From a832220b134218ea09f160f7ad11c7a502233c65 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Mon, 7 Mar 2016 21:53:49 +0100
Subject: [PATCH] install ssl hostkey into /etc/ssl/private instead of /etc/ssl/debian/keys

---
 .../templates/default-debian.org-ssl.erb | 2 +-
 modules/bacula/manifests/init.pp | 4 +--
 modules/roles/manifests/pubsub.pp | 2 +-
 modules/ssl/manifests/init.pp | 30 +++++++++++--------
 modules/stunnel4/manifests/generic.pp | 2 +-
 modules/stunnel4/templates/stunnel.conf.erb | 2 +-
 .../syslog-ng/templates/syslog-ng.conf.erb | 6 ++--
 7 files changed, 26 insertions(+), 22 deletions(-)

diff --git a/modules/apache2/templates/default-debian.org-ssl.erb b/modules/apache2/templates/default-debian.org-ssl.erb
index a32936015..081eb4227 100644
--- a/modules/apache2/templates/default-debian.org-ssl.erb
+++ b/modules/apache2/templates/default-debian.org-ssl.erb
@@ -8,7 +8,7 @@ ServerAdmin debian-admin@debian.org
 SSLEngine on
 SSLCertificateFile /etc/ssl/debian/certs/thishost-server.crt
- SSLCertificateKeyFile /etc/ssl/debian/keys/thishost-server.key
+ SSLCertificateKeyFile /etc/ssl/private/thishost-server.key
 SSLCertificateChainFile /etc/ssl/debian/certs/ca.crt
 ErrorLog /var/log/apache2/error.log
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index 0cf33bdc4..b9d005b47 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -30,9 +30,9 @@ class bacula {
 $bacula_ca_path = '/etc/ssl/debian/certs/ca.crt'
 $bacula_ssl_client_cert = '/etc/ssl/debian/certs/thishost.crt'
- $bacula_ssl_client_key = '/etc/ssl/debian/keys/thishost.key'
+ $bacula_ssl_client_key = '/etc/ssl/private/thishost.key'
 $bacula_ssl_server_cert = '/etc/ssl/debian/certs/thishost-server.crt'
- $bacula_ssl_server_key = '/etc/ssl/debian/keys/thishost-server.key'
+ $bacula_ssl_server_key = '/etc/ssl/private/thishost-server.key'
 file { '/usr/local/sbin/bacula-idle-restart':
 mode => '0555',
diff --git a/modules/roles/manifests/pubsub.pp b/modules/roles/manifests/pubsub.pp
index 9134df065..38b55f718 100644
--- a/modules/roles/manifests/pubsub.pp
+++ b/modules/roles/manifests/pubsub.pp
@@ -19,7 +19,7 @@ class roles::pubsub {
 ssl => true,
 ssl_cacert => '/etc/ssl/debian/certs/ca.crt',
 ssl_cert => '/etc/ssl/debian/certs/thishost-server.crt',
- ssl_key => '/etc/ssl/debian/keys/thishost-server.key',
+ ssl_key => '/etc/ssl/private/thishost-server.key',
 ssl_port => 5671,
 ssl_verify => 'verify_none',
 manage_repos => false,
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 5aedfbc9f..8ffe495de 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -92,22 +92,10 @@ class ssl {
 ensure => directory,
 mode => '0755',
 }
- file { '/etc/ssl/debian/keys':
- ensure => directory,
- mode => '0750',
- group => ssl-cert,
- require => Package['ssl-cert'],
- }
 file { '/etc/ssl/debian/certs/thishost.crt':
 source => "puppet:///modules/ssl/clientcerts/${::fqdn}.client.crt",
 notify => Exec['refresh_debian_hashes'],
 }
- file { '/etc/ssl/debian/keys/thishost.key':
- source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
- mode => '0440',
- group => ssl-cert,
- require => Package['ssl-cert'],
- }
 file { '/etc/ssl/debian/certs/ca.crt':
 source => 'puppet:///modules/ssl/clientcerts/ca.crt',
 notify => Exec['refresh_debian_hashes'],
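Review bot: Removing the resources for `/etc/ssl/debian/keys` and `/etc/ssl/debian/keys/thishost.key` takes them out of Puppet's management but leaves the private keys already deployed there on every host, and the `ensure => absent` stanzas for these paths in the next hunk of this file are commented out, so a second, now-unmanaged copy of each host key stays on disk indefinitely. If the clean-up is deliberately deferred until every consumer reads from `/etc/ssl/private`, record that next to the commented block, e.g. `# TODO: uncomment once all consumers use /etc/ssl/private`; otherwise enable those stanzas now, with `force => true` on the directory resource so the non-empty directory is actually removed. The enclosing `class ssl` continues outside the hunk.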
@@ -119,7 +107,23 @@ class ssl {
 source => "puppet:///modules/exim/certs/${::fqdn}.crt",
 notify => Exec['refresh_debian_hashes'],
 }
- file { '/etc/ssl/debian/keys/thishost-server.key':
+
+ #file { '/etc/ssl/debian/keys/thishost.key':
+ # ensure => absent,
+ #}
+ #file { '/etc/ssl/debian/keys/thishost-server.key':
+ # ensure => absent,
+ #}
+ #file { '/etc/ssl/debian/keys':
+ # ensure => absent,
+ #}
+ file { '/etc/ssl/private/thishost.key':
+ source => "puppet:///modules/ssl/clientcerts/${::fqdn}.key",
+ mode => '0440',
+ group => ssl-cert,
+ require => Package['ssl-cert'],
+ }
+ file { '/etc/ssl/private/thishost-server.key':
 source => "puppet:///modules/exim/certs/${::fqdn}.key",
 mode => '0440',
 group => ssl-cert,
diff --git a/modules/stunnel4/manifests/generic.pp b/modules/stunnel4/manifests/generic.pp
index 9c357096c..f7b556b14 100644
--- a/modules/stunnel4/manifests/generic.pp
+++ b/modules/stunnel4/manifests/generic.pp
@@ -9,7 +9,7 @@ define stunnel4::generic ($client, $verify, $cafile, $accept, $connect, $crlfile
 if $client {
 $certfile = '/etc/ssl/debian/certs/thishost.crt'
- $keyfile = '/etc/ssl/debian/keys/thishost.key'
+ $keyfile = '/etc/ssl/private/thishost.key'
 } else {
 $certfile = '/etc/exim4/ssl/thishost.crt'
 $keyfile = '/etc/exim4/ssl/thishost.key'
diff --git a/modules/stunnel4/templates/stunnel.conf.erb b/modules/stunnel4/templates/stunnel.conf.erb
index 829b77a14..d2a3258ae 100644
--- a/modules/stunnel4/templates/stunnel.conf.erb
+++ b/modules/stunnel4/templates/stunnel.conf.erb
@@ -5,7 +5,7 @@
 <%- if client -%>
 cert = /etc/ssl/debian/certs/thishost.crt
-key = /etc/ssl/debian/keys/thishost.key
+key = /etc/ssl/private/thishost.key
 <%- else -%>
 cert = /etc/exim4/ssl/thishost.crt
 key = /etc/exim4/ssl/thishost.key
diff --git a/modules/syslog-ng/templates/syslog-ng.conf.erb b/modules/syslog-ng/templates/syslog-ng.conf.erb
index 98c2fb2fe..c5a881e6f 100644
--- a/modules/syslog-ng/templates/syslog-ng.conf.erb
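Review bot: The new `File['/etc/ssl/private/thishost.key']` and `File['/etc/ssl/private/thishost-server.key']` resources carry no `notify`, and none of the consumers switched in this patch (apache, bacula, pubsub, stunnel4, syslog-ng) show a `require` on them, so in the run that applies this change a service can be reconfigured or restarted before its key exists at the new path; unless that ordering is established elsewhere (for example a class-level dependency on `Class['ssl']`), add `require => Class['ssl']` at the consumers or `before`/`notify` relationships on these two resources. Nothing in this class manages `/etc/ssl/private` itself, it relies on the ssl-cert package having created it with restrictive permissions, whereas the removed `/etc/ssl/debian/keys` resource enforced `mode => '0750'`; a `file { '/etc/ssl/private': ensure => directory, mode => '0710', group => 'ssl-cert', require => Package['ssl-cert'] }` (mirroring what the package sets, as far as I recall) would keep that guarantee under Puppet control. The `thishost-server.key` resource continues past the end of the hunk.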
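Review bot: The client key path is declared twice, as `$keyfile` in the `stunnel4::generic` hunk and hardcoded again in the `stunnel.conf.erb` hunk, which is why this change needed two edits in one module and why the two can drift; if the template is rendered from that define, `cert = <%= @certfile %>` and `key = <%= @keyfile %>` would let the manifest be the single source of truth (the same applies to the exim4 branch). Both the define and the `if client` block continue outside their hunks.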
+++ b/modules/syslog-ng/templates/syslog-ng.conf.erb
@@ -399,7 +399,7 @@ log {
 <%- if hostname != "lotti" -%>
 destination loghost-lotti {
 tcp("lotti.debian.org" port (5140)
- tls( key_file("/etc/ssl/debian/keys/thishost.key")
+ tls( key_file("/etc/ssl/private/thishost.key")
 cert_file("/etc/ssl/debian/certs/thishost.crt")
 ca_dir("/etc/ssl/debian/certs/")
 )
@@ -409,7 +409,7 @@ destination loghost-lotti {
 <%- if hostname != "lully" -%>
 destination loghost-lully {
 tcp("lully.debian.org" port (5140)
- tls( key_file("/etc/ssl/debian/keys/thishost.key")
+ tls( key_file("/etc/ssl/private/thishost.key")
 cert_file("/etc/ssl/debian/certs/thishost.crt")
 ca_dir("/etc/ssl/debian/certs/")
 )
@@ -419,7 +419,7 @@ destination loghost-lully {
 <%- if hostname != "loghost-grnet-01" -%>
 destination loghost-loghost-grnet-01 {
 tcp("loghost-grnet-01.debian.org" port (5140)
- tls( key_file("/etc/ssl/debian/keys/thishost.key")
+ tls( key_file("/etc/ssl/private/thishost.key")
 cert_file("/etc/ssl/debian/certs/thishost.crt")
 ca_dir("/etc/ssl/debian/certs/")
 )
-- 
2.20.1
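Review bot: The same client key path is now repeated in three identical `tls(...)` blocks (the hunks at -399, -409 and -419), so the next key move again needs three coordinated edits in this template; hoist it once near the top of the template, e.g. `<%- key_file = "/etc/ssl/private/thishost.key" -%>`, and write `tls( key_file("<%= key_file %>")` in each block, or better, take the path from a manifest variable so it is defined once next to the `file` resource that deploys the key. Each `destination` block continues outside its hunk.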