authorJan Dittberner <jandd@cacert.org>2020-06-06 13:32:11 +0200
committerJan Dittberner <jandd@cacert.org>2020-06-06 13:32:11 +0200
commit6b76f18c067a29039bd813825238862c8ae0c415 (patch)
treefe508ff715cf3689dbac812d8e1d2fa4e95e1672
parent465329d7cda940325c020ea9393bed49ea19a321 (diff)
Switch roundcube to x509cert_common with webmail certificate
I issued a new server certificate for webmail.cacert.org with community.cacert.org as subject alternative name. This commit adds the new key and certificate and switches the certificate management to the profiles::x509cert_common module added for nginx on email before. The ssl_cipher parameter has been split to multiple lines for better readability. I kept the old certificate management statements to allow a smooth transition to the new files. If everything works with the new files I will add another commit to remove the old files from the system.
-rw-r--r--hieradata/nodes/community.yaml252
-rw-r--r--sitemodules/profiles/manifests/roundcube.pp63
2 files changed, 163 insertions, 152 deletions
diff --git a/hieradata/nodes/community.yaml b/hieradata/nodes/community.yaml
index b5d72bd..45d13de 100644
--- a/hieradata/nodes/community.yaml
+++ b/hieradata/nodes/community.yaml
@@ -38,132 +38,6 @@ profiles::roundcube::master_password: >
qukXDDBcBgkqhkiG9w0BBwEwHQYJYIZIAWUDBAEqBBBA45dXYksd5BAhgFD7
5NP+gDDvF8Cgnhpi/DhvI0fzwYJaLwelYhplqcWXJhml/58/yhYllUZVE/Cz
smDHq+RA9UI=]
-profiles::roundcube::server_certificate: |
- -----BEGIN CERTIFICATE-----
- MIIHnjCCBYagAwIBAgIDFHywMA0GCSqGSIb3DQEBDQUAMHkxEDAOBgNVBAoTB1Jv
- b3QgQ0ExHjAcBgNVBAsTFWh0dHA6Ly93d3cuY2FjZXJ0Lm9yZzEiMCAGA1UEAxMZ
- Q0EgQ2VydCBTaWduaW5nIEF1dGhvcml0eTEhMB8GCSqGSIb3DQEJARYSc3VwcG9y
- dEBjYWNlcnQub3JnMB4XDTIwMDIxOTExMzk1M1oXDTIyMDIxODExMzk1M1owYTEL
- MAkGA1UEBhMCQVUxDDAKBgNVBAgTA05TVzEPMA0GA1UEBxMGU3lkbmV5MRQwEgYD
- VQQKEwtDQWNlcnQgSW5jLjEdMBsGA1UEAxMUY29tbXVuaXR5LmNhY2VydC5vcmcw
- ggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQDKY4Bz8s5f0AK56dGIl8y1
- qnLyNhJr2pxJF9PInO33meBiCqpoTWpPHyIO51NGeySrlW35ZXUzp6tBMptXQict
- J7PkQcSf+lEn1AmRtWHIFNf/uM5IlgoomKktbAkkK+PLOtDBuZ40sKnRY1ooJ9ZK
- UnOrb5puz1D+JHp8JYxkPfknCNAZLeNPXqn9QqnpFKk8/c2CrVF8hShk/k5t2Dpr
- Q0Et9FkPOYBru9p5LQXQBA5QKPg1ESAVKYxRLbR4tJ02we6rOKWgLCnETlMmdjky
- NgaDG6dg79wNKu/uuYyQSXaAnJU67RGXNxIpudOlZ0c2+467mWDFaUHY4yzGTquq
- OGhMDXJu2fe7kDcBP8qH9YeIhN1WSLSnN4cbIP9UVxZXNfZ0WnA2Drj8iGlpL48v
- vBzuUD6EZ+WTeOkoapb0CRGAB+wdMQ6Tg+87tx8vUkhilk3NZ3kKRzOoDKiDisK9
- /WFh8aU7Eq62V15TmzOOkCHmXME1KH2CuzG4MQzalFz8ahRQQnezEMt91uHvCZya
- t5lcGr9W57FnYcxG6KqUO4iV6HWmJYXYhl5PfpEKzKktceH1PnuDptnE8mtdJW1T
- 8p43ubgcAGxEvsq6nbeY76b1xlIkq1/NEL3BPDSoz+Tnz5MwLKjHQcqA7Av/KRH3
- VBnw4YI0VtGxZnz4wjyA8wIDAQABo4ICRTCCAkEwDAYDVR0TAQH/BAIwADAOBgNV
- HQ8BAf8EBAMCA6gwNAYDVR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUFBwMBBglghkgB
- hvhCBAEGCisGAQQBgjcKAwMwMwYIKwYBBQUHAQEEJzAlMCMGCCsGAQUFBzABhhdo
- dHRwOi8vb2NzcC5jYWNlcnQub3JnLzAxBgNVHR8EKjAoMCagJKAihiBodHRwOi8v
- Y3JsLmNhY2VydC5vcmcvcmV2b2tlLmNybDCCAYEGA1UdEQSCAXgwggF0ghRjb21t
- dW5pdHkuY2FjZXJ0Lm9yZ6AiBggrBgEFBQcIBaAWDBRjb21tdW5pdHkuY2FjZXJ0
- Lm9yZ4Ibbm9jZXJ0LmNvbW11bml0eS5jYWNlcnQub3JnoCkGCCsGAQUFBwgFoB0M
- G25vY2VydC5jb21tdW5pdHkuY2FjZXJ0Lm9yZ4IZY2VydC5jb21tdW5pdHkuY2Fj
- ZXJ0Lm9yZ6AnBggrBgEFBQcIBaAbDBljZXJ0LmNvbW11bml0eS5jYWNlcnQub3Jn
- ghBlbWFpbC5jYWNlcnQub3JnoB4GCCsGAQUFBwgFoBIMEGVtYWlsLmNhY2VydC5v
- cmeCF25vY2VydC5lbWFpbC5jYWNlcnQub3JnoCUGCCsGAQUFBwgFoBkMF25vY2Vy
- dC5lbWFpbC5jYWNlcnQub3JnghVjZXJ0LmVtYWlsLmNhY2VydC5vcmegIwYIKwYB
- BQUHCAWgFwwVY2VydC5lbWFpbC5jYWNlcnQub3JnMA0GCSqGSIb3DQEBDQUAA4IC
- AQAZO0nwoA6/kYbl/xpKvBCS0HVJcGhKWDG/P9RhJnimeW9637o+8LcJFqDcriF6
- cNPi7A0RSO99uHIuw5aXgEbp25b0i6xMqw4QhzkKXK0DNZtF5LWJ6PGQPlLSCSuV
- hnRJXEzGVRuN+8o+tXquTBwhMwIyUIW/7iO9Xw5blSJ41+yezXQ6Gh/sw0o4ptuc
- 4D9yGqABhPTl3jq6ifGJUPdAf5l4kOebHBlNbeiTKLGZrohgU6wC+Xk0r0JCb0UH
- K6O7989i+lAnYEuQLJ3ULr8yDMLayrFHJN5jzXlcdoCiPwF/zlkYNBq1hVj8uZGW
- o1DMbXlVbT1sSmqRoAcp1uuUc5zCpSXImVKwM1x6mfEMsffjqItI/3+z0yg17pn0
- Dprun2HT+k/jwNJUH3YVcqgshkiBLSKyBXy5pn9G5wPdbpZRcXmV5fwhk63N9XV5
- Q7AiVxSEIBtka9IEWVAYE4djdavGBKZGGu5zB4T1aeBcOmr5V1NcDqwcOiufIVUg
- uDAZu7SJmF/VgqifaLsPnbHy+yxaEAWbtxFq/OfbyM0HO9oS4Mdnv5tjOFEyR3QV
- TW0DaOGtQ+OTBuFUn+W/bri9/t9nBy04v/8HdkPdtepnAIclk3wUtQ7RT2ABD6PM
- F7xpy8QfaHyI4bGakoiWh00gbgVtGF91TBb/eieHVbxThw==
- -----END CERTIFICATE-----
-profiles::roundcube::server_private_key: >
- ENC[PKCS7,MIIOHQYJKoZIhvcNAQcDoIIODjCCDgoCAQAxggEhMIIBHQIBADAFMAACAQEw
- DQYJKoZIhvcNAQEBBQAEggEASjY9sPrkG5kV3JDfDstvejhKj24Q2y/6eBjE
- qq5r44lK1IasWs9RXRNfjlTJnF93N53yV51jotpEOmUHW9gMGmDAG6xgoZRe
- jB5RnGi+uSMfDTXpJ6yhRV+s3cx+iI6M6hqPUV4BLrUtSphuMwnX+H5IZ7SI
- t26l0ejbrJt0KVPEbO0Be5pSvhecvseuYfHK8ki4KWrsOqOIPbNMBOlUevM2
- 0XOGBqY0IXmMcu4Sgi7q9CwgEjKbyEMa2IoqO82W9YKgAGQ6fzuPFtsJBxzL
- ozM7O509pVzThemWXBFlZKA8HT3w57VERuacWduRVhsXPY7ZX3Qm4U1kljqw
- Y4JctTCCDN4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEF7GaFooX40gewq8
- t3AZCiiAggywDvy18h6qIVtNy6S854Nwk8RLE2g20dWfxOEiSgzWkm/DNxCB
- Qje1rED+9eXoqWjRGw9fmAeZgY62jSnTbciqd6siNscO4c939d9slelnqca0
- +Ln/ZH+eGl6EBRN3cXsGrVYqAmn4Vgs3efWHi+kfvrDH7a+/y4C9K62qmN9q
- H/E7KYiKV1PVNNinBuyrdqS5+2oEzdwcCCFCxeYLFKuOGlv3Ka5qJvJXJgBz
- W0vItwxB7j8ID3BimyMafNj1Zs6mOqY4N+W3ToseS3VnYNF9vv1bc1TKeKcm
- bFZWj4/Bmqv0MAHcT0KWpP6mf0j9T3D/OX5/u6G9Dokxs0j/73MJcTrh8Gdc
- wNsjeyyH3lMoh7xuuY72r3D0n8UgsMTZEJt8QMt4gHYUOtIOEwEzpV0HzwFY
- lKOeTnNgS5m8scbT7hvq3PUS5zwplJOjBibkVU8IWeLy1WjpjF3LgmMoSre2
- IOrHf/QaJZliZMyYPztFVIFuj73fWmm7qFN0wGF4RcXcxuD2umGP661iMwPD
- T2NggmvV66mKyaAs23R01uav1C350sKuaCx9668Vp8XJvE57NS/s5DfTT9yc
- 4SjFIFS3T7A3SSqYTDeD90YzQz/f5tQwID35yoOqg+n5irdjH5W5pU+d9Hl2
- 85Rtlxp5mju8PTho8miC10GapYCP2Z1tV6+NQzcFiyOubsfLck0lopbQGnEW
- WJCeGvgFSkeDUJGfJc57Fb91/+Q3WnyPC1MWxiSm+0B6fnJmQiGCyEjII4oy
- izsHir4Jc++MIie3Z6SYykUybxz4eeUhy22CC0jvmxUvwxGrKflU65TNsmth
- 54Z0fAyUyEG0UZoOiKVcVhkvgvvFPAkNytZThdW1THsHX8X2P5+Y4TgwWUht
- A979wZDmtBv8RntNVnRmraOo+I1pvcvYzsgQKPb7grt0Bs2YgkYvyLfikYqQ
- +kZhiQpfp/OL/4xDwA5i/zua0W0VvaXnafgkk7UNtN2RFT2L2/WlsQaAbQG1
- E2fQuiNWe+oCP/yUk/01yeAmqspO9MTpKlVOW08JnHin1j3mtyryfD9DtlcM
- NKFZYKK7AIT1zWTWZYI96pNe2PQXqDvAXC0n3rnaq+xiF6TZwybLxAW/g1Cs
- TkcN/4fCDY4ohiJwFhVlDCb/tnowpoGJii/6d+cGPG8DVZb0pp2soaqM1lNY
- Yk/UEXlBq9Zp+X7ZozW91Ecb9dyOSae7s7A0wX6EATKsJXpINONHYy2mQQZA
- lo3NYt65BZNPENYboOYbWJHdLInA+3KK9On1qi7IFr2HSbBWLsf86IP6tyg+
- rn4+d9YEFRuaLhy1I60yhs7j2Vibq9fbzfSml5GKTcemEKK+77dTD1PPHMEB
- PKiK1uQvb84TofgVYzTw5MoC1jFCKjla9KaiwknO9f0qQ78YTxfBwS9AiFXB
- oKgH8YPT6eLJ8QBaNnb/4zfE9KGgSk1XXKsp2gIk7rKJUNnBPjOjBQVTqypd
- +Bk67yKwQl6o6JZmtZEbGr0o5nKaExKFTOZjvAQ4UyeHhctyM2C6ntZ2/0Vv
- 6rYfQJgJOhCP/zcMr/o5bUzYm4NQKE1q5BhQSxIMHEujpxl8aEiCNoi9SPGH
- ZNvrsIVPqXI/6r0uKOnykv2rrz04lPkEthimROYZbL5A8lT2fdQL6oCuSN7r
- 5lFlX6+JrjR8ITNZIlUvhtu5dgInD5IWkR5+W8AwiL3y/D6fR2duHGSvo+A4
- YkVJDwGrLgLOrRi/4ZZYOfuZAI8dbiW0Vh14So5Qy0TSu1dTfvJxxGSI852N
- sNCAm9Sy0nrN81VPwaAJsDS1osDciy8O+FYu+zMqO/WqozyQqFSA5qAhfPVu
- rhhomAhKYhXGQ2tnthjM3+hAlMQflIvPVwvgAEeUlp0O2rABGWJiAn6XmewO
- GPIySnd6x7Jmyk0cfwVZLpYMldtKQgR0BD13HXGLbDeSszFC/9GpHtUkZEQe
- nMLbLbQfV2/dK53R7LvRuGHoeEnY2P7ynZ0+y7bkXCq01ftBggzPwPPkVJK+
- nchRlTIacWPJvZ8sO3wbjTcVxJsBoTNsEGKxi6s7KCagNxMF5uFcPfHHW66e
- S5jQCKjSblM/DAcHEWTbqvAFUfLMVq3oJmvty9aiJe/FAQRKcTrGCx6JK2l3
- /4pIyPi7bdQfBO19OneOyrlee99ACfke626ZzJLPI6l3WmypnCRXzBkXFQ9P
- S7acAPAFdVaHZz/mHkjmv8cOPxnSJyh0nEi7zxS4nVqcKo3FXs+cyfhdTLt7
- aefx46XMzhF61ShVthPq86xDIZo1R38O3ArZpRMilvvTLTHWVEC0zcBZutKY
- QxB5dFQCNbNg0D7BI4W1pEdxKY+GQM/uC7nQsii5En/5Ht4nI5tmLqqvlmn5
- Uu8Qvw0tf2ekIVo7IurOIojFKKSdpK4ixML2NlUKWMCkeuvlqh/owSjKyZqS
- 0es64lkYiJlwvHrNXJSSiAXX2P3YPcP2YHv3nrwd/jiRodVYokLfrWOM1Ii7
- G10lYvUHy6OTRdZ7u/eaVN6Bwkoo4GRt8vXhMB/9xoPt21zo/bTXHgInMOni
- IXVH52IG89ZnrNH7aZ15XpzlhKfkuZkStO0EJBUX+409pzcUFLRSyy5lwdQz
- NcGcsFNiLqLJiCWSqI7A9tQBbJcSF/M8xsQUPzBtefGv2+gDFWq1MWhafUpr
- B9nw3r0tUh9BbBQNSnv/yb1ycgRWLMFLhQ7KJaqb6xoW40MxvRaB4vU8IAHr
- wiie+WOhyLZwdPAJABY63QN4SsTqPmVB+4o3pieuOnV2BNFMyNltEYhBdzMo
- 7Z4x6m8V7z9ZHLvEF5pTDMK30OKn8n7g7gYqHw7Kf4LHIWw2f6KSckW8a1ES
- EHDVTuprO4qEIEr08TD6noDS03x+W+8CNYw6Dn4tyDWiocwjH6AhcuNEx3Wr
- KFBR2vobH76poNkWf6GresQKxrde+K+BfDKmBcg4zwpGIW22JvZ5zkguK6/6
- cygWrhBOtbr2l4yi+NJlN7I38rxdgAa5sYG2azctSI0Cdf4oFxoGafnfRbzg
- f5cHDNkt4pJTxZX/wOp1FFE0dCJUoyPrm5miEuDwKlOx0Cby8QRSkP7nOtWp
- cK8jV6pyPcC2KuOioHT/u4I+VDA4aYXu56E6Hw1QSSn1p+eTZvTMQdzNbkpf
- Q93EabnZVuBeDd7Wa2vuoTUP8QudPteThtIOQst6EsF2TB+AynNHxNaPNvOh
- D97UUHMBtV/X6MscGViKuJoVZP8URZQvzzKN6BzpcXedSRXDb1+LshCeHJ36
- n8q6Blyuv2SJvPCBo174AjfJTur+mRtRLpiG0wc6jeWaOCfCHxzPOG4l11hh
- gmBe63rqe5tnLnsQmlGxODtiXOa83359kGbXk97/5mcLE8XCUHhOPiRaiyzO
- +uF3JpE2lokV+dvGm5T89s7oTN6Fe3oIV/nwubObQiXffOObfnyz59CbDz5m
- OhPdhG/44Pqxf4fkwmYFiQNek+OCvcy3dktkkM1x01c8V7Z+6Y67mMD0qfsP
- KSGarw1QICwuw1Z6KC/8CzjR2gI3cpGBNIo0rxIMwFqz9C5FVaLkhu7RhJSl
- Nx/baewx9C3V4ko3rOYK9R6zilgsgD35NKFBbtZVL4HVC2FRdUEWWpNc8YJC
- kmFpmbU8HXyBCJxgbsXJHm9BOXnS8FCSoxvFIaa1QM7Nupl08RMMVez5JAPE
- 1uO2Azm+hO2hh2TPLGWaVK40rZiqQF6E5JO9lAkfH7ouGjppWTNpBCH7FGGt
- f12BKYvG09EA33iu5Mdpmib/wPGs3Ml6BnvVgsGN1KLConR+9wQcSGejyWRq
- EvKYD91e+bvhFKZYuPDmN2McGmXk3vhz7JqF2csLN69JBsiF7CV1BFyE10aF
- bpWvFwjWxxlFb5zYWYwIdCIO96yvA+YJOKUVvoQfRjGLjI8awcoBySawtPdU
- SEOU14NLPqMmqD0IWcbvzWJF7kNZ0LhTMGJrD5vxx8uxdfAgoNa5DfQpWJsr
- fDgxJErQ2cCbzJry5mgc1aSzrDbYWPEQPrPuajXLA5D8tG+RZfUxV8caHyMr
- bCFFJjqPlA35Nu4nLAiGUzKVWOsyn6yj3V0ilLbnxNE+228L5+ilJ+9VL47U
- p2wdlrXzxo2QIvEj0o5K01HAwM3sa6Cjc6G5yP3CGvLVUa9FxNfO+5EX186V
- iyOu2RTt5M8hIaiVSrl/RDSPiAPaxN1y8akjAle/ySMJPGYQLQaj0Fpb7Ios
- yCdnmm5GDIi4jej5SpmnnI2LszdUMpRjQrXKC5jFwXXArMKc6Do9PHNR0zy0
- wtocG6a7vmje7zEjMuVJTq4=]
profiles::cacert_selfservice::admin_emails:
- jselzer@cacert.org
- jandd@cacert.org
@@ -344,3 +218,129 @@ profiles::cacert_selfservice::jwt_private_key: >
ieCxxZ4r+NiPvS3xnAE+q3P7z5R3OTVYZkmLCupzBtnqi8Ne/TdvmUBWDtw4
2v8bs97vfnguWiynjekfeZgjO28SWiJYwLFuQUtV+kvYl9baPpORFTfuI3Rs
dCF8snPWlLs3m+PXsz2HoiGe0s2tBKM=]
+profiles::x509cert_common::certificates:
+ 'webmail.cacert.org':
+ certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIGdDCCBFygAwIBAgIDAuN8MA0GCSqGSIb3DQEBCwUAMFQxFDASBgNVBAoTC0NB
+ Y2VydCBJbmMuMR4wHAYDVQQLExVodHRwOi8vd3d3LkNBY2VydC5vcmcxHDAaBgNV
+ BAMTE0NBY2VydCBDbGFzcyAzIFJvb3QwHhcNMjAwNjA2MTExMDQxWhcNMjIwNjA2
+ MTExMDQxWjBfMQswCQYDVQQGEwJBVTEMMAoGA1UECBMDTlNXMQ8wDQYDVQQHEwZT
+ eWRuZXkxFDASBgNVBAoTC0NBY2VydCBJbmMuMRswGQYDVQQDExJ3ZWJtYWlsLmNh
+ Y2VydC5vcmcwggIiMA0GCSqGSIb3DQEBAQUAA4ICDwAwggIKAoICAQCspKMHnd/Y
+ xvVqB7B/3bXfg7nReRR6WsP0xFzharKLkymoh3cMoFZU6gW/AyLPq2wicjJPtEUi
+ /pRYHYuNyOwo3rUEcHaWS77gkvbU8hMVNDfOff1qcrvi9UN1+agKDUp+moe0uGL7
+ nJw0cXH/tG6e1q7v7WWgqij0soBu8RJw3mTX9Z+8cvXba62qkF/AqN3nQKSuxviv
+ nyOXlz0xy97C6XSK2va1V3k3dgV7DYtyASUbqw00JetL1pwkUC5KE4J5aWmkLrSm
+ u9ZR0wRTOPmk3/j1YjgLg6d+ATwAXrNJIOR/dvMQIs0k1+haXhDBpNPAQLdN3yqD
+ /QSnpiIJ0mPdn+Ofbm6FfZYu+jYZE8WwrUVUdYp3Xn5z/XaMLcLP7hnPaiY/AyT5
+ Ah4iLYtrdLHvTJXNZRPjS0CoaV3vZGNtlLdZhE6SDiuDfIac9eSQh7CkLp25d1/C
+ K6pKDmHr1Er22tz+2zrXchVqY7hfHOHgNvLlQbYRS2eTQAah1o9tn1uivP0kb48c
+ VPBeiOrFz2LpjSF83N3k0fV10PHjrfzvcWlvr+JiQ+MlHBNlcCgNgg6OpRLDoqFe
+ tjDOXyVBfGH0qBi1s6gAJr4Zt3q7YlhEKKQ8mjhECr8e58inzrTBxxiAzYrfpYxV
+ q4ZWdYq4cw+JInRId2TCQyYNTX1HHkUw5QIDAQABo4IBQjCCAT4wDAYDVR0TAQH/
+ BAIwADAOBgNVHQ8BAf8EBAMCA6gwNAYDVR0lBC0wKwYIKwYBBQUHAwIGCCsGAQUF
+ BwMBBglghkgBhvhCBAEGCisGAQQBgjcKAwMwMwYIKwYBBQUHAQEEJzAlMCMGCCsG
+ AQUFBzABhhdodHRwOi8vb2NzcC5jYWNlcnQub3JnLzA4BgNVHR8EMTAvMC2gK6Ap
+ hidodHRwOi8vY3JsLmNhY2VydC5vcmcvY2xhc3MzLXJldm9rZS5jcmwweQYDVR0R
+ BHIwcIISd2VibWFpbC5jYWNlcnQub3JnoCAGCCsGAQUFBwgFoBQMEndlYm1haWwu
+ Y2FjZXJ0Lm9yZ4IUY29tbXVuaXR5LmNhY2VydC5vcmegIgYIKwYBBQUHCAWgFgwU
+ Y29tbXVuaXR5LmNhY2VydC5vcmcwDQYJKoZIhvcNAQELBQADggIBAAStZDsACPPf
+ /4NhO2O8ANSAOH6hIHFaxEbB4+aEY7an7rB/84Dis6O8xfh/K9Z+M9uob/jIfhEd
+ 2bJdufSDbp3OkrhQj9/Acz2o0xettiFgJAh0SNf8/dH9U1cqRPCK3dNna6z8vOJJ
+ XJJlyzTVli3N4AZOycmD3XNpC3INiEFOFRwfJLR7I4Nlv8YylmSc+BpnYlYQOWii
+ TXfNWcmojuW/JHJT0xmMz0gpJOCbvjrd0MHVj8ygEP2u9a7kHMAE7o1Wc/P2KsqA
+ +l1011KpjVNhO4Lln54ziWQ2F2x/R1dHNk5WrV9Y4J06drx1/UDR7QyLQ99II4YV
+ qC+C/DYkwOzvBrWOWpoOov3PmrDEpsbVoWvIDyb0+G7xgm6nGSexaGbVxmXj07/o
+ 7cW81GwohK29n6MXtVFcILAOHl5xyRH4f0PqRYx9WAu+pxpH8E423dnMpTNurkYS
+ e5yNfo4tL+Fl91RcanwcVA0lFff07GsfFQn1ksgIMFvEVsVaK8OYHiOIgfr1eLUW
+ DsCt63P8dEQf38vKlWD2XO7yD1jgjBOsFFbb/Eq8fGx8KiCGknNPZ2y2F4rhHew5
+ od2HHMh61oL7n90kHdheFiPPwf8MtDb89yhPLPEKSLmVYB0NjhygOERwgZvix6Rm
+ 49YgOhuoXJwGGiBI222zx/q/k6eI0wpB
+ -----END CERTIFICATE-----
+ private_key: >
+ ENC[PKCS7,MIIOPQYJKoZIhvcNAQcDoIIOLjCCDioCAQAxggEhMIIBHQIBADAFMAACAQEw
+ DQYJKoZIhvcNAQEBBQAEggEAAFP97Lsk2e1NpEboNySYhvkrOxljrOvYaeXX
+ IHG3BzBCeklXkAEONdvlwQQB87UnpAOuZPbJWJpMfsjQtTjYQkBJFhKMnITU
+ pIVsM1K9Dx7+J+6+aLFkb7gjH2sL0lx4mRZ14svhbWYKK6XcRIPpYUb8uBv+
+ JCpJtmq43xcVLuvH5rKcZ6OGdPxqH4G+h8TjGHn9Mt+rSm7THLgA5cUJQj62
+ jNQRNK45jIFi9k/oGhua9qY/NmzQwGKN1x/iYNNfJi6bnEZCYkpfUlnYxXIM
+ UZmlaNTsmA4o7XF/GyyQoKXbhHlJT7FY4Yw2JHcIwWlWdmkHgPGvVo1ytl2j
+ 5XZ7kTCCDP4GCSqGSIb3DQEHATAdBglghkgBZQMEASoEEBT1yZbLyK9t9RIO
+ lA+KO2yAggzQMXM3oZngv+CoywSdCiCYfu1VUIJyQVKq6DCWEQggjvKiiBSh
+ +GPr447MSBTOjg8fao2XNAPnzZYiy0IDGce0o2xvxiRJyV+HIg1V5PUAjuUH
+ oVw4SVa61THDc2k4kFq1Q9rdaADPrScUFz9LL5dZHPYem6tG+RLIeGqef/lx
+ wlBEUZp25TIWzuiEIhhvGgjbmxBm7JYOf0d5mMnGdHxTTsnT5SbybbrdLqKE
+ V5xF12hmvaflgzK1yNS3tiAGAmYpAMbYi4rxuu1nIyq55arS95ES+RwcKY0d
+ Z3T3iELkGTWLsoYJ1RsXIQY6SwJ1/SUntgplG3pYrsSzww6dg/JxIuXmbrbT
+ Y/xwWQmkgkcV/PBFZXhSDAoZ47V6h95w7Z6pGbAN1kMfwOaSCrysnHbypMl6
+ vMDYzuN647urE5A1Ec41Nhs/Ky9VADh31dGZs7F3UtfyiHA/xul5T8HmuHiV
+ eLP1q5vksLAyCNXr9FkK35Wv9YekEBVXv9tEmKfLFjq4v0coiHBxHkCaPqid
+ /wmm5C79RzEWpbVnJtflRkOKpSIVAsY+PT9PwQERDkuAX9/ww8FWUD5470FR
+ +qEjOzpnGuxUij7g069U2tdl1dBQP137LZiixEpCgmCgD5gO2UIkj99gvPE6
+ w1yIUQgi4gf9+O/obfnrqjfWly+iYs2DXz1YM6k2s61mkqtGk4aC2uCvXPIx
+ LZTeoelatGpSNN7LG1CHnStnTNHy90Pp3c4XBcsGw4mq/8jMq+f24cZx3sOp
+ izRAXP02J0wv0YVla0gHQtuv3V/PVLHUVoIPXkPRVrOop5/9cCW0+4zsOBcq
+ cBmfp9qTHDQBcTzeZCqg3VyTicS2vsJLCXvq639AmmjWFTzeUhnQrQAfCsQT
+ gsK5W0sfvg+oo+95sFb4SSVx7zo4XaQrFtXAcSJjL0H+tyIQ09l/VFAxwBCm
+ VN0DREvHwGr0RWdehpqWA6Dq3+FVBot8iAD7GmamqneamS6o6fNJ9s7lFRAD
+ TOGz6g7MC35afrXsP3maceBMzO75qZDe2hvsQBE3zoJrVqPmV8xZVE2BTlPI
+ AZveyKdj3lmngzn3BmJd2xRWFY5UYliGK8toZgOxkfx6ye5umYZbEjhvHgQK
+ CkeO0FSEQzf64Y0kdA0av8zKKQ65uGYfUx7J6yrpVH+sOX4JRSLsxQLIK9uS
+ QXg48MGB3kyUDQN1b+H17eO1nUykUlgXJEUPrQtzXynKZfNRUdXtG6XtzN1T
+ ueAQW019KlHzH/s1mLZdZflXxUn4Pe4cKF3NAVAL1y1sYoeA5SsejfY0BPh4
+ m2vC0KU0YTE11GrbK9ZQNrAjZ+1bwLiZdSIAhO2D+qot+5m6KRmiXQGyyPPc
+ dnwvsdXwL4vcIsVhw3UfJsgSVcKoAkkX06+tpPrB6o+rrr15wdzR/A2ENEZ1
+ DIQBE9dqY92V6gJzJbVrUG0rSyg6pwHEXQRlkveeMW78fNUHM/sQurCQRIJh
+ fFgcqA3WuObGujRF9F9rVRpeivuZmmRkjHen4YvXcw6fs9bmsqenvRZsHI9b
+ DhfkpQ9AtUYGxpUEdsFDqPXbqiuRVQEx0KOj3M73RdTgC9I+jzD39A+NLjw5
+ SOqjMI40TZd1hiO2Ho4PBaCO+b1fnooLE7PuzvzkAyaCA2Zkv70rPs+rmZbl
+ 10sgzrvdURld9jziiBAMfdv7Mtr1IA/gFqApDXszDOpLUckadJhdFUre9u6a
+ nP79kbUpOSnpfq9oOU822mgAzOAql9EUIONrHOTOdxa63qDkdvrRGa/dUlkI
+ W+/4fc2hDQVmtQaY0iAhaSj4PZAs7FhEzBm23k87jePE4Xx9a0Jo3XhXYFZJ
+ qq8BTIcUg06A6u1CsZmL64Jt4Y+TwVSGhTdsAS3jLM/dXX9c9/R0gUf82nzT
+ /CMu4J3wNZuv9J4uHbHc8HUWhI/tw/m+jVSoFrVbvjimIpWJQ+SmlFkbzEbK
+ 6XiDQE8SBpCQIvtZAJG/H72sbGcfAbtTJX/5OAb6wREd4HmOvxmXy6HI0a0F
+ 52wA8KklL41+JFnExuZQj1d8Fi4WmAy0mgTFD13nim4CitIDXduOap2sRB5w
+ 5okm7Pr86NdSKW/PfCtYxpK/JADD/o7YlOtBi5blvuoXtzWT25XK+BvqP3c3
+ yBFbUNTBzzsdNlahl+iaPk+qiDlu4aw0sDuDeHYYVK13c1+PBf6QziAVedJp
+ 22DaCE0B1KD/YCcaG120WyCBJxppuIFTFCNmhrHt3N93kGWJrUduYwoG4uwc
+ gkk1LJKANG9S46sxPSuAvGkdb1GtxVInziVR4VnntsnP0vdYRjU1iQHs3zI/
+ a4915U0enmmOA2+UyPUBhWpUO+XTPeHZ/5Z8Uw6Ip8bZ8eTnz80c840OrwZe
+ ni5QWTDvfVQbMW0ULBtPIgh9WCs6Df7pc6KxwLG+c9mgx9cKZtcAkm4OX+KL
+ mtLkHmSNXlDAd56ozLv06xoyZWNpFIAcz1yeLbNyMv3H4jOZcP9teaa5TJBN
+ 5P/k7C9cTs1Ifsn/Oi8/RTaiOIFs68VTjZ4vrZikftC3sHy7Q+vzcYEolX7x
+ fzkPrXuyhFr/x3OTRItTml1TzccgXMylo1VhOMKPZ9sk9mUskwLnOXzdXLa4
+ tZ2HG0qAgiqxM3L8kVkpcmyPSfbYVP8lRYYZd0rSMZ/HOGvO9ByfzPSyGG+K
+ e5XBDlVaTN4CImBtYEYxqNLy683ft6Ii4D8/VcXb6AQNWkjK1MCkgkVVNfil
+ i/j+lrpG6xo7gEpbaxWMyJAyzUN3V28Wxlb9yDJI8mAMO9sMqNmOFcpf4sis
+ RiBcYy5tr3RkQ+tCAUXMlMG0QNv9sWnmrIffzpLRakLBFhaMtFtUbpFYBoLx
+ cOTHyaauA/eI1RLmTNA8r0Z9gYrKQn3rzISg/XkrM6oKR6u2bYjWIJDuvIn6
+ Adi/UiulwZfFF8ykCHgHRIGXZo1N8eM1M1+WG8gX6IZGhMnJd/l1GoCSbbTR
+ BcXJwW6QgbiqdN//YyZq3TlqLCMSP87yjlNlr7YaFq5vHTq7B7c9jrEMMlFG
+ Rc+y89rtC/WY/AoT/Txk5K4I6IMyGK0fHt4rjiHTY3eg5FKF2CVZ3x93TRUZ
+ wWKe9GMyNqwpm9IOc32OJUn4Fc4Y7R4ycYeSnTXA1AelDLpy6KauMu2nYlxa
+ k8UTQ4a8ln/soyMXbFk5V9Q469SzL0q49LrVIh9D3PZa6xygNW3wpdH0gWc2
+ amA5C9VMo/E//Skw9tIfhHTiEwnvcS96ywHmG1ONjp37clrDu3xtbECzZhSH
+ LTmUZa1Ky9nBPWADkQsWW3k4jP1np2lIZWut/Li8h+3k611ER0C1rKxYQp7V
+ MqywvQ4lwy294vLJ/kuGehM3YigE6iXev3uCmJjTxLc7+hzK/ttZCRv2qHSl
+ oP2qkjvn5nqfNugPoY+kFQyBPT0R5kTh7y9w94Lfdc9TrhEHMmYx4FcvncDs
+ 5MJq0FoDyoM02rt12ukDnCmJvB6yC6mccNgGPVFCEIWovif8UJ5Njzxk6y7j
+ 1rUuHYbFe2uNVpYpDBR4L/aipQBpM5ZX1SdYL/vRF3K7A+N308m27fgCrzeA
+ vBP7Aup30lVrgz1ghlfMqvK5YbTFTAg2RlrGNkfQ44hpDnKD4qrqGrVHBUVP
+ dbxoyOFTncziUFOGaI8acWaWfOlG5APDdOK3MxYnqTvknIE/HHHRQlKu8OIW
+ EB80NJrkCCNP1S1PavQFAHN83lsb35H4tUcIABriaxYLGN3ztg2Q5HdFReWR
+ HidmefJqIYAktXadwxC95N8QeRjtOJiPesUpAo/Eu5pW3RFhnfm6HIOWuo41
+ RDZxtJnB+0FLfOzv2g9RptpqBzI76Iag5fL6dBolDguyoym2crKerasFHw5t
+ vmv73eY3bddxZGHYvdQHpvRlJUOivxEdvbe8o180f2UUCDSk1Wt7BxyqJA59
+ ggE2nGyN2kws03wsPe7BOX6G41zMFpFapQgtgjLazXP2goqmD9nAqTxlXd6S
+ LVq9vjynFdAkpP+wpeM1Czcd2rfK0RMfwbljFKyc5U3qDnmAgEG3PSgpdGUB
+ H8fmcNBtPR5PufP17saFediTheNoSalep1Bw5HarVwS993uh75TdzHjEUG16
+ DljUpTuPllDPYhdiJ6DErFtT6u0htD/KD38HW2CtzRzzWvxiq79UhZ7eSe9P
+ TVy6KgmeXh++KXdXv0GuzUH82s+/Au8ol64OMPr5K+AJDfnVRdnz8VoHJ/pj
+ 1t0kguha+CPDAQ2qHTeJXHZn4KCvY824Omoj2SJABAapqjC8ScMbcgbrnVbv
+ cfglOMVHgFpYDHCNe9MhivEVuplMu2E9MCVQDuWHGRoKqKILaMN2dd+JFbFJ
+ rLMMxw==]
+ cacerts:
+ - class3_X0E
+ - class1_X0F
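Review bot: Nothing next to the new `'webmail.cacert.org'` entry records when the certificate expires or which names it covers, so whoever plans the renewal has to decode the PEM first. A comment above `certificate: |` would help, for example `# expires 2022-06-06; SAN: webmail.cacert.org, community.cacert.org`. The date is read from the validity field in the base64 and the names from the commit description, so confirm both with an X.509 parser before committing the comment.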
diff --git a/sitemodules/profiles/manifests/roundcube.pp b/sitemodules/profiles/manifests/roundcube.pp
index a32b0ca..ffc1ea8 100644
--- a/sitemodules/profiles/manifests/roundcube.pp
+++ b/sitemodules/profiles/manifests/roundcube.pp
@@ -6,6 +6,8 @@
# Parameters
# ----------
#
+# @param additional_names Additional host names for the Apache VirtualHost
+#
# @param des_key Key to encrypt the the client cookies, must be
# exactly 24 characters long
#
@@ -24,10 +26,6 @@
#
# @param mail_debug php boolean string used to toggle mail debugging
#
-# @param server_certificate PEM encoded X.509 server certificate
-#
-# @param server_private_key PEM encoded unencrypted RSA private key
-#
# Examples
# --------
#
@@ -48,15 +46,15 @@
class profiles::roundcube (
String $des_key,
String $master_password,
- String $server_certificate,
- String $server_private_key,
String $email_host = 'email.cacert.org',
String $email_host_ip = '10.0.0.19',
String $mail_domain = 'cacert.org',
String $mail_debug = 'false',
- String $external_name = 'community.cacert.org',
+ String $external_name = 'webmail.cacert.org',
+ Array[String] $additional_names = ['community.cacert.org'],
) {
include profiles::cacert_debrepo
+ include profiles::x509cert_common
package { 'mariadb-server':
ensure => latest,
@@ -194,6 +192,8 @@ class profiles::roundcube (
require => Archive[$twofactor_gauthenticator_archive],
}
+ # These certificates should be removed when the switch to x509cert_common
+ # has been applied
file { '/etc/apache2/ssl':
ensure => directory,
owner => 'root',
@@ -218,22 +218,22 @@ class profiles::roundcube (
$apache_ssl_cert = "/etc/apache2/ssl/certs/${external_name}.crt.pem"
$apache_ssl_key = "/etc/apache2/ssl/private/${external_name}.key.pem"
- file { $apache_ssl_cert:
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0644',
- content => $server_certificate,
- require => File['/etc/apache2/ssl/certs'],
- }
- file { $apache_ssl_key:
- ensure => file,
- owner => 'root',
- group => 'root',
- mode => '0640',
- content => $server_private_key,
- require => File['/etc/apache2/ssl/private'],
- }
+ #file { $apache_ssl_cert:
+ # ensure => file,
+ # owner => 'root',
+ # group => 'root',
+ # mode => '0644',
+ # content => $server_certificate,
+ # require => File['/etc/apache2/ssl/certs'],
+ #}
+ #file { $apache_ssl_key:
+ # ensure => file,
+ # owner => 'root',
+ # group => 'root',
+ # mode => '0640',
+ # content => $server_private_key,
+ # require => File['/etc/apache2/ssl/private'],
+ #}
class { 'apache':
default_vhost => false,
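Review bot: Commenting out the two `file` resources leaves the previously deployed private key unmanaged on disk rather than removed. With the `$external_name` default now `webmail.cacert.org`, `$apache_ssl_cert` and `$apache_ssl_key` point at paths the vhost no longer uses, while the old key (presumably `/etc/apache2/ssl/private/community.cacert.org.key.pem`, unless Hiera overrode `external_name`) stays readable after Apache stops needing it. The commented code also refers to `$server_certificate` and `$server_private_key`, which are no longer class parameters, so it cannot be re-enabled as written. Consider deleting the commented block and the two unused variables, and making the cleanup explicit in the follow-up commit with `file { '/etc/apache2/ssl/private/community.cacert.org.key.pem': ensure => absent }`. The class body starts and ends outside this hunk, and the related comment added above `file { '/etc/apache2/ssl':` in the previous hunk sits on a directory resource, not on certificates.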
@@ -271,15 +271,25 @@ class profiles::roundcube (
error_log => true,
protocols => ['h2', 'http/1.1'],
serveradmin => 'webmail-admin@cacert.org',
+ serveraliases => $additional_names,
ssl => true,
- ssl_cert => $apache_ssl_cert,
- ssl_key => $apache_ssl_key,
+ ssl_cert => "/etc/ssl/public/${external_name}.chain.pem",
+ ssl_key => "/etc/ssl/private/${external_name}.key.pem",
ssl_ca => $cacert_cert_bundle,
ssl_verify_client => 'optional',
ssl_verify_depth => 2,
ssl_options => ['+StdEnvVars'],
ssl_protocol => 'all -SSLv3 -TLSv1 -TLSv1.1',
- ssl_cipher => 'ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384',
+ ssl_cipher => join([
+ 'ECDHE-ECDSA-AES128-GCM-SHA256',
+ 'ECDHE-RSA-AES128-GCM-SHA256',
+ 'ECDHE-ECDSA-AES256-GCM-SHA384',
+ 'ECDHE-RSA-AES256-GCM-SHA384',
+ 'ECDHE-ECDSA-CHACHA20-POLY1305',
+ 'ECDHE-RSA-CHACHA20-POLY1305',
+ 'DHE-RSA-AES128-GCM-SHA256',
+ 'DHE-RSA-AES256-GCM-SHA384',
+ ], ':'),
ssl_honorcipherorder => 'on',
ssl_stapling => true,
directories => [
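Review bot: The vhost now takes `ssl_cert` and `ssl_key` from hard-coded `/etc/ssl/...` paths, but nothing visible here orders Apache after the files written by `profiles::x509cert_common` or reloads it when they change; `include` alone adds no ordering. If that profile does not already notify the web server, a first run could configure a vhost whose key file does not exist yet, and a replaced certificate would not be served until someone reloads Apache by hand. Something like `Class['profiles::x509cert_common'] ~> Class['apache::service']` would cover both cases. The vhost resource and the class body start and end outside this hunk.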
@@ -292,6 +302,7 @@ class profiles::roundcube (
redirect_dest => [
'https://selfservice.cacert.org/password-reset', 'https://selfservice.cacert.org/staff'],
redirect_status => ['permanent', 'permanent'],
+ # rewrites can be removed when DNS is changed
rewrites => [
{
rewrite_cond => ['%{REQUEST_URI} ^/board/motions.php', '%{QUERY_STRING} motion=(.*)$'],