYIKwYBBQUHAQEEZzBlMDwGCCsGAQUFBzAChjBodHRwOi8vY3J0 -LnVzZXJ0cnVzdC5jb20vR2FuZGlTdGFuZGFyZFNTTENBMi5jcnQwJQYIKwYBBQUH -MAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wMwYDVR0RBCwwKoIRc2lwLXdz -LmRlYmlhbi5vcmeCFXd3dy5zaXAtd3MuZGViaWFuLm9yZzANBgkqhkiG9w0BAQsF -AAOCAQEAXK+MufXd4tUrpu0x48F/nbTKmAgdv1j2irtaOeExK75bZqPF5TMXHZ7W -rOBbZdqNJkvMH1HySjzqR+H18WOfkJn5IVmnQs2QKzZMgrfPQAJyqEHLx9kHj2ab -mjcjeepXbNAXPnk+FovVb8fuxkUS+CVQ26IQdYovYaEufzOEmPeDt5332YYSx84w -CHSbuWkbRj25gW28nCeQSHL3KfDC2M8LYpXcGfcNrItAS3YHZqRLdNrR22JlMwIW -F0tTIVO7TWxvwcatKtpO7r+tMzbnTrfPqj0fQmlsWB4260x7vW7vI57Ceggz1DuS -S7WiKgmHuQ5GXnxEjy6hfsr6Bzg8PA== ------END CERTIFICATE-----