From 1486b793d25f8ff536b04541226c2c1afbef143c Mon Sep 17 00:00:00 2001
From: Jan Dittberner
Date: Sun, 15 Apr 2018 12:29:28 +0200
Subject: Only setup CRL cron job if needed

The CRL job is only needed if client certificates have to be verified. This commit adds parameters to the base profile to take care of conditional installation of the update-crls job and customizes the job based on a configurable list of services that need to be reloaded after CRL updates.
---
 .../profiles/templates/base/update-crls.epp | 30 ++++++++++++++++++++++
 1 file changed, 30 insertions(+)
 create mode 100755 sitemodules/profiles/templates/base/update-crls.epp

(limited to 'sitemodules/profiles/templates/base/update-crls.epp')

diff --git a/sitemodules/profiles/templates/base/update-crls.epp b/sitemodules/profiles/templates/base/update-crls.epp
new file mode 100755
index 0000000..65bc7e8
--- /dev/null
+++ b/sitemodules/profiles/templates/base/update-crls.epp
@@ -0,0 +1,30 @@
+<% | Array[String] $services | %>
+#!/bin/sh
+
+# THIS FILE IS MANAGED BY PUPPET, MANUAL CHANGES WILL BE OVERWRITTEN AT THE
+# NEXT PUPPET RUN.
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+ if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+ then
+ openssl crl -inform DER -in "$crl" -out "$crl".pem
+ else
+ echo "Error: Could not validate the CRL at $crl" >&2
+ fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+<% $services.each |$service| { -%>
+service <%= $service %> reload > /dev/null
+<% } %>
+
+exit 0
--
cgit v1.2.1
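Review bot: A CRL that fails the `-CAfile` check in the loop is only reported on stderr; the previously converted `$crl.pem` (if any) stays in place, `c_rehash` and the service reloads still run, and the script still reaches `exit 0`, so a rejected or stale CRL is kept without cron or monitoring ever seeing a non-zero status. Tracking the outcome — `rc=0` before the loop, `rc=1` in the `else` branch, and `exit "$rc"` in place of `exit 0` — keeps the CRLs that did verify while making the failure visible. The glob `"$CRL_PATH"*.crl` also expands to the literal pattern when the directory holds no CRLs after the rsync, and under `#!/bin/sh` there is no `nullglob`; a `[ -e "$crl" ] || continue` as the first statement of the loop avoids the spurious error for a non-existent file. Since `rsync -a` preserves symbolic links delivered by the remote module and the script then writes `"$crl".pem` and rehashes whatever arrived, dropping `-l` from the option set (`rsync -rtqz`) or adding `--safe-links` keeps the job from operating on links it did not create.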