From f35f47969e10aeeaf6a48ad2a0f4dbde1f2f9de3 Mon Sep 17 00:00:00 2001
From: Paul Wise
Date: Sat, 25 Mar 2017 14:52:02 +0800
Subject: [PATCH] Update configuration for SSL ca-debian cert store

Remove AddTrust as it isn't used any more. Switch from the DST root CA to ISRG on jessie and newer for Let's Encrypt since it has less intermediate CAs. The ISRG root isn't available in wheezy ca-certificates. Document why each CA cert is being used with comments.
---
 modules/ssl/files/ca-certificates-debian-wheezy.conf | 10 ++++++++++
 modules/ssl/files/ca-certificates-debian.conf | 7 +++++--
 modules/ssl/manifests/init.pp | 7 ++++++-
 3 files changed, 21 insertions(+), 3 deletions(-)
 create mode 100644 modules/ssl/files/ca-certificates-debian-wheezy.conf

diff --git a/modules/ssl/files/ca-certificates-debian-wheezy.conf b/modules/ssl/files/ca-certificates-debian-wheezy.conf
new file mode 100644
index 000000000..870aac54a
--- /dev/null
+++ b/modules/ssl/files/ca-certificates-debian-wheezy.conf
@@ -0,0 +1,10 @@
+# This file is under puppet control
+# Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
+
+# Let's Encrypt: used by almost all Debian machines
+# Use the DST root as the ISRG one is not in wheezy yet
+#mozilla/ISRG_Root_X1.crt
+mozilla/DST_Root_CA_X3.crt
+
+# Gandi: used by *.alioth.d.o only
+mozilla/UTN_USERFirst_Hardware_Root_CA.crt
diff --git a/modules/ssl/files/ca-certificates-debian.conf b/modules/ssl/files/ca-certificates-debian.conf
index 0c23a14fc..a02c01294 100644
--- a/modules/ssl/files/ca-certificates-debian.conf
+++ b/modules/ssl/files/ca-certificates-debian.conf
@@ -1,5 +1,8 @@
 # This file is under puppet control
 # Only the CAs for debian.org are trusted, see /etc/ssl/ca-debian/README
-mozilla/AddTrust_External_Root.crt
+
+# Let's Encrypt: used by almost all Debian machines
+mozilla/ISRG_Root_X1.crt
+
+# Gandi: used by *.alioth.d.o only
 mozilla/UTN_USERFirst_Hardware_Root_CA.crt
-mozilla/DST_Root_CA_X3.crt
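Review bot: Removing `mozilla/DST_Root_CA_X3.crt` from the jessie-and-newer store means a Let's Encrypt chain only validates against this store if the intermediate served by the peer can be chained to ISRG Root X1; the commit message asserts fewer intermediates on that path, but nothing in the hunk shows which chain debian.org hosts actually serve, so this should be confirmed against a live host with a client restricted to the ca-debian store before rollout. The two added comments name the consumers (`# Let's Encrypt: used by almost all Debian machines`, `# Gandi: used by *.alioth.d.o only`), which is the right idea for a trust anchor list; it would be worth extending the README reference to also state that removals here only take effect after `Exec['refresh_ca_debian_hashes']` runs, since a stale hash directory would keep trusting the removed roots. The wheezy file in the previous hunk keeps `#mozilla/ISRG_Root_X1.crt` as a disabled entry, so the two files diverge only in that root; a one-line comment in the wheezy file saying it should be dropped once wheezy is retired would keep the two from drifting.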
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 9e900bec1..37d18c18a 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -19,9 +19,14 @@ class ssl {
 source => 'puppet:///modules/ssl/ca-certificates.conf',
 notify => Exec['refresh_normal_hashes'],
 }
+ if (versioncmp($::lsbmajdistrelease, '8') >= 0) {
+ $ca_debian_conf_suffix = ''
+ } else {
+ $ca_debian_conf_suffix = 'wheezy'
+ }
 file { '/etc/ca-certificates-debian.conf':
 mode => '0444',
- source => 'puppet:///modules/ssl/ca-certificates-debian.conf',
+ source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf",
 notify => Exec['refresh_ca_debian_hashes'],
 }
 file { '/etc/ca-certificates-global.conf':
-- 
2.20.1
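Review bot: The computed source path is missing the hyphen: with `$ca_debian_conf_suffix = 'wheezy'` the new line `source => "puppet:///modules/ssl/ca-certificates-debian${ca_debian_conf_suffix}.conf"` resolves to `ca-certificates-debianwheezy.conf`, while the file this commit adds is `modules/ssl/files/ca-certificates-debian-wheezy.conf`, so wheezy hosts would fail to fetch the file and keep whatever trust list they have now. The one-line fix is `$ca_debian_conf_suffix = '-wheezy'`. The branch on `versioncmp($::lsbmajdistrelease, '8')` also assumes the lsb fact is always populated; if it is ever undef on a host the comparison's outcome is not obvious from here and is worth confirming or guarding, since it silently selects which set of roots gets trusted. A short comment above the `if`, such as `# ISRG Root X1 is not shipped in wheezy's ca-certificates, so wheezy uses the DST-root variant`, would explain the split without reading the commit log. The enclosing `class ssl` begins before this hunk and continues after it.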