From: Jan Dittberner
Date: Sun, 15 Apr 2018 09:58:44 +0000 (+0200)
Subject: Setup hourly cron job to update CRLs
X-Git-Url: https://git.cacert.org/gitweb/?p=cacert-puppet.git;a=commitdiff_plain;h=0506e6e014994cd8dd89732921846b3d24688baa
Setup hourly cron job to update CRLs
---
diff --git a/sitemodules/profiles/files/base/update-crls b/sitemodules/profiles/files/base/update-crls
new file mode 100755
index 0000000..6c1e8d2
--- /dev/null
+++ b/sitemodules/profiles/files/base/update-crls
@@ -0,0 +1,25 @@
+#!/bin/sh
+
+set -e
+
+CRL_PATH='/var/local/ssl/crls/'
+CA_CERT='/etc/ssl/certs/ca-certificates.crt'
+RSYNC_LOCATION='crl.cacert.org::crl'
+
+rsync -aqz "$RSYNC_LOCATION" "$CRL_PATH"
+
+for crl in "$CRL_PATH"*.crl
+do
+ if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>/dev/null
+ then
+ openssl crl -inform DER -in "$crl" -out "$crl".pem
+ else
+ echo "Error: Could not validate the CRL at $crl" >&2
+ fi
+done
+
+c_rehash "$CRL_PATH" 2>/dev/null >&2
+
+service apache2 reload > /dev/null
+
+exit 0
diff --git a/sitemodules/profiles/manifests/base.pp b/sitemodules/profiles/manifests/base.pp
index edead76..48afaac 100644
--- a/sitemodules/profiles/manifests/base.pp
+++ b/sitemodules/profiles/manifests/base.pp
@@ -179,4 +179,24 @@ class profiles::base (
 ensure => present,
 recipient => $rootalias,
 }
+
+ package { ['ca-certificates', 'ca-cacert']:
+ ensure => installed,
+ }
+
+ file { '/var/local/ssl/crls':
+ ensure => directory,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ }
+
+ file { '/etc/cron.hourly/update-crls':
+ ensure => file,
+ owner => 'root',
+ group => 'root',
+ mode => '0755',
+ source => 'puppet:///modules/profiles/base/update-crls',
+ require => [Package['ca-certificates'], Package['ca-cacert'], File['/var/local/ssl/crls']],
+ }
 }
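Review bot: The validation guard in the `for crl` loop trusts only the exit status of `openssl crl -noout ... -CAfile "$CA_CERT" 2>/dev/null`, which may not be enough. Depending on the OpenSSL release, a CRL whose issuer is found but whose signature does not verify may only print `verify failure` on stderr and still exit 0, and the redirect hides that message. The CRLs are fetched over the rsync daemon protocol (`crl.cacert.org::crl`), which gives no transport integrity, so this check is the only integrity control in the script. Confirm the behaviour on the deployed OpenSSL and test the output explicitly, e.g. `if openssl crl -noout -inform DER -in "$crl" -CAfile "$CA_CERT" 2>&1 | grep -q '^verify OK'`. The loop also never looks at the CRL's nextUpdate, so an old but validly signed CRL would still be converted and served; a comment saying where staleness is handled would help.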
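Review bot: The `require` list on `file { '/etc/cron.hourly/update-crls': }` covers the two CA packages and the CRL directory, but the script it installs also calls `rsync`, `openssl`, `c_rehash` and `service apache2 reload`, none of which this hunk ensures are present. Because the resource sits in `profiles::base`, it presumably lands on nodes without Apache, where the reload would fail under `set -e` and the hourly job would exit non-zero. Consider moving the resource into the profile that manages Apache, or at least add a comment such as `# update-crls needs rsync and openssl and reloads apache2; only meaningful on Apache nodes`. The body of `profiles::base` starts outside the hunk, so these packages may already be managed earlier in the class.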