authorJan Dittberner <jandd@cacert.org>2018-04-15 11:58:44 +0200
committerJan Dittberner <jandd@cacert.org>2018-04-15 11:58:44 +0200
commit0506e6e014994cd8dd89732921846b3d24688baa (patch)
tree39217be87875ab44f60d9ee44ab5ace582072557
parent0fdaf10c154a4860d71d3f4ba16b2086784cb3b9 (diff)
Set up hourly cron job to update CRLs
-rwxr-xr-xsitemodules/profiles/files/base/update-crls25
-rw-r--r--sitemodules/profiles/manifests/base.pp20
2 files changed, 45 insertions, 0 deletions
diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/files/base/update-crls
new file mode 100755
index 0000000..6c1e8d2
--- /dev/null
+++ b/sitemodules/profiles/files/base/update-crls
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+ if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+ then
+ openssl crl -inform DER -in "$crl" -out "$crl".pem
+ else
+ echo "Error: Could not validate the CRL at $crl" >&2
+ fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+
+service apache2 reload > /dev/null
+
+exit 0
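Review bot: The rsync on the `rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"` line overwrites the previously validated DER files in place before the signature check runs, so a truncated or tampered download replaces a good `.crl` even though the `else` branch only logs it; syncing into a scratch directory and copying only CRLs that pass `openssl crl ... -CAfile` into `$CRL_PATH` keeps the last good copy in place. Dropping `-a` for `-rt` also stops the rsync daemon from dictating owner, group and mode of files that end up in a root-owned directory read by Apache; with a fresh `mktemp -d` each run the transfer is no longer incremental, which is presumably acceptable for CRL-sized files. The `for crl in "$CRL_PATH"*.crl` loop also needs a `[ -e "$crl" ] || continue` guard, since an empty match leaves the literal pattern in `$crl` and produces a spurious error. Whether c_rehash skips an unparseable DER `.crl` left behind by a failed download is not verifiable here; the staging approach sidesteps the question.

```shell
STAGING="$(mktemp -d)"
trap 'rm -rf "$STAGING"' EXIT

rsync -rtqz "$RSYNC_LOCATION" "$STAGING/"

for crl in "$STAGING"/*.crl
do
    [ -e "$crl" ] || continue
    if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
    then
        name="$(basename "$crl")"
        openssl crl -inform DER -in "$crl" -out "$CRL_PATH$name.pem"
        cp "$crl" "$CRL_PATH$name"
    else
        echo "Error: Could not validate the CRL at $crl" >&2
    fi
done
# … unchanged: c_rehash, apache2 reload, exit …
```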
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index edead76..48afaac 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -179,4 +179,24 @@ class profiles::base (
ensure => present,
recipient => $rootalias,
}
+
+ package { ['ca-certificates', 'ca-cacert']:
+ ensure => installed,
+ }
+
+ file { '/var/local/ssl/crls':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/cron.hourly/update-crls':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/base/update-crls',
+ require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ }
}
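Review bot: The `require` list on the `/etc/cron.hourly/update-crls` resource covers the CA bundles and the target directory but not the tools the script invokes: it calls `rsync`, `openssl` and `c_rehash`, none of which this manifest ensures is installed, so on a fresh host the hourly job may fail until something else pulls those packages in. Extending the existing package resource, `package { ['ca-certificates', 'ca-cacert', 'rsync', 'openssl']:`, and adding the new packages to the `require` array would make the dependency explicit. Separately, if `profiles::base` is applied to every node as the name suggests, the script's unconditional `service apache2 reload` will exit non-zero each hour on hosts without Apache; guarding that with a check or moving the cron file into a web-server profile may be worth considering. The enclosing `class profiles::base` begins outside this hunk.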