BBlack has submitted this change and it was merged.
Change subject: Tree-wide certificate path replacement, localcerts
......................................................................
Tree-wide certificate path replacement, localcerts
Replace all occurrences of
/etc/ssl/certs/NAME.pem
with
/etc/ssl/localcerts/NAME.crt
The latter exists since a5ccbf7118cbf9ea6a7827588c415de7a409fec5 and is
more correct, as the /etc/ssl/certs path is really the CA store in
Debian/Ubuntu systems. Move all references there, with a goal of
removing the compatibility symlinks placed by that commit above.
Change-Id: I0aa91d8658b19d44154ec4a0f94b48940afeb908
---
M manifests/role/openldap.pp
M modules/dynamicproxy/templates/domainproxy.conf
M modules/dynamicproxy/templates/urlproxy.conf
M modules/ganglia_new/manifests/web.pp
M modules/gerrit/templates/gerrit.wikimedia.org.erb
M modules/openstack/manifests/nova/compute.pp
M modules/openstack/templates/common/nova/libvirtd.conf.erb
M modules/protoproxy/templates/localssl.erb
M modules/protoproxy/templates/proxy.erb
M modules/rcstream/templates/rcstream.nginx.erb
M modules/requesttracker/templates/rt4.apache.erb
M modules/subversion/templates/apache/svn.wikimedia.org.erb
M modules/toollabs/templates/static-server.conf.erb
M modules/webserver/manifests/apache/site.pp
M templates/apache/sites/ticket.wikimedia.org.erb
M templates/apache/sites/wikitech.wikimedia.org.erb
16 files changed, 17 insertions(+), 17 deletions(-)
Approvals:
BBlack: Looks good to me, approved
jenkins-bot: Verified
diff --git a/manifests/role/openldap.pp b/manifests/role/openldap.pp
index b2b31aa..ef095b6 100644
--- a/manifests/role/openldap.pp
+++ b/manifests/role/openldap.pp
@@ -25,7 +25,7 @@
master => $master,
sync_pass => $sync_pass,
ca => '/etc/ssl/certs/ca-certificates.crt',
- certificate => "/etc/ssl/certs/ldap-mirror.wikimedia.org.pem",
+ certificate => "/etc/ssl/localcerts/ldap-mirror.wikimedia.org.crt",
key => "/etc/ssl/private/ldap-mirror.wikimedia.org.key",
}
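Review bot: The new `certificate` value is a double-quoted string with no interpolation, while the `ca` line directly above it uses single quotes. puppet-lint flags this, and single quotes make it plain that nothing is interpolated into a TLS path; I would write `certificate => '/etc/ssl/localcerts/ldap-mirror.wikimedia.org.crt',`. The resource starts above the hunk, so whether it is ordered after the certificate's deployment cannot be checked from here.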
diff --git a/modules/dynamicproxy/templates/domainproxy.conf
b/modules/dynamicproxy/templates/domainproxy.conf
index 08f28fc..833f224 100644
--- a/modules/dynamicproxy/templates/domainproxy.conf
+++ b/modules/dynamicproxy/templates/domainproxy.conf
@@ -36,7 +36,7 @@
# Serve both HTTP and HTTPS
listen 443 default_server ssl spdy;
- ssl_certificate /etc/ssl/certs/<%= @ssl_certificate_name %>.chained.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
# Copied from templates/nginx/nginx.conf.erb. Eugh
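Review bot: The new `ssl_certificate` path assumes a `NAME.chained.crt` bundle is deployed under /etc/ssl/localcerts, but the commit message only states that `/etc/ssl/localcerts/NAME.crt` exists since the referenced commit. If the chained bundle is missing on any host rendering this template, nginx will reject the configuration on its next reload or restart and the TLS listener goes down with it. The same assumption is made by the `.chained.crt` lines in urlproxy.conf, localssl.erb, proxy.erb, static-server.conf.erb and ticket.wikimedia.org.erb. I would confirm the bundle is written there and record the dependency next to the directive, e.g. `# needs /etc/ssl/localcerts/<name>.chained.crt deployed before nginx reloads`. The enclosing server block starts and ends outside the hunk.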
diff --git a/modules/dynamicproxy/templates/urlproxy.conf
b/modules/dynamicproxy/templates/urlproxy.conf
index 6b2dbcf..9f334ca 100644
--- a/modules/dynamicproxy/templates/urlproxy.conf
+++ b/modules/dynamicproxy/templates/urlproxy.conf
@@ -36,7 +36,7 @@
# Serve both HTTP and HTTPS
listen 443 default_server ssl spdy;
- ssl_certificate /etc/ssl/certs/<%= @ssl_certificate_name %>.chained.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
# Copied from templates/nginx/nginx.conf.erb. Eugh
diff --git a/modules/ganglia_new/manifests/web.pp
b/modules/ganglia_new/manifests/web.pp
index 5ce4a34..0c6d726 100644
--- a/modules/ganglia_new/manifests/web.pp
+++ b/modules/ganglia_new/manifests/web.pp
@@ -12,7 +12,7 @@
$ganglia_servername = 'ganglia.wikimedia.org'
$ganglia_serveralias = 'uranium.wikimedia.org'
$ganglia_webdir = '/usr/share/ganglia-webfrontend'
- $ganglia_ssl_cert = '/etc/ssl/certs/ganglia.wikimedia.org.pem'
+ $ganglia_ssl_cert = '/etc/ssl/localcerts/ganglia.wikimedia.org.crt'
$ganglia_ssl_key = '/etc/ssl/private/ganglia.wikimedia.org.key'
$ssl_settings = ssl_ciphersuite('apache-2.4', 'compat')
diff --git a/modules/gerrit/templates/gerrit.wikimedia.org.erb
b/modules/gerrit/templates/gerrit.wikimedia.org.erb
index c4a89b3..e2f519f 100644
--- a/modules/gerrit/templates/gerrit.wikimedia.org.erb
+++ b/modules/gerrit/templates/gerrit.wikimedia.org.erb
@@ -47,7 +47,7 @@
ServerName <%= @host %>
SSLEngine on
- SSLCertificateFile /etc/ssl/certs/<%= @ssl_cert %>.pem
+ SSLCertificateFile /etc/ssl/localcerts/<%= @ssl_cert %>.crt
SSLCertificateKeyFile /etc/ssl/private/<%= @ssl_cert_key %>.key
SSLCACertificatePath /etc/ssl/certs/
<%= @ssl_settings.join("\n") %>
diff --git a/modules/openstack/manifests/nova/compute.pp
b/modules/openstack/manifests/nova/compute.pp
index d22b760..e5c1b08 100644
--- a/modules/openstack/manifests/nova/compute.pp
+++ b/modules/openstack/manifests/nova/compute.pp
@@ -13,7 +13,7 @@
require => Install_additional_key["${certname}"];
"/var/lib/nova/clientcert.pem":
ensure => link,
- target => "/etc/ssl/certs/${certname}.pem",
+ target => "/etc/ssl/localcerts/${certname}.crt",
require => Install_certificate["${certname}"];
"/var/lib/nova/cacert.pem":
ensure => link,
diff --git a/modules/openstack/templates/common/nova/libvirtd.conf.erb
b/modules/openstack/templates/common/nova/libvirtd.conf.erb
index 7a952d0..5f655b2 100644
--- a/modules/openstack/templates/common/nova/libvirtd.conf.erb
+++ b/modules/openstack/templates/common/nova/libvirtd.conf.erb
@@ -168,7 +168,7 @@
# Override the default server certificate file path
#
-cert_file = "/etc/ssl/certs/virt-star.<%= site %>.wmnet.pem"
+cert_file = "/etc/ssl/localcerts/virt-star.<%= site %>.wmnet.crt"
# Override the default CA certificate path
#
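Review bot: The rewritten `cert_file` line still reads the site name through the bare word `<%= site %>`, while the other templates touched by this change use `@`-prefixed instance variables. Bare-word variable access in ERB is deprecated in Puppet 3 and, as far as I know, stops resolving in later versions, which would leave this certificate path broken after an upgrade. Since the line is being edited anyway, consider `cert_file = "/etc/ssl/localcerts/virt-star.<%= @site %>.wmnet.crt"`, or `scope.lookupvar('::site')` if `site` is not visible in the rendering scope; the hunk does not show which applies.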
diff --git a/modules/protoproxy/templates/localssl.erb
b/modules/protoproxy/templates/localssl.erb
index d71921f..08e123e 100644
--- a/modules/protoproxy/templates/localssl.erb
+++ b/modules/protoproxy/templates/localssl.erb
@@ -11,7 +11,7 @@
error_log /var/log/nginx/<%= @name %>.error.log;
access_log off;
- ssl_certificate /etc/ssl/certs/<%= @proxy_server_cert_name
%>.chained.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @proxy_server_cert_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @proxy_server_cert_name %>.key;
keepalive_timeout 60;
diff --git a/modules/protoproxy/templates/proxy.erb
b/modules/protoproxy/templates/proxy.erb
index f8b054f..28ecaab 100644
--- a/modules/protoproxy/templates/proxy.erb
+++ b/modules/protoproxy/templates/proxy.erb
@@ -46,7 +46,7 @@
error_log /var/log/nginx/<%= @name %>.error.log;
access_log off;
- ssl_certificate /etc/ssl/certs/<%= @proxy_server_cert_name
%>.chained.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @proxy_server_cert_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @proxy_server_cert_name %>.key;
keepalive_timeout 60;
diff --git a/modules/rcstream/templates/rcstream.nginx.erb
b/modules/rcstream/templates/rcstream.nginx.erb
index 5700a2b..ee71d26 100644
--- a/modules/rcstream/templates/rcstream.nginx.erb
+++ b/modules/rcstream/templates/rcstream.nginx.erb
@@ -19,7 +19,7 @@
error_log /var/log/nginx/rcstream_<%= 'ssl_' if @use_ssl %>error.log;
<%- if @use_ssl -%>
- ssl_certificate /etc/ssl/certs/<%= @server_name %>.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @server_name %>.crt;
ssl_certificate_key /etc/ssl/private/<%= @server_name %>.key;
<%- end -%>
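Review bot: `ssl_certificate` here points at the bare `<%= @server_name %>.crt`, whereas the other nginx templates in this change (domainproxy.conf, urlproxy.conf, localssl.erb, proxy.erb, static-server.conf.erb) load the `.chained.crt` bundle. nginx sends only what is in that file, so if this certificate is issued through an intermediate CA, clients that do not already hold the intermediate will fail chain validation. The old line had the same shape, so this is inherited rather than introduced, but the path is being rewritten anyway. If a chained bundle exists for this name, use `ssl_certificate /etc/ssl/localcerts/<%= @server_name %>.chained.crt;`. The enclosing server block lies outside the hunk.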
diff --git a/modules/requesttracker/templates/rt4.apache.erb
b/modules/requesttracker/templates/rt4.apache.erb
index c643303..a4875bd 100644
--- a/modules/requesttracker/templates/rt4.apache.erb
+++ b/modules/requesttracker/templates/rt4.apache.erb
@@ -14,7 +14,7 @@
ServerName <%=@apache_site%>
SSLEngine on
- SSLCertificateFile /etc/ssl/certs/rt.wikimedia.org.pem
+ SSLCertificateFile /etc/ssl/localcerts/rt.wikimedia.org.crt
SSLCertificateKeyFile /etc/ssl/private/rt.wikimedia.org.key
SSLCACertificatePath /etc/ssl/certs
<%= @ssl_settings.join("\n") %>
diff --git a/modules/subversion/templates/apache/svn.wikimedia.org.erb
b/modules/subversion/templates/apache/svn.wikimedia.org.erb
index 9e3fbf2..701c329 100644
--- a/modules/subversion/templates/apache/svn.wikimedia.org.erb
+++ b/modules/subversion/templates/apache/svn.wikimedia.org.erb
@@ -49,7 +49,7 @@
DocumentRoot /srv/org/wikimedia/svn
SSLEngine on
- SSLCertificateFile /etc/ssl/certs/svn.wikimedia.org.pem
+ SSLCertificateFile /etc/ssl/localcerts/svn.wikimedia.org.crt
SSLCertificateKeyFile /etc/ssl/private/svn.wikimedia.org.key
SSLCACertificatePath /etc/ssl/certs/
<%= @ssl_settings.join("\n") %>
diff --git a/modules/toollabs/templates/static-server.conf.erb
b/modules/toollabs/templates/static-server.conf.erb
index 6fe193d..be7516e 100644
--- a/modules/toollabs/templates/static-server.conf.erb
+++ b/modules/toollabs/templates/static-server.conf.erb
@@ -21,7 +21,7 @@
# Serve both HTTP and HTTPS
listen 443 default_server ssl spdy;
- ssl_certificate /etc/ssl/certs/<%= @ssl_certificate_name %>.chained.pem;
+ ssl_certificate /etc/ssl/localcerts/<%= @ssl_certificate_name
%>.chained.crt;
ssl_certificate_key /etc/ssl/private/<%= @ssl_certificate_name %>.key;
# Copied from templates/nginx/nginx.conf.erb. Eugh
diff --git a/modules/webserver/manifests/apache/site.pp
b/modules/webserver/manifests/apache/site.pp
index 358f436..954736a 100644
--- a/modules/webserver/manifests/apache/site.pp
+++ b/modules/webserver/manifests/apache/site.pp
@@ -4,7 +4,7 @@
# Parameters:
# $aliases=[] - array of ServerAliases
# $ssl="false" - if true, sets up an ssl certificate for $title
-# $certfile=undef - defaults to /etc/ssl/certs/${title}.pem
+# $certfile=undef - defaults to /etc/ssl/localcerts/${title}.crt
# $certkey=undef - defaults to "/etc/ssl/private/${title}.key
# $docroot=undef - defaults to: $title == 'stats.wikimedia.org', then
/srv/stats.wikimedia.org
# $custom=[] - custom Apache config strings to put into virtual host
site file
@@ -19,7 +19,7 @@
define webserver::apache::site(
$aliases = [],
$ssl = 'false',
- $certfile = "/etc/ssl/certs/${title}.pem",
+ $certfile = "/etc/ssl/localcerts/${title}.crt",
$certkey = "/etc/ssl/private/${title}.key",
$docroot = undef,
$custom = [],
diff --git a/templates/apache/sites/ticket.wikimedia.org.erb
b/templates/apache/sites/ticket.wikimedia.org.erb
index eabcfd3..414f1d9 100644
--- a/templates/apache/sites/ticket.wikimedia.org.erb
+++ b/templates/apache/sites/ticket.wikimedia.org.erb
@@ -19,7 +19,7 @@
ServerAlias iodine.wikimedia.org
SSLEngine On
- SSLCertificateFile /etc/ssl/certs/ticket.wikimedia.org.chained.pem
+ SSLCertificateFile /etc/ssl/localcerts/ticket.wikimedia.org.chained.crt
SSLCertificateKeyFile /etc/ssl/private/ticket.wikimedia.org.key
SSLCACertificatePath /etc/ssl/certs/
<%= @ssl_settings.join("\n") %>
diff --git a/templates/apache/sites/wikitech.wikimedia.org.erb
b/templates/apache/sites/wikitech.wikimedia.org.erb
index d1dcab6..d820b43 100644
--- a/templates/apache/sites/wikitech.wikimedia.org.erb
+++ b/templates/apache/sites/wikitech.wikimedia.org.erb
@@ -45,7 +45,7 @@
ServerName <%= @webserver_hostname %>
SSLEngine on
- SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
+ SSLCertificateFile /etc/ssl/localcerts/<%= @certificate %>.crt
SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
SSLCACertificatePath /etc/ssl/certs/
<%= @ssl_settings.join("\n") %>
--
To view, visit https://gerrit.wikimedia.org/r/197330
Gerrit-MessageType: merged
Gerrit-Change-Id: I0aa91d8658b19d44154ec4a0f94b48940afeb908
Gerrit-PatchSet: 3
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: Faidon Liambotis <[email protected]>
Gerrit-Reviewer: BBlack <[email protected]>
Gerrit-Reviewer: coren <[email protected]>
Gerrit-Reviewer: jenkins-bot <>