From: Julien Cristau Date: Fri, 13 Apr 2018 17:56:27 +0000 (+0200) Subject: Give up on the distinction between /etc/ssl/certs and /etc/ssl/ca-debian X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=cf56b01eaf7330e44d6fce7d6da2e02afd28e2c9;p=mirror%2Fdsa-puppet.git Give up on the distinction between /etc/ssl/certs and /etc/ssl/ca-debian 1) we don't ship EE certs in puppet anymore so the former was empty 2) most software nowadays requires actual CA certs in its trust store rather than EE certs --- diff --git a/modules/ssl/files/README b/modules/ssl/files/README index b87d282fd..e5d51d46a 100644 --- a/modules/ssl/files/README +++ b/modules/ssl/files/README 
@@ -1,29 +1,10 @@ /------------------------------------------------------------------------------ | /etc/ssl/certs - -The purpose of this directory is to allow verification of service certificates -for debian.org services by software that is able to properly verify service -certificates that are available in the default certificate store. - -Please *use it* in preference to other certificate stores when possible. - -/------------------------------------------------------------------------------ | /etc/ssl/ca-debian -This directory contains the certificate(s) for the certificate authorities +These directories contain the certificate(s) for the certificate authorities that have signed current service certificates for debian.org services. -The purpose of this directory is to allow verification of service certificates -for debian.org services by software that is unable to properly verify service -certificates that are available in the default certificate store. - -Please *do not* use it for verification of debian.org service certificates -unless the software you are using is buggy and there is no other alternative. -Please *file bugs* on any software that you find that needs to use this -directory and usertag those bugs using this bts command: - -bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team - /------------------------------------------------------------------------------ | /etc/ssl/ca-global @@ -37,8 +18,3 @@ change their certificate at any time and could change their certificate signing authority at any time. Please *do not* use it for verification of debian.org service certificates. - -Please *do not* use it for verification of certificates when pinning to a -specific service certificate or certificate authority is a viable option. -This directory *only* contains the certificate(s) for the current service -certificates for debian.org services. 
diff --git a/modules/ssl/files/ca-certificates-debian.conf b/modules/ssl/files/ca-certificates-debian.conf deleted file mode 100644 index fc3661b44..000000000 --- a/modules/ssl/files/ca-certificates-debian.conf +++ /dev/null @@ -1,3 +0,0 @@ -# This file is under puppet control -# Only the CAs for debian.org are trusted, see /etc/ssl/README -mozilla/DST_Root_CA_X3.crt diff --git a/modules/ssl/files/ca-certificates.conf b/modules/ssl/files/ca-certificates.conf index cf05c1675..fc3661b44 100644 --- a/modules/ssl/files/ca-certificates.conf +++ b/modules/ssl/files/ca-certificates.conf @@ -1,2 +1,3 @@ # This file is under puppet control -# Only debian.org service certs are trusted, see /etc/ssl/README +# Only the CAs for debian.org are trusted, see /etc/ssl/README +mozilla/DST_Root_CA_X3.crt diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp index 744cb468a..73e805a63 100644 --- a/modules/ssl/manifests/init.pp +++ b/modules/ssl/manifests/init.pp @@ -1,6 +1,4 @@ class ssl { - $caconf = '/etc/ca-certificates.conf' - package { 'openssl': ensure => installed, } @@ -29,7 +27,7 @@ class ssl { } file { '/etc/ca-certificates-debian.conf': mode => '0444', - source => 'puppet:///modules/ssl/ca-certificates-debian.conf', + source => 'puppet:///modules/ssl/ca-certificates.conf', notify => Exec['refresh_ca_debian_hashes'], } file { '/etc/ca-certificates-global.conf':
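Review bot: In the first README hunk (@@ -1,29 +1,10 @@) the two directory headers `| /etc/ssl/certs` and `| /etc/ssl/ca-debian` are kept but the sentence "Please *use it* in preference to other certificate stores when possible" is dropped, so the README no longer says which of the two a client should point at now that "These directories contain the certificate(s) for the certificate authorities". Add one line stating whether /etc/ssl/certs is the preferred path and /etc/ssl/ca-debian a compatibility alias (or vice versa), and consider keeping a shortened form of the "file bugs" paragraph so that software still hard-wired to the old EE-cert layout gets reported rather than silently pointed at a CA store.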
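Review bot: In the second README hunk (@@ -37,8 +18,3 @@) the removed closing sentence "This directory *only* contains the certificate(s) for the current service certificates" contradicted the retained ca-global context (CAs that "could change their certificate signing authority at any time"), so dropping it is correct; the removed pinning advice ("Please *do not* use it ... when pinning to a specific service certificate or certificate authority is a viable option") is still sound, though, and belongs under the /etc/ssl/ca-debian section, which is the store the README now describes as holding the CAs "that have signed current service certificates for debian.org services".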
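Review bot: The deletion of modules/ssl/files/ca-certificates-debian.conf together with the identical three lines appearing in modules/ssl/files/ca-certificates.conf is effectively a rename in reverse, and the surviving name no longer matches the path it is deployed to (/etc/ca-certificates-debian.conf in the init.pp hunk). Either keep the `-debian` source file and drop the other, or add a comment line to the surviving file naming its deployment target, so that nobody later mistakes it for the system-wide /etc/ca-certificates.conf used by update-ca-certificates.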
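Review bot: In the ca-certificates.conf hunk (@@ -1,2 +1,3 @@) the new comment "# Only the CAs for debian.org are trusted" overstates what the file does: listing `mozilla/DST_Root_CA_X3.crt` trusts every certificate that chains to that public root, not only debian.org's, which is a weaker guarantee than the removed "Only debian.org service certs are trusted". Reword to something like "Only the CA(s) currently signing debian.org service certificates are trusted; any certificate chaining to them validates", and add a comment on how the list is to be refreshed when a service changes issuer, since the README's ca-global text already warns that issuers "could change ... at any time".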
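Review bot: The first init.pp hunk (@@ -1,6 +1,4 @@) removes the definition `$caconf = '/etc/ca-certificates.conf'` but shows no change to whatever consumed it; confirm with a grep of the ssl module that no remaining `file`/`exec` resource still references `$caconf`, and that the resource managing the system /etc/ca-certificates.conf (if one existed) is also gone, otherwise hosts keep a puppet-managed file whose content no longer matches the commit message's intent.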
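Review bot: In the second init.pp hunk (@@ -29,7 +27,7 @@) the `file { '/etc/ca-certificates-debian.conf': ... }` resource now pulls `source => 'puppet:///modules/ssl/ca-certificates.conf'` while the target path keeps the `-debian` suffix; the `notify => Exec['refresh_ca_debian_hashes']` is correctly retained so the hash links get rebuilt, but the source/target name mismatch is easy to misread next to the sibling `/etc/ca-certificates-global.conf` resource. Suggest naming the source file after its target, or adding a one-line comment above the resource explaining that this is the debian.org CA store, not the global one.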