From 20b6f788fe5f8a96ec11f1c0b1a84219d219a75a Mon Sep 17 00:00:00 2001
From: Paul Wise
Date: Tue, 2 Jun 2015 13:17:59 +0800
Subject: [PATCH] Merge the SSL README files into one file in /etc/ssl/ Having individual README files in the CA dirs upsets wget: ERROR: Failed to open cert /etc/ssl/ca-debian/README: (0).
---
 modules/samhain/templates/samhainrc.erb | 1 +
 modules/ssl/files/README | 44 +++++++++++++++++++++++++
 modules/ssl/files/README.ca-debian | 13 --------
 modules/ssl/files/README.ca-global | 13 --------
 modules/ssl/files/README.certs | 8 -----
 modules/ssl/manifests/init.pp | 13 ++++----
 6 files changed, 52 insertions(+), 40 deletions(-)
 create mode 100644 modules/ssl/files/README
 delete mode 100644 modules/ssl/files/README.ca-debian
 delete mode 100644 modules/ssl/files/README.ca-global
 delete mode 100644 modules/ssl/files/README.certs
diff --git a/modules/samhain/templates/samhainrc.erb b/modules/samhain/templates/samhainrc.erb
index 09903f656..514c26797 100644
--- a/modules/samhain/templates/samhainrc.erb
+++ b/modules/samhain/templates/samhainrc.erb
@@ -455,6 +455,7 @@ dir=3/etc/facter
 file=/etc/ferm/conf.d/me.conf
 file=/etc/ferm/conf.d/defs.conf
 file=/etc/ferm/ferm.conf
+file=/etc/ssl/README
 dir=2/etc/ssl/debian
 dir=1/etc/ssl/certs
 dir=1/etc/ssl/ca-debian
diff --git a/modules/ssl/files/README b/modules/ssl/files/README
new file mode 100644
index 000000000..b87d282fd
--- /dev/null
+++ b/modules/ssl/files/README
@@ -0,0 +1,44 @@
+/------------------------------------------------------------------------------
+| /etc/ssl/certs
+
+The purpose of this directory is to allow verification of service certificates
+for debian.org services by software that is able to properly verify service
+certificates that are available in the default certificate store.
+
+Please *use it* in preference to other certificate stores when possible.
+
+/------------------------------------------------------------------------------
+| /etc/ssl/ca-debian
+
+This directory contains the certificate(s) for the certificate authorities
+that have signed current service certificates for debian.org services.
+
+The purpose of this directory is to allow verification of service certificates
+for debian.org services by software that is unable to properly verify service
+certificates that are available in the default certificate store.
+
+Please *do not* use it for verification of debian.org service certificates
+unless the software you are using is buggy and there is no other alternative.
+Please *file bugs* on any software that you find that needs to use this
+directory and usertag those bugs using this bts command:
+
+bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team
+
+/------------------------------------------------------------------------------
+| /etc/ssl/ca-global
+
+This directory contains all of the certificates for certificate authorities
+trusted by the ca-certificates Debian package, which is mostly a copy
+of the certificates trusted by the Mozilla certificate store.
+
+The purpose of this directory is to allow verification of certificates from
+a wide variety of external services on the global Internet that could
+change their certificate at any time and could change their certificate
+signing authority at any time.
+
+Please *do not* use it for verification of debian.org service certificates.
+
+Please *do not* use it for verification of certificates when pinning to a
+specific service certificate or certificate authority is a viable option.
+This directory *only* contains the certificate(s) for the current service
+certificates for debian.org services.
diff --git a/modules/ssl/files/README.ca-debian b/modules/ssl/files/README.ca-debian
deleted file mode 100644
index 316bd8d32..000000000
--- a/modules/ssl/files/README.ca-debian
+++ /dev/null
@@ -1,13 +0,0 @@
-This directory contains the certificate(s) for the certificate authorities
-that have signed current service certificates for debian.org services.
-
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is unable to properly verify service
-certificates that are available in the default certificate store.
-
-Please *do not* use it for verification of debian.org service certificates
-unless the software you are using is buggy and there is no other alternative.
-Please *file bugs* on any software that you find that needs to use this
-directory and usertag those bugs using this bts command:
-
-bts user debian-admin@lists.debian.org , usertags 123456 + needed-by-DSA-Team
diff --git a/modules/ssl/files/README.ca-global b/modules/ssl/files/README.ca-global
deleted file mode 100644
index 5fb1778f0..000000000
--- a/modules/ssl/files/README.ca-global
+++ /dev/null
@@ -1,13 +0,0 @@
-This directory contains all of the certificates for certificate authorities
-trusted by the ca-certificates Debian package, which is mostly a copy
-of the certificates trusted by the Mozilla certificate store.
-
-The purpose of this directory is to allow verification of certificates from
-a wide variety of external services on the global Internet that could
-change their certificate at any time and could change their certificate
-signing authority at any time.
-
-Please *do not* use it for verification of debian.org service certificates.
-
-Please *do not* use it for verification of certificates when pinning to a
-specific service certificate or certificate authority is a viable option.
diff --git a/modules/ssl/files/README.certs b/modules/ssl/files/README.certs
deleted file mode 100644
index edf4cc67b..000000000
--- a/modules/ssl/files/README.certs
+++ /dev/null
@@ -1,8 +0,0 @@
-This directory *only* contains the certificate(s) for the current service
-certificates for debian.org services.
-
-The purpose of this directory is to allow verification of service certificates
-for debian.org services by software that is able to properly verify service
-certificates that are available in the default certificate store.
-
-Please *use it* in preference to other certificate stores when possible.
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 17d028509..5aedfbc9f 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,6 +11,10 @@ class ssl {
 ensure => installed,
 }
 
+ file { '/etc/ssl/README':
+ mode => '0444',
+ source => 'puppet:///modules/ssl/README',
+ }
 file { '/etc/ca-certificates.conf':
 source => 'puppet:///modules/ssl/ca-certificates.conf',
 notify => Exec['refresh_normal_hashes'],
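Review bot: The new `file { '/etc/ssl/README': ... }` resource sets only `mode` and `source`, so the file's type and ownership depend on defaults that this hunk does not show. For a file under `/etc/ssl` that the same commit adds to the samhain watch list, I would pin them explicitly with `ensure => file,`, `owner => 'root',` and `group => 'root',`, unless a global `File` default already does so (not visible here). The `class ssl` body starts before and continues after this hunk.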
@@ -56,24 +60,21 @@ class ssl {
 notify => Exec['refresh_normal_hashes'],
 }
 file { '/etc/ssl/certs/README':
- mode => '0444',
- source => 'puppet:///modules/ssl/README.certs',
+ ensure => absent,
 }
 file { '/etc/ssl/ca-debian':
 ensure => directory,
 mode => '0755',
 }
 file { '/etc/ssl/ca-debian/README':
- mode => '0444',
- source => 'puppet:///modules/ssl/README.ca-debian',
+ ensure => absent,
 }
 file { '/etc/ssl/ca-global':
 ensure => directory,
 mode => '0755',
 }
 file { '/etc/ssl/ca-global/README':
- mode => '0444',
- source => 'puppet:///modules/ssl/README.ca-global',
+ ensure => absent,
 }
 file { '/etc/ssl/debian':
 ensure => directory,
-- 
2.20.1
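Review bot: The three `ensure => absent` resources for `/etc/ssl/certs/README`, `/etc/ssl/ca-debian/README` and `/etc/ssl/ca-global/README` carry no comment saying why a README must not exist there, so a later edit could reintroduce one. I would add above the first of them something like `# CA directories must hold only certificates: a README here makes wget fail to load the store; see /etc/ssl/README. Drop these once all hosts have converged.` These resources remove only the three known files; nothing in the visible lines stops other non-certificate files from appearing in `ca-debian` or `ca-global`, so that invariant may be worth checking elsewhere in the class. The `class ssl` body starts before this hunk and the last resource, `/etc/ssl/debian`, continues past it.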