From 96cd3ed6d32efe39605dd9b661fa759c4600f6bf Mon Sep 17 00:00:00 2001
From: Julien Cristau <jcristau@debian.org>
Date: Sat, 31 Dec 2016 18:46:17 +0100
Subject: [PATCH] Remove TLSA record for remaining gandi certificates

---
 modules/roles/manifests/dbmaster.pp      | 1 +
 modules/roles/manifests/init.pp          | 1 +
 modules/roles/manifests/rtc.pp           | 1 +
 modules/roles/manifests/static_mirror.pp | 2 +-
 4 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/modules/roles/manifests/dbmaster.pp b/modules/roles/manifests/dbmaster.pp
index 56b7433fb..c45a1389a 100644
--- a/modules/roles/manifests/dbmaster.pp
+++ b/modules/roles/manifests/dbmaster.pp
@@ -14,6 +14,7 @@ class roles::dbmaster {
 
 	ssl::service { 'db.debian.org':
 		notify  => Exec['service apache2 reload'],
+		tlsaport => [],
 	}
 
 	roles::pubsub::config { 'generate':
diff --git a/modules/roles/manifests/init.pp b/modules/roles/manifests/init.pp
index aa8c2a058..d2527978e 100644
--- a/modules/roles/manifests/init.pp
+++ b/modules/roles/manifests/init.pp
@@ -45,6 +45,7 @@ class roles {
 	if has_role('bugs_base') {
 		ssl::service { 'bugs.debian.org':
 			notify  => Exec['service apache2 reload'],
+			tlsaport => [],
 		}
 	}
 	if has_role('bugs_master') {
diff --git a/modules/roles/manifests/rtc.pp b/modules/roles/manifests/rtc.pp
index 0888833ea..888b1137c 100644
--- a/modules/roles/manifests/rtc.pp
+++ b/modules/roles/manifests/rtc.pp
@@ -6,6 +6,7 @@ class roles::rtc {
 	}
 
 	ssl::service { 'sip-ws.debian.org':
+		tlsaport => [],
 	}
 
 	dnsextras::tlsa_record{ 'tlsa-xmpp':
diff --git a/modules/roles/manifests/static_mirror.pp b/modules/roles/manifests/static_mirror.pp
index 1e96951ad..de46c650a 100644
--- a/modules/roles/manifests/static_mirror.pp
+++ b/modules/roles/manifests/static_mirror.pp
@@ -81,7 +81,7 @@ class roles::static_mirror {
 		content => template('roles/apache-www.debian.org.erb'),
 	}
 
-	ssl::service { 'www.debian.org'      : ensure => "ifstatic", notify  => Exec['service apache2 reload'], }
+	ssl::service { 'www.debian.org'      : ensure => "ifstatic", notify  => Exec['service apache2 reload'], tlsaport => [], }
 
 	# do
 	ssl::service { 'appstream.debian.org'          : ensure => "ifstatic", notify  => Exec['service apache2 reload'], key => true, }
-- 
2.20.1