authorJan Dittberner <jandd@cacert.org>2018-04-15 12:29:28 +0200
committerJan Dittberner <jandd@cacert.org>2018-04-15 12:29:28 +0200
commit1486b793d25f8ff536b04541226c2c1afbef143c (patch)
tree9929253ec270fabb2c2ff4a555a73cfc2d7e0829 /sitemodules/profiles/templates
parent0895ed3353006b5909e6ec78079b6d1ac0dd59b3 (diff)
Only setup CRL cron job if needed
The CRL job is only needed if client certificates have to be verified. This commit adds parameters to the base profile to take care of conditional installation of the update-crls job and customizes the job based on a configurable list of services that need to be reloaded after CRL updates.
Diffstat (limited to 'sitemodules/profiles/templates')
-rw-r--r--sitemodules/profiles/templates/base/apt_sources.list.epp2
-rwxr-xr-xsitemodules/profiles/templates/base/update-crls.epp30
2 files changed, 31 insertions, 1 deletions
diff --git a/sitemodules/profiles/templates/base/apt_sources.list.epp b/sitemodules/profiles/templates/base/apt_sources.list.epp
index ecc8cde..8709862 100644
--- a/sitemodules/profiles/templates/base/apt_sources.list.epp
+++ b/sitemodules/profiles/templates/base/apt_sources.list.epp
@@ -1,4 +1,4 @@
-<%- | String $oscodename = "" |-%>
+<%- | String $oscodename = "" | -%>
# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
# NEXT PUPPET RUN.
deb http://ftp.nl.debian.org/debian <%= $oscodename %> main
diff --git a/sitemodules/profiles/templates/base/update-crls.epp b/sitemodules/profiles/templates/base/update-crls.epp
new file mode 100755
index 0000000..65bc7e8
--- /dev/null
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -0,0 +1,30 @@
+<% | Array[String] $services | %>
+#!/bin/sh
+
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+ if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+ then
+ openssl crl -inform DER -in "$crl" -out "$crl".pem
+ else
+ echo "Error: Could not validate the CRL at $crl" >&2
+ fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+<% $services.each |$service| { -%>
+service <%= $service %> reload > /dev/null
+<% } %>
+
+exit 0
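Review bot: Under `set -e` the generated `service <%= $service %> reload > /dev/null` lines abort the script at the first service whose reload fails, so any services later in the list keep serving the old CRLs; each reload line should tolerate failure and report it, e.g. `service <%= $service %> reload > /dev/null || echo "Error: reload of <%= $service %> failed" >&2`. For the same reason the validation failures echoed in the `for crl` loop are never reflected in the exit status, because the script ends with `exit 0`; tracking a failure flag and exiting non-zero would let cron surface a bad or rolled-back CRL instead of silently continuing with the previous `.pem`. The `for crl in "$CRL_PATH"*.crl` glob under `#!/bin/sh` leaves the literal pattern when no file matches, which then reaches openssl; a `[ -e "$crl" ] || continue` guard avoids the spurious error. Writing the converted CRL directly to `"$crl".pem` can leave a truncated file if the run is interrupted; writing to a temporary file and renaming it into place keeps the hashed directory consistent.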