Faidon Liambotis has uploaded a new change for review.
https://gerrit.wikimedia.org/r/197340
Change subject: sslcert: add sslcert::chainedcert
......................................................................
sslcert: add sslcert::chainedcert
Create a new definition responsible for generating chained
certificates. It replaces the old create_chained_cert definition that
lived in certs.pp.
Change-Id: Ib99bd2e05e0bb6cb8126b6d2313148f7a3ec67b0
---
M manifests/certs.pp
A modules/sslcert/manifests/chainedcert.pp
2 files changed, 59 insertions(+), 32 deletions(-)
git pull ssh://gerrit.wikimedia.org:29418/operations/puppet
refs/changes/40/197340/1
diff --git a/manifests/certs.pp b/manifests/certs.pp
index 53ed213..1f5f3df 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -1,34 +1,3 @@
-define create_chained_cert(
- $ca,
- $certname = $name,
- $user = 'root',
- $group = 'ssl-cert',
- $location = '/etc/ssl/localcerts',
-) {
- # chained cert, used when needing to provide
- # an entire certificate chain to a client
- # NOTE: This is annoying because to work right regardless of whether
- # the root CA comes from the OS or us, we need to use the /etc/ssl/certs/
- # linkfarm so filenames need to use '*.pem'.
-
- exec { "${name}_create_chained_cert":
- creates => "${location}/${certname}.chained.crt",
- command => "/bin/cat /etc/ssl/localcerts/${certname}.crt ${ca} >
${location}/${certname}.chained.crt",
- cwd => '/etc/ssl/certs',
- require => [Package['openssl'],
- File["/etc/ssl/localcerts/${certname}.crt"],
- ],
- }
- # Fix permissions on the chained file, and make it available as
- file { "${location}/${certname}.chained.crt":
- ensure => 'file',
- mode => '0444',
- owner => $user,
- group => $group,
- require => Exec["${name}_create_chained_cert"],
- }
-}
-
define install_certificate(
$group = 'ssl-cert',
$ca = '',
@@ -72,9 +41,10 @@
default => 'wmf-ca.pem',
}
}
- create_chained_cert{ $name:
+ sslcert::chainedcert { $name:
ca => $cas,
}
+
}
class certificates::base {
diff --git a/modules/sslcert/manifests/chainedcert.pp
b/modules/sslcert/manifests/chainedcert.pp
new file mode 100644
index 0000000..a952e42
--- /dev/null
+++ b/modules/sslcert/manifests/chainedcert.pp
@@ -0,0 +1,57 @@
+# == Define: sslcert::chainedcert
+#
+# Creates a X.509 certificate chain based on an existing certificate on the
+# system. Implicitly depends on sslcert::certificate.
+#
+# The chained certificate is written to /etc/ssl/localcerts as
+# ${title}.chained.crt. The chain is constructed automatically, up to a
+# self-signed CA as found in the /etc/ssl/certs system directory. If multiple
+# paths to a CA exist -as is the case with cross-signed authorities- the
+# shortest path is picked. The top-most certificate (root CA) is NOT included,
+# to minimize the size's chain for performance reasons, with no loss of
+# usability.
+#
+# === Parameters
+#
+# [*ensure*]
+# If 'present', the certificate chain will be installed; if 'absent', it
+# will be removed. The default is 'present'.
+#
+# === Examples
+#
+# sslcert::chainedcert { 'pinkunicorn.wikimedia.org':
+# ensure => present,
+# }
+#
+
+define sslcert::chainedcert(
+ $ca,
+ $ensure=present,
+ $group='ssl-cert',
+) {
+ require sslcert
+
+ validate_ensure($ensure)
+
+ if $ensure == 'present' {
+ exec { "${title}_create_chained_cert":
+ creates => "/etc/ssl/localcerts/${title}.chained.crt",
+ command => "/bin/cat /etc/ssl/localcerts/${title}.crt ${ca} >
/etc/ssl/localcerts/${title}.chained.crt",
+ cwd => '/etc/ssl/certs',
+ require => Sslcert::Certificate[$title],
+ }
+
+ # set owner/group/permissions on the chained file
+ file { "/etc/ssl/localcerts/${title}.chained.crt":
+ ensure => $ensure,
+ mode => '0444',
+ owner => 'root',
+ group => $group,
+ require => Exec["${title}_create_chained_cert"],
+ }
+ } else {
+ file { "/etc/ssl/localcerts/${title}.chained.crt":
+ ensure => $ensure,
+ }
+ }
+}
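Review bot: The `creates => "/etc/ssl/localcerts/${title}.chained.crt"` guard on the exec means the chain is assembled once and never rebuilt, so when Sslcert::Certificate[$title] is renewed or `$ca` changes the stale .chained.crt stays on disk and keeps being served; one way out is to have the exec re-run on certificate change, e.g. replace `creates` with `subscribe => Sslcert::Certificate[$title], refreshonly => true,` (or keep `creates` and add an `unless` that compares the existing file against the freshly concatenated output), with the trade-off noted in a comment. The header comment also promises more than the code delivers: it describes an automatically constructed chain with shortest-path selection and root-CA exclusion, while the command is a plain `cat` of the certificate followed by whatever `$ca` the caller passes, resolved relative to the `cwd => '/etc/ssl/certs'` linkfarm — the description should say so, and `$ca` (required) and `$group` belong in the Parameters section next to `ensure`. Because of the `>` redirect the command string is evaluated by a shell, so `$ca` is effectively a space-separated list of filenames; a short comment on the `command` line stating that contract (and that the values come from the manifests, not from end-user input) would help the next reader.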
--
To view, visit https://gerrit.wikimedia.org/r/197340
Gerrit-MessageType: newchange
Gerrit-Change-Id: Ib99bd2e05e0bb6cb8126b6d2313148f7a3ec67b0
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>