author | Jan Dittberner <jandd@cacert.org> | 2018-04-15 12:29:28 +0200 |
---|---|---|
committer | Jan Dittberner <jandd@cacert.org> | 2018-04-15 12:29:28 +0200 |
commit | 1486b793d25f8ff536b04541226c2c1afbef143c (patch) | |
tree | 9929253ec270fabb2c2ff4a555a73cfc2d7e0829 /sitemodules/profiles/templates/base/update-crls.epp | |
parent | 0895ed3353006b5909e6ec78079b6d1ac0dd59b3 (diff) | |
Only setup CRL cron job if needed
The CRL job is only needed if client certificates have to be verified. This
commit adds parameters to the base profile to take care of conditional
installation of the update-crls job and customizes the job based on a
configurable list of services that need to be reloaded after CRL updates.
Diffstat (limited to 'sitemodules/profiles/templates/base/update-crls.epp')
-rwxr-xr-x | sitemodules/profiles/templates/base/update-crls.epp | 30 |
1 files changed, 30 insertions, 0 deletions
diff --git a/sitemodules/profiles/templates/base/update-crls.epp b/sitemodules/profiles/templates/base/update-crls.epp
new file mode 100755
index 0000000..65bc7e8
--- /dev/null
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -0,0 +1,30 @@
+<% | Array[String] $services | %>
+#!/bin/sh
+
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+  if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+  then
+    openssl crl -inform DER -in "$crl" -out "$crl".pem
+  else
+    echo "Error: Could not validate the CRL at $crl" >&2
+  fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+<% $services.each |$service| { -%>
+service <%= $service %> reload > /dev/null
+<% } %>
+
+exit 0
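Review bot: The signature check in `if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null` does not actually gate the conversion that follows, because on the OpenSSL 1.0/1.1 releases current at the time `openssl crl -CAfile` prints `verify failure` on stderr but still exits 0, and the `2>/dev/null` hides even that message, so a CRL altered on the mirror (fetched over plain rsync daemon protocol, `crl.cacert.org::crl`, which authenticates nothing) would be converted, rehashed and picked up by the reloaded services. Since that check is the only integrity control between the mirror and the trust store, test the verifier's verdict instead of its exit status, e.g. `if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>&1 | grep -qx 'verify OK'`. In the `else` branch consider also removing the stale `"$crl".pem` from an earlier run, so that a CRL that no longer verifies does not stay in service silently. Separately, under `set -e` a failing `service <%= $service %> reload` aborts the script before the remaining services are reloaded, leaving them on old CRLs with no diagnostic; `service <%= $service %> reload > /dev/null || echo "Error: reload of <%= $service %> failed" >&2` keeps the loop going and reports it.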