From: Paul Wise <pabs@debian.org>
Date: Sat, 25 Mar 2017 07:56:59 +0000 (+0800)
Subject: Revert "Update configuration for SSL ca-debian cert store"
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=d86d9ae66df267a773e231227bf4f08da88c46ad;p=mirror%2Fdsa-puppet.git

Revert "Update configuration for SSL ca-debian cert store"

This reverts commit f35f47969e10aeeaf6a48ad2a0f4dbde1f2f9de3.
---

diff --git a/modules/ssl/files/ca-certificates-debian-wheezy.conf b/modules/ssl/files/ca-certificates-debian-wheezy.conf
deleted file mode 100644
index 870aac54a..000000000
--- a/modules/ssl/files/ca-certificates-debian-wheezy.conf
+++ /dev/null
@@ -1,10 +0,0 @@
-# This file is under puppet control
-# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
-
-# Let's Encrypt: used by almost all Debian machines
-# Use the DST root as the ISRG one is not in wheezy yet
-#mozilla/ISRG_Root_X1.crt
-mozilla/DST_Root_CA_X3.crt
-
-# Gandi: used by *.alioth.d.o only
-mozilla/UTN_USERFirst_Hardware_Root_CA.crt
diff --git a/modules/ssl/files/ca-certificates-debian.conf b/modules/ssl/files/ca-certificates-debian.conf
index a02c01294..0c23a14fc 100644
--- a/modules/ssl/files/ca-certificates-debian.conf
+++ b/modules/ssl/files/ca-certificates-debian.conf
@@ -1,8 +1,5 @@
 # This file is under puppet control
 # Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
-
-# Let's Encrypt: used by almost all Debian machines
-mozilla/ISRG_Root_X1.crt
-
-# Gandi: used by *.alioth.d.o only
+mozilla/AddTrust_External_Root.crt
 mozilla/UTN_USERFirst_Hardware_Root_CA.crt
+mozilla/DST_Root_CA_X3.crt
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 85e7e3558..9e900bec1 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -19,14 +19,9 @@ class ssl {
 		source => 'puppet:///modules/ssl/ca-certificates.conf',
 		notify  => Exec['refresh_normal_hashes'],
 	}
-	if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
-		$ca_debian_conf_suffix = ''
-	} else {
-		$ca_debian_conf_suffix = '-wheezy'
-	}
 	file { '/etc/ca-certificates-debian.conf':
 		mode    => '0444',
-		source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf",
+		source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
 		notify  => Exec['refresh_ca_debian_hashes'],
 	}
 	file { '/etc/ca-certificates-global.conf':