From: Paul Wise
Date: Sat, 25 Mar 2017 06:52:02 +0000 (+0800)
Subject: Update configuration for SSL ca-debian cert store
X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=f35f47969e10aeeaf6a48ad2a0f4dbde1f2f9de3;p=mirror%2Fdsa-puppet.git
Update configuration for SSL ca-debian cert store
Remove AddTrust as it isn't used any more. Switch from the DST root CA to ISRG on jessie and newer for Let's Encrypt since it has less intermediate CAs. The ISRG root isn't available in wheezy ca-certificates. Document why each CA cert is being used with comments.
---
diff --git a/modules/ssl/files/ca-certificates-debian-wheezy.conf b/modules/ssl/files/ca-certificates-debian-wheezy.conf
new file mode 100644
index 000000000..870aac54a
--- /dev/null
+++ b/modules/ssl/files/ca-certificates-debian-wheezy.conf
@@ -0,0 +1,10 @@
+# This file is under puppet control
+# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
+
+# Let's Encrypt: used by almost all Debian machines
+# Use the DST root as the ISRG one is not in wheezy yet
+#mozilla/ISRG_Root_X1.crt
+mozilla/DST_Root_CA_X3.crt
+
+# Gandi: used by *.alioth.d.o only
+mozilla/UTN_USERFirst_Hardware_Root_CA.crt
diff --git a/modules/ssl/files/ca-certificates-debian.conf b/modules/ssl/files/ca-certificates-debian.conf
index 0c23a14fc..a02c01294 100644
--- a/modules/ssl/files/ca-certificates-debian.conf
+++ b/modules/ssl/files/ca-certificates-debian.conf
@@ -1,5 +1,8 @@
 # This file is under puppet control
 # Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
-mozilla/AddTrust_External_Root.crt
+
+# Let's Encrypt: used by almost all Debian machines
+mozilla/ISRG_Root_X1.crt
+
+# Gandi: used by *.alioth.d.o only
 mozilla/UTN_USERFirst_Hardware_Root_CA.crt
-mozilla/DST_Root_CA_X3.crt
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 9e900bec1..37d18c18a 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
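Review bot: Dropping `mozilla/DST_Root_CA_X3.crt` in favour of `mozilla/ISRG_Root_X1.crt` alone makes validation depend on which intermediate each debian.org service actually sends, not only on which root is shorter to chain to. As far as I know, the chain Let's Encrypt handed out by default at this time was the intermediate cross-signed by DST Root CA X3; a verifier whose store holds only ISRG Root X1 cannot complete that chain and the connection fails, even though the commit message reasons that ISRG "has less intermediate CAs". Before this reaches jessie and newer, the served chain of a representative debian.org host should be verified against exactly this store, and if it is still the DST-signed path, `mozilla/DST_Root_CA_X3.crt` should stay listed until the services switch chains. A one-line comment recording that dependency would also help the next person, e.g. `# NOTE: only valid while debian.org hosts serve the ISRG-signed intermediate; otherwise DST_Root_CA_X3 is still needed`.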
@@ -19,9 +19,14 @@ class ssl {
 source => 'puppet:///modules/ssl/ca-certificates.conf',
 notify => Exec['refresh_normal_hashes'],
 }
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
+ $ca_debian_conf_suffix = ''
+ } else {
+ $ca_debian_conf_suffix = 'wheezy'
+ }
 file { '/etc/ca-certificates-debian.conf':
 mode => '0444',
- source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+ source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf",
 notify => Exec['refresh_ca_debian_hashes'],
 }
 file { '/etc/ca-certificates-global.conf':
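Review bot: The interpolated source path does not match the file this commit adds: with `$ca_debian_conf_suffix = 'wheezy'` the URL becomes `puppet:///modules/ssl/ca-certificates-debianwheezy.conf`, whereas the new file is `modules/ssl/files/ca-certificates-debian-wheezy.conf`, so every wheezy host will fail the `/etc/ca-certificates-debian.conf` file resource (missing source) and, since that resource notifies `Exec['refresh_ca_debian_hashes']`, the ca-debian store will never be refreshed there. The smallest fix is to carry the hyphen in the value, `$ca_debian_conf_suffix = '-wheezy'`, which keeps the jessie-and-newer case resolving to the unchanged `ca-certificates-debian.conf`. The `else` branch also selects the wheezy variant for any host where `$::lsbmajdistrelease` is unset or unparseable, which may be intended as the conservative default but is worth a comment such as `# anything not known to be >= jessie (8) gets the wheezy store`. The `class ssl` body begins and ends outside this hunk.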