Puppet Class: sslcert::ca_deselect_dstx3

Defined in:
modules/sslcert/manifests/ca_deselect_dstx3.pp

Overview

Envoy's BoringSSL gets confused by the Let's Encrypt cross-signing workaround that chains through the expired DST Root CA X3 root. The easy fix is to deselect that expired certificate in the ca-certificates configuration, so that it is no longer installed into the system trust store.

# File 'modules/sslcert/manifests/ca_deselect_dstx3.pp', line 5

class sslcert::ca_deselect_dstx3 {
    include sslcert

    # A leading "!" in /etc/ca-certificates.conf marks a cert as deselected,
    # so update-ca-certificates leaves it out of /etc/ssl/certs. The match
    # also covers an already-deselected line, which keeps the resource
    # idempotent; append_on_no_match => false means a conf that never listed
    # the cert is left untouched.
    file_line { 'deselect_dst_root_ca_x3':
        path               => '/etc/ca-certificates.conf',
        match              => '^!?mozilla/DST_Root_CA_X3\.crt$',
        line               => '!mozilla/DST_Root_CA_X3.crt',
        append_on_no_match => false,
        # These are in the sslcert init.pp:
        notify             => Exec['update-ca-certificates'],
        require            => Package['ca-certificates'],
    }
}
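As an added example (not part of the sslcert module), a POSIX shell equivalent of the file_line resource above, for checking or reproducing the edit on a host by hand; the function names deselect_dstx3 and dstx3_selected are assumptions of this example.

```shell
# Added example, not the module's own code: a plain-shell equivalent of the
# file_line resource, mirroring its semantics:
#   match              => '^!?mozilla/DST_Root_CA_X3\.crt$'  (an already
#                         deselected line matches too, so re-running is a no-op)
#   line               => '!mozilla/DST_Root_CA_X3.crt'
#   append_on_no_match => false  (a conf that never listed the cert is untouched)
# A "!" prefix in /etc/ca-certificates.conf deselects the cert; the next
# update-ca-certificates run then drops its link from /etc/ssl/certs.

# deselect_dstx3 CONF: edit CONF in place; prints "changed" or "unchanged".
deselect_dstx3() {
    conf="$1"
    # Nothing to do if the entry is absent (append_on_no_match => false)
    # or already carries the "!" prefix (idempotent, like file_line).
    if ! grep -qE '^!?mozilla/DST_Root_CA_X3\.crt$' "$conf" \
       || grep -qxF '!mozilla/DST_Root_CA_X3.crt' "$conf"; then
        echo unchanged
        return 0
    fi
    # Rewrite only the exact selected line; every other line is preserved.
    sed 's|^mozilla/DST_Root_CA_X3\.crt$|!mozilla/DST_Root_CA_X3.crt|' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
    echo changed
}

# dstx3_selected CONF: exit 0 if the expired root is still selected, i.e.
# update-ca-certificates would still install it; exit 1 otherwise.
dstx3_selected() {
    grep -qxF 'mozilla/DST_Root_CA_X3.crt' "$1"
}

# On a real host (as root), followed by the hook the Puppet resource notifies:
#   deselect_dstx3 /etc/ca-certificates.conf && update-ca-certificates
```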