From: Julien Cristau Date: Fri, 6 Jan 2017 17:04:19 +0000 (+0100) Subject: Move {www.,}debian.org cert to LE, with separate certs X-Git-Url: https://git.adam-barratt.org.uk/?a=commitdiff_plain;h=fcd178e69f31c2bb35f10b6608b8799a69297f1d;p=mirror%2Fdsa-puppet.git Move {,}debian.org cert to LE, with separate certs --- diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp index df77c33e3..38bc685db 100644 --- a/modules/roles/manifests/static_mirror.pp +++ b/modules/roles/manifests/static_mirror.pp @@ -81,7 +81,12 @@ class roles::static_mirror { content => template('roles/apache-www.debian.org.erb'), } - ssl::service { 'www.debian.org' : ensure => "ifstatic", notify => Exec['service apache2 reload'], tlsaport => [], } + ssl::service { 'www.debian.org' : ensure => "ifstatic", notify => Exec['service apache2 reload'], key => true, } + ssl::service { 'debian.org' : + ensure => has_static_component('www.debian.org') ? { true => "present", false => "absent" }, + notify => Exec['service apache2 reload'], + key => true, + } # do ssl::service { 'appstream.debian.org' : ensure => "ifstatic", notify => Exec['service apache2 reload'], key => true, } diff --git a/modules/roles/templates/apache-www.debian.org.erb b/modules/roles/templates/apache-www.debian.org.erb index 2988fbe32..3077114a4 100644 --- a/modules/roles/templates/apache-www.debian.org.erb +++ b/modules/roles/templates/apache-www.debian.org.erb @@ -314,6 +314,6 @@ Redirect permanent / https://www.debian.org/ - Use common-debian-service-ssl www.debian.org + Use common-debian-service-ssl debian.org Use common-ssl-HSTS diff --git a/modules/ssl/files/chains/www.debian.org.crt b/modules/ssl/files/chains/www.debian.org.crt deleted file mode 120000 index 50d224a83..000000000 --- a/modules/ssl/files/chains/www.debian.org.crt +++ /dev/null @@ -1 +0,0 @@ -GANDI-2-CA \ No newline at end of file 
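Review bot: The new `ssl::service { 'debian.org' : ... }` resource has no comment explaining why its `ensure` is the selector `has_static_component('www.debian.org') ? { true => "present", false => "absent" }` rather than `"ifstatic"` like the neighbouring services. I would add one above it, such as `# debian.org has no static component of its own; install its cert and key wherever www.debian.org is served`. With `key => true` on both resources, each host serving www.debian.org presumably now holds two private keys instead of one, so key file ownership and mode matter on every static mirror (the `ssl::service` define is not visible here). Dropping `tlsaport => []` from `www.debian.org` presumably re-enables TLSA publication for that name, so confirm the TLSA record matches the new Let's Encrypt key before the Gandi certificate (Not After Jan 20 2017) is withdrawn. The class body continues outside the hunk.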
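Review bot: The vhost that now ends in `Use common-debian-service-ssl debian.org` will present a certificate that, going by the commit title, covers the apex name only, whereas the removed Gandi certificate listed both `DNS:debian.org` and `DNS:www.debian.org`. Its `ServerName`/`ServerAlias` lines are outside the hunk, so check that this vhost answers for no name other than `debian.org`; otherwise clients hit a name mismatch before they ever see the `Redirect permanent`. The macro also assumes the `debian.org` cert and key exist, which the manifest makes conditional on `has_static_component('www.debian.org')`, so if this template is rendered on hosts without that component the Apache config test would presumably fail on reload. A comment above the `Use` line, e.g. `# apex redirect vhost: uses the separate debian.org cert, not the www.debian.org one`, would keep the two names from being merged again by mistake.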
diff --git a/modules/ssl/files/servicecerts/www.debian.org.crt b/modules/ssl/files/servicecerts/www.debian.org.crt deleted file mode 100644 index 9cc058e60..000000000 --- a/modules/ssl/files/servicecerts/www.debian.org.crt +++ /dev/null 
@@ -1,118 +0,0 @@ -Certificate: - Data: - Version: 3 (0x2) - Serial Number: - 1b:fe:c8:2b:c0:1f:57:b6:3e:22:96:b4:9c:85:23:8b - Signature Algorithm: sha256WithRSAEncryption - Issuer: C=FR, ST=Paris, L=Paris, O=Gandi, CN=Gandi Standard SSL CA 2 - Validity - Not Before: Dec 11 00:00:00 2015 GMT - Not After : Jan 20 23:59:59 2017 GMT - Subject: OU=Domain Control Validated, OU=Gandi Standard SSL, CN=debian.org - Subject Public Key Info: - Public Key Algorithm: rsaEncryption - Public-Key: (3072 bit) - Modulus: - 00:e6:64:e5:b7:99:14:a1:9d:07:2f:e9:1a:0e:da: - 28:6e:13:8d:83:c2:87:e2:90:1b:bd:1f:12:4c:ca: - 1c:b6:3d:08:0d:c5:81:6f:8d:e2:01:76:74:7d:2d: - 04:6e:41:bf:f5:c5:8e:40:cf:c8:ed:46:b0:c8:ff: - 56:8b:53:b2:50:cf:5b:07:0f:5a:4e:b4:89:cf:d5: - 9e:de:db:a1:c9:b7:48:ff:1b:82:69:ef:97:64:93: - ab:9c:a0:57:03:4b:c7:e1:00:ca:db:5b:87:de:43: - 7f:eb:b8:46:8f:52:87:23:10:17:6f:f0:2e:bc:5c: - 3e:e6:7d:82:24:c7:1d:c0:d4:35:b6:bb:3b:74:6c: - de:f5:8d:07:a8:67:35:37:f3:a3:86:56:3c:bf:04: - ce:f9:09:28:04:4a:9d:a8:08:b1:77:81:7a:51:91: - 90:24:7e:2f:2b:6b:11:b5:cf:c6:c7:a3:57:95:01: - 00:25:4d:35:5a:c8:09:8a:67:c5:3d:0f:db:bd:06: - 65:78:7a:45:ff:cb:b0:ac:15:d0:d4:b7:a0:5e:45: - 09:da:71:39:4e:6c:a3:e7:1b:f7:55:1b:62:27:91: - 31:30:02:3f:d1:9c:b5:53:86:c0:dd:1d:05:28:72: - c7:cc:be:d2:09:17:76:2b:85:35:18:f3:09:db:67: - 9e:55:07:21:35:6a:f2:96:30:d2:8a:8f:6a:e4:78: - 6a:c4:fe:4e:9d:03:c6:16:49:a5:e4:2c:22:15:54: - c0:4e:23:82:fe:36:96:88:7e:01:50:cb:bd:4f:e2: - 50:1b:c5:fc:93:32:62:25:40:78:3f:ab:66:97:e8: - d7:51:96:87:23:fa:b6:20:fc:0a:ea:6b:8b:75:c7: - 5a:0c:67:4b:32:e1:a7:74:af:ff:1d:a6:7f:7e:ae: - 23:02:66:6c:8c:f0:7f:55:03:30:43:e8:85:cd:9f: - d0:00:9e:a5:4a:1c:7f:1f:52:06:2e:05:bc:0c:d3: - 51:6a:0b:fb:5a:a6:a4:5d:c7:31 - Exponent: 65537 (0x10001) - X509v3 extensions: - X509v3 Authority Key Identifier: - keyid:B3:90:A7:D8:C9:AF:4E:CD:61:3C:9F:7C:AD:5D:7F:41:FD:69:30:EA - - X509v3 Subject Key Identifier: - FE:E1:00:FF:AA:4F:A0:36:54:84:72:5D:42:0C:F4:E7:6F:BE:9F:D5 - 
X509v3 Key Usage: critical - Digital Signature, Key Encipherment - X509v3 Basic Constraints: critical - CA:FALSE - X509v3 Extended Key Usage: - TLS Web Server Authentication, TLS Web Client Authentication - X509v3 Certificate Policies: - Policy: 1.3.6.1.4.1.6449.1.2.2.26 - CPS: https://cps.usertrust.com - Policy: 2.23.140.1.2.1 - - X509v3 CRL Distribution Points: - - Full Name: - URI:http://crl.usertrust.com/GandiStandardSSLCA2.crl - - Authority Information Access: - CA Issuers - URI:http://crt.usertrust.com/GandiStandardSSLCA2.crt - OCSP - URI:http://ocsp.usertrust.com - - X509v3 Subject Alternative Name: - DNS:debian.org, DNS:www.debian.org - Signature Algorithm: sha256WithRSAEncryption - 6e:3a:cc:97:02:32:d2:45:9f:b7:8c:5e:99:c2:f0:e9:d4:84: - 72:1b:7b:f2:bd:38:6b:ab:ff:0f:76:94:96:ba:f8:5c:b2:5f: - 19:c5:b4:bb:bf:59:18:e7:e0:0f:17:8a:d9:f8:39:d0:bc:9a: - e7:e2:d2:be:03:fb:e8:f9:f9:01:d2:23:3c:29:58:54:28:43: - 3d:09:18:fe:60:53:dc:73:52:79:9d:7b:2c:44:e2:d9:48:c8: - 02:1b:08:2f:98:a0:e2:9a:1b:4a:96:ce:c9:af:10:73:e7:11: - af:ea:8b:8f:10:04:2c:e8:81:58:a9:99:ae:4a:f3:53:62:90: - ca:3d:1a:74:7c:ae:d4:e8:0b:3b:7f:5c:83:76:9f:f9:75:10: - 40:99:bd:a0:7e:9a:11:6e:db:d2:1d:1d:87:91:27:c0:dc:07: - 79:4c:e5:78:30:4d:0c:22:2b:72:fd:e0:71:a6:1c:4f:9e:ba: - 5a:13:c3:5e:be:b3:4f:ec:5b:9c:bd:dd:f1:85:1c:13:0a:23: - 65:a3:92:ac:24:bc:9f:41:4f:c9:ca:21:3f:51:9e:28:9b:8c: - a6:7d:e8:04:b2:d6:b7:be:be:00:a3:9d:64:1a:89:78:18:4d: - fa:4a:10:e8:c5:e9:6b:59:d4:14:bc:c8:e7:d6:d6:f9:7e:90: - 4e:fe:4d:bb ------BEGIN CERTIFICATE----- -MIIFbTCCBFWgAwIBAgIQG/7IK8AfV7Y+Ipa0nIUjizANBgkqhkiG9w0BAQsFADBf -MQswCQYDVQQGEwJGUjEOMAwGA1UECBMFUGFyaXMxDjAMBgNVBAcTBVBhcmlzMQ4w -DAYDVQQKEwVHYW5kaTEgMB4GA1UEAxMXR2FuZGkgU3RhbmRhcmQgU1NMIENBIDIw -HhcNMTUxMjExMDAwMDAwWhcNMTcwMTIwMjM1OTU5WjBVMSEwHwYDVQQLExhEb21h -aW4gQ29udHJvbCBWYWxpZGF0ZWQxGzAZBgNVBAsTEkdhbmRpIFN0YW5kYXJkIFNT -TDETMBEGA1UEAxMKZGViaWFuLm9yZzCCAaIwDQYJKoZIhvcNAQEBBQADggGPADCC 
-AYoCggGBAOZk5beZFKGdBy/pGg7aKG4TjYPCh+KQG70fEkzKHLY9CA3FgW+N4gF2 -dH0tBG5Bv/XFjkDPyO1GsMj/VotTslDPWwcPWk60ic/Vnt7bocm3SP8bgmnvl2ST -q5ygVwNLx+EAyttbh95Df+u4Ro9ShyMQF2/wLrxcPuZ9giTHHcDUNba7O3Rs3vWN -B6hnNTfzo4ZWPL8EzvkJKARKnagIsXeBelGRkCR+LytrEbXPxsejV5UBACVNNVrI -CYpnxT0P270GZXh6Rf/LsKwV0NS3oF5FCdpxOU5so+cb91UbYieRMTACP9GctVOG -wN0dBShyx8y+0gkXdiuFNRjzCdtnnlUHITVq8pYw0oqPauR4asT+Tp0DxhZJpeQs -IhVUwE4jgv42loh+AVDLvU/iUBvF/JMyYiVAeD+rZpfo11GWhyP6tiD8Cupri3XH -WgxnSzLhp3Sv/x2mf36uIwJmbIzwf1UDMEPohc2f0ACepUocfx9SBi4FvAzTUWoL -+1qmpF3HMQIDAQABo4IBrTCCAakwHwYDVR0jBBgwFoAUs5Cn2MmvTs1hPJ98rV1/ -Qf1pMOowHQYDVR0OBBYEFP7hAP+qT6A2VIRyXUIM9Odvvp/VMA4GA1UdDwEB/wQE -AwIFoDAMBgNVHRMBAf8EAjAAMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcD -AjBLBgNVHSAERDBCMDYGCysGAQQBsjEBAgIaMCcwJQYIKwYBBQUHAgEWGWh0dHBz -Oi8vY3BzLnVzZXJ0cnVzdC5jb20wCAYGZ4EMAQIBMEEGA1UdHwQ6MDgwNqA0oDKG -MGh0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNy -bDBzBggrBgEFBQcBAQRnMGUwPAYIKwYBBQUHMAKGMGh0dHA6Ly9jcnQudXNlcnRy -dXN0LmNvbS9HYW5kaVN0YW5kYXJkU1NMQ0EyLmNydDAlBggrBgEFBQcwAYYZaHR0 -cDovL29jc3AudXNlcnRydXN0LmNvbTAlBgNVHREEHjAcggpkZWJpYW4ub3Jngg53 -d3cuZGViaWFuLm9yZzANBgkqhkiG9w0BAQsFAAOCAQEAbjrMlwIy0kWft4xemcLw -6dSEcht78r04a6v/D3aUlrr4XLJfGcW0u79ZGOfgDxeK2fg50Lya5+LSvgP76Pn5 -AdIjPClYVChDPQkY/mBT3HNSeZ17LETi2UjIAhsIL5ig4pobSpbOya8Qc+cRr+qL -jxAELOiBWKmZrkrzU2KQyj0adHyu1OgLO39cg3af+XUQQJm9oH6aEW7b0h0dh5En -wNwHeUzleDBNDCIrcv3gcaYcT566WhPDXr6zT+xbnL3d8YUcEwojZaOSrCS8n0FP -ycohP1GeKJuMpn3oBLLWt76+AKOdZBqJeBhN+koQ6MXpa1nUFLzI59bW+X6QTv5N -uw== ------END CERTIFICATE-----