Setup hourly cron job to update CRLs
authorJan Dittberner <jandd@cacert.org>
Sun, 15 Apr 2018 09:58:44 +0000 (11:58 +0200)
committerJan Dittberner <jandd@cacert.org>
Sun, 15 Apr 2018 09:58:44 +0000 (11:58 +0200)
sitemodules/profiles/files/base/update-crls [new file with mode: 0755]
sitemodules/profiles/manifests/base.pp

diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/files/base/update-crls
new file mode 100755 (executable)
index 0000000..6c1e8d2
--- /dev/null
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+       if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+       then
+               openssl crl -inform DER -in "$crl" -out "$crl".pem
+       else
+               echo "Error: Could not validate the CRL at $crl" >&2
+       fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+
+service apache2 reload > /dev/null
+
+exit 0
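Review bot: The line `rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"` runs as root from cron.hourly with `-a`, which expands to `-rlptgoD`, so the plain, unauthenticated rsync daemon module can dictate symlinks, ownership, permission bits and device/special files inside a root-owned directory that Apache later serves; the signature check on the `openssl crl ... -CAfile` line only covers CRL contents, not that filesystem metadata. Replacing it with `rsync -rtqz "$RSYNC_LOCATION" "$CRL_PATH"` keeps the modification times rsync needs for its incremental quick-check while dropping links, permissions, ownership and device handling. Separately, a CRL that fails verification leaves any `$crl.pem` written by an earlier run in place and the loop continues, which is a reasonable keep-last-good behaviour but deserves a comment above the `if`, such as `# a CRL that fails verification is skipped; the last successfully converted .pem stays in place`.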
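--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -179,4 +179,24 @@ class profiles::base (
     ensure    => present,
     recipient => $rootalias,
   }
+
+  package { ['ca-certificates', 'ca-cacert']:
+    ensure => installed,
+  }
+
+  file { '/var/local/ssl/crls':
+    ensure => directory,
+    owner  => 'root',
+    group  => 'root',
+    mode   => '0755',
+  }
+
+  file { '/etc/cron.hourly/update-crls':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    source  => 'puppet:///modules/profiles/base/update-crls',
+    require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+  }
 }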
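Review bot: The script installed by `file { '/etc/cron.hourly/update-crls': ... }` calls `rsync` (as well as `openssl` and `c_rehash`), but this hunk only ensures `ca-certificates` and `ca-cacert`, so on a host where rsync is absent the hourly job fails at its first command; unless rsync is already managed elsewhere in profiles::base, add `package { 'rsync': ensure => installed, }` and include `Package['rsync']` in the cron file's `require` list. The `c_rehash` helper ships with the openssl package on Debian-based systems, which ca-certificates depends on, so that dependency is presumably covered but worth confirming on the target platform. The enclosing class profiles::base starts before this hunk.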