Puppet Class: sslcert::ca_deselect_dstx3

Defined in:
modules/sslcert/manifests/ca_deselect_dstx3.pp

Overview

SPDX-License-Identifier: Apache-2.0 Envoy's BoringSSL gets confused by the Let's Encrypt root cross-signing hack around the expired DST Root CA X3, and the easy fix is to deselect the expired cert from the ca-certificates configuration.



6
7
8
9
10
11
12
13
14
15
16
17
18
# File 'modules/sslcert/manifests/ca_deselect_dstx3.pp', line 6

class sslcert::ca_deselect_dstx3 {
    include sslcert

    file_line { 'deselect_dst_root_ca_x3':
        path               => '/etc/ca-certificates.conf',
        match              => '^!?mozilla/DST_Root_CA_X3\.crt$',
        line               => '!mozilla/DST_Root_CA_X3.crt',
        append_on_no_match => false,
        # These are in the sslcert init.pp:
        notify             => Exec['update-ca-certificates'],
        require            => Package['ca-certificates'],
    }
}