authorJan Dittberner <jandd@cacert.org>2021-04-25 12:50:47 +0200
committerJan Dittberner <jandd@cacert.org>2021-04-25 12:50:47 +0200
commitc7d1fe41d60f623053d6b69280e9b4b188357651 (patch)
tree9cbc08c2e0d93046e6e0fb7292d4d807c2b5665f /sitemodules/profiles/manifests
parent72fc7353e13b33dbe876a47dcb5c34d7b1fefd3f (diff)
Add client certificate CA support to x509cert_common
This is a refactoring that moves support for defining a client certificate CA chain into the x509cert_common manifest, so that certificate chain management is centralized in that module. Community is the first system modified to use the new mechanism, for the Roundcube webmail system at webmail.cacert.org.
Diffstat (limited to 'sitemodules/profiles/manifests')
-rw-r--r--sitemodules/profiles/manifests/roundcube.pp64
-rw-r--r--sitemodules/profiles/manifests/x509cert_common.pp30
2 files changed, 30 insertions, 64 deletions
diff --git a/sitemodules/profiles/manifests/roundcube.pp b/sitemodules/profiles/manifests/roundcube.pp
index c5e7988..ae7c031 100644
--- a/sitemodules/profiles/manifests/roundcube.pp
+++ b/sitemodules/profiles/manifests/roundcube.pp
@@ -73,6 +73,8 @@ class profiles::roundcube (
ensure => latest,
}
+ $cacert_cert_bundle = "/etc/ssl/public/${external_name}_client_cas.pem"
+
host { $email_host:
ensure => 'present',
ip => $email_host_ip,
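Review bot: The bundle path on the added line duplicates the one x509cert_common derives from the certificate key (`/etc/ssl/public/${name}_client_cas.pem`), so the file only exists if the key in the `certificates` hash equals `$external_name` and that entry carries a `client_ca_certificates` list; nothing in this class expresses that coupling. A comment above the assignment would make it visible: `# Must match the concat built by profiles::x509cert_common for the certificate named ${external_name}; needs a client_ca_certificates entry in hiera.` If the variable is still passed into the Roundcube configuration (its use is outside this hunk), adding `require => Concat[$cacert_cert_bundle]` on that resource would turn a silent name mismatch into a catalog failure instead of a web server pointing at a missing CA bundle. class profiles::roundcube begins outside the hunk.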
@@ -80,25 +82,6 @@ class profiles::roundcube (
target => '/etc/hosts',
}
- $cacert_cert_bundle = '/etc/ssl/certs/cacert.org.pem'
-
- concat { $cacert_cert_bundle:
- ensure => present,
- owner => 'root',
- group => 'root',
- mode => '0644',
- }
- concat::fragment { 'bundle-cacert-class3-ca':
- order => 10,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class3_2021.crt',
- }
- concat::fragment { 'bundle-cacert-class1-ca':
- order => 20,
- target => $cacert_cert_bundle,
- source => 'puppet:///modules/profiles/base/cacert_class1_X0F.crt',
- }
-
file { '/etc/roundcube/config.inc.php':
ensure => file,
owner => 'root',
@@ -192,48 +175,11 @@ class profiles::roundcube (
require => Archive[$twofactor_gauthenticator_archive],
}
- # These certificates should be removed when the switch to x509cert_common
- # has been applied
+ # This directory should be removed after the switch to x509cert_common has
+ # been applied
file { '/etc/apache2/ssl':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
+ ensure => absent,
}
- file { '/etc/apache2/ssl/certs':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0755',
- require => File['/etc/apache2/ssl'],
- }
- file { '/etc/apache2/ssl/private':
- ensure => directory,
- owner => 'root',
- group => 'root',
- mode => '0750',
- require => File['/etc/apache2/ssl'],
- }
-
- $apache_ssl_cert = "/etc/apache2/ssl/certs/${external_name}.crt.pem"
- $apache_ssl_key = "/etc/apache2/ssl/private/${external_name}.key.pem"
-
- #file { $apache_ssl_cert:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0644',
- # content => $server_certificate,
- # require => File['/etc/apache2/ssl/certs'],
- #}
- #file { $apache_ssl_key:
- # ensure => file,
- # owner => 'root',
- # group => 'root',
- # mode => '0640',
- # content => $server_private_key,
- # require => File['/etc/apache2/ssl/private'],
- #}
class { 'apache':
default_vhost => false,
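Review bot: `ensure => absent` on `/etc/apache2/ssl` on the new side does not remove the directory while the `certs` and `private` subdirectories dropped from management in this same hunk still exist on the host, because Puppet only deletes a non-empty directory when `force => true` is set; the old private key under `/etc/apache2/ssl/private` would then remain on disk. Suggest `file { '/etc/apache2/ssl': ensure => absent, force => true, }`. The old bundle `/etc/ssl/certs/cacert.org.pem`, removed from management in the second hunk of this file, is likewise left behind; an `ensure => absent` resource for it would keep the cleanup consistent with the comment introduced here. The enclosing class continues outside the hunk.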
diff --git a/sitemodules/profiles/manifests/x509cert_common.pp b/sitemodules/profiles/manifests/x509cert_common.pp
index bdc1a33..d784b49 100644
--- a/sitemodules/profiles/manifests/x509cert_common.pp
+++ b/sitemodules/profiles/manifests/x509cert_common.pp
@@ -10,10 +10,12 @@
# @param certificates Hash data structure with certificate names as key and
# certificate information as value the individual
# entries are expected to have certificate, private_key
-# and cachain entries with PEM encoded data. Private
-# keys have to be encrypted using eyaml. The cachain
-# entry should contain an array of CA certificate
-# identifiers.
+# and cachain and client_ca_certificates entries with
+# PEM encoded data. Private keys have to be encrypted
+# using eyaml. The cachain entry should contain an array
+# of CA certificate identifiers. The
+# client_ca_certificates entry should contain an array
+# of CA certificate identifiers.
#
# Examples
# --------
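Review bot: The new parameter text lists `client_ca_certificates` alongside certificate, private_key and cachain as an expected entry, but the implementation added later in this commit only builds the bundle when the key is present, so the entry is optional and the docs should say so. Suggest rewording the added sentence to `# The optional client_ca_certificates entry should contain an array of CA certificate identifiers; when present, a bundle /etc/ssl/public/<name>_client_cas.pem is built from them.` Naming the output path in the docs also tells consumers such as profiles::roundcube which file to reference instead of re-deriving it.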
@@ -31,7 +33,7 @@
# Copyright
# ---------
#
-# Copyright 2020 Jan Dittberner
+# Copyright 2020-2021 Jan Dittberner
class profiles::x509cert_common (
Hash[String, Data] $certificates,
) {
@@ -84,5 +86,23 @@ class profiles::x509cert_common (
source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
}
}
+
+ if 'client_ca_certificates' in $cert_info {
+ $client_ca_certificates = "/etc/ssl/public/${name}_client_cas.pem"
+ concat { $client_ca_certificates:
+ ensure => present,
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ }
+ $cert_info['client_ca_certificates'].each |$index, $ca_cert| {
+ $order = 10 + $index
+ concat::fragment { "${name}-client-${ca_cert}":
+ order => $order,
+ target => $client_ca_certificates,
+ source => "puppet:///modules/profiles/base/cacert_${ca_cert}.crt",
+ }
+ }
+ }
}
}
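Review bot: The concat declared for `$client_ca_certificates` appends the CA files as-is, so a source `cacert_${ca_cert}.crt` without a trailing newline would fuse its END line with the next fragment's BEGIN line and the remainder of the bundle would not be parsed as PEM by the web server; `ensure_newline => true,` on the concat resource avoids this. The cachain bundle just above this hunk appears to be built the same way (its declaration starts outside the hunk) and would benefit from the same option. Whether `/etc/ssl/public` is managed is outside this hunk; if it is not, the concat needs a `require => File['/etc/ssl/public']`. The loop over `$certificates` that supplies `$name` and `$cert_info` begins outside the hunk.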