Defined Type: cfssl::ocsp

Defined in:
modules/cfssl/manifests/ocsp.pp

Overview

SPDX-License-Identifier: Apache-2.0. The title should match the title of the corresponding cfssl::signer.

Parameters:

  • ocsprefresh_update (Boolean) (defaults to: false)

    If true, update the OCSP response table; otherwise, only check for updates.

  • common_name (Stdlib::Fqdn) (defaults to: $facts['networking']['fqdn'])
  • listen_addr (Stdlib::IP::Address) (defaults to: '127.0.0.1')
  • listen_port (Stdlib::Port) (defaults to: 8889)
  • log_level (Cfssl::Loglevel) (defaults to: 'info')
  • refresh_interval (Pattern[/\d+h/]) (defaults to: '96h')
  • additional_names (Array[Cfssl::Common_name]) (defaults to: [])
  • responses_file (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • db_conf_file (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • key_content (Optional[Sensitive[String]]) (defaults to: undef)
  • cert_content (Optional[String]) (defaults to: undef)
  • ca_file (Optional[Stdlib::Unixpath]) (defaults to: undef)
  • db_driver (Cfssl::DB_driver) (defaults to: 'mysql')


# File 'modules/cfssl/manifests/ocsp.pp', line 4

# Manages one OCSP responder instance: the responder certificate and key
# (either supplied via key_content/cert_content or issued through cfssl::cert),
# an empty responses file, a cfssl-ocspserve@<title> systemd service and, for
# the mysql driver only, a cfssl-ocsprefresh timer job that regenerates the
# responses file.
define cfssl::ocsp (
    # Subject common name of the responder cert; also part of the cert file name.
    Stdlib::Fqdn                $common_name        = $facts['networking']['fqdn'],
    # listen_addr, listen_port, log_level and refresh_interval are not referenced
    # in this body; presumably read by cfssl-ocspserve.service.erb -- confirm.
    Stdlib::IP::Address         $listen_addr        = '127.0.0.1',
    Stdlib::Port                $listen_port        = 8889,
    Cfssl::Loglevel             $log_level          = 'info',
    Pattern[/\d+h/]             $refresh_interval   = '96h',
    # true: pass --update so the response table is updated; false: only check.
    Boolean                     $ocsprefresh_update = false,
    # Extra SANs requested when the cert is issued via cfssl::cert.
    Array[Cfssl::Common_name]   $additional_names   = [],
    # Optional overrides for paths derived from the cfssl module defaults below.
    Optional[Stdlib::Unixpath]  $responses_file     = undef,
    Optional[Stdlib::Unixpath]  $db_conf_file       = undef,
    # Pre-issued responder credentials; must be given together or not at all.
    Optional[Sensitive[String]] $key_content        = undef,
    Optional[String]            $cert_content       = undef,
    Optional[Stdlib::Unixpath]  $ca_file            = undef,
    # Only 'mysql' gets the refresh timer job.
    Cfssl::DB_driver            $db_driver          = 'mysql',
) {
    include cfssl
    include cfssl::client

    # Title reduced to word characters so it is safe inside systemd unit names
    # and as an unquoted argument of the refresh command built further down.
    $safe_title         = $title.regsubst('\W', '_', 'G')
    $outdir             = "${cfssl::ssl_dir}/ocsp"
    $refresh_timer      = "cfssl-ocsprefresh-${safe_title}"
    $serve_service      = "cfssl-ocspserve@${safe_title}"
    # File stem of the responder cert/key; only word characters and '-' survive.
    $safe_cert_name     = "OCSP ${title} ${common_name}".regsubst('[^\w\-]', '_', 'G')
    $key_path           = "${outdir}/${safe_cert_name}-key.pem"
    $cert_path          = "${outdir}/${safe_cert_name}.pem"

    # Fall back to the module's standard locations when no explicit path is given.
    $_db_conf_file = pick($db_conf_file, "${cfssl::conf_dir}/db.conf")
    $_ca_file           = pick($ca_file, "${cfssl::conf_dir}/ca/ca.pem")
    $_responses_file    = pick($responses_file, "${cfssl::ocsp_dir}/${safe_title}.ocsp")

    # Runtime dependencies of the (python) refresh script. The ensure_* helpers
    # let several cfssl::ocsp instances on one host share these declarations
    # without a duplicate-resource error.
    ensure_packages(['python3-pymysql', 'python3-cryptography'])
    ensure_resource('file', '/usr/local/sbin/cfssl-ocsprefresh', {
                      ensure => file,
                      mode   => '0550',
                      source => 'puppet:///modules/cfssl/cfssl_ocsprefresh.py'})

    # create an empty response file the ocsp_responder can start
    # (no content/source is managed here, so an existing file's content is
    # left untouched by later runs)
    file{ $_responses_file:
        ensure => file,
        owner  => 'root',
        group  => 'root',
    }
    # The refresh job reads the responder cert/key, so they must be in place
    # before it; the job only exists for the mysql driver (declared at the end).
    $before_certs = $db_driver ? {
        'mysql' => Systemd::Timer::Job[$refresh_timer],
        default => [],
    }
    # Either both credentials are supplied (pre-issued) or neither (issue them
    # through cfssl::cert); exactly one of the two is a configuration error.
    if ($key_content and !$cert_content) or ($cert_content and !$key_content) {
        fail('you must provide either both or neither key/cert_content')
    } elsif $key_content and $cert_content {

        file {$cert_path:
            owner   => 'root',
            group   => 'root',
            mode    => '0444',
            content => $cert_content,
            notify  => Service[$serve_service],
            before  => $before_certs,
        }
        file {$key_path:
            owner     => 'root',
            group     => 'root',
            # root-only private key; show_diff => false keeps its content out of
            # reports/diffs (the value is Sensitive as well).
            mode      => '0400',
            show_diff => false,
            content   => $key_content,
            notify    => Service[$serve_service],
            before    => $before_certs,
        }
    } else {
        # Request the responder cert from the signer, authenticating with the
        # client's mutual-TLS cert/key or, when those are unset, the puppet
        # agent's own host cert/key.
        $cert = pick($cfssl::client::mutual_tls_client_cert, $facts['puppet_config']['hostcert'])
        $key = pick($cfssl::client::mutual_tls_client_key, $facts['puppet_config']['hostprivkey'])
        cfssl::cert{$safe_cert_name:
            common_name   => $common_name,
            label         => $safe_title,
            hosts         => $additional_names,
            profile       => 'ocsp',
            outdir        => $outdir,
            signer_config => {'config_file' => $cfssl::client::conf_file},
            tls_cert      => $cert,
            tls_key       => $key,
            notify        => Service[$serve_service],
            before        => $before_certs,
        }
    }
    # Flag appended to the refresh command; empty string when only checking.
    $update = $ocsprefresh_update ? {
        true    => '--update',
        default => '',
    }
    # Heredoc with the L escape flag: a trailing '\' joins the lines, so the
    # command is emitted as a single line. Every interpolated value is either
    # regsubst-sanitised above or typed Stdlib::Unixpath.
    # NOTE(review): Stdlib::Unixpath does not exclude whitespace, so a path
    # containing spaces would be split into several arguments here -- confirm
    # callers never pass such paths, or quote the path arguments.
    $refresh_command = @("CMD"/L)
        /usr/local/sbin/cfssl-ocsprefresh ${update} \
        --responder-cert ${cert_path} --responder-key ${key_path} \
        --ca-file ${_ca_file} --responses-file ${_responses_file} \
        --dbconfig ${_db_conf_file} \
        --restart-service '${serve_service}' ${safe_title} \
        | CMD

    # The responder service itself; cert/key changes above notify it.
    systemd::service{$serve_service:
        ensure  => present,
        content => template('cfssl/cfssl-ocspserve.service.erb'),
        restart => true,
    }
    if $db_driver == 'mysql' {
        # Re-runs one hour after the previous run went inactive. Note the
        # interval here is fixed at 1h; $refresh_interval is not used in this
        # body (see the parameter comment above).
        systemd::timer::job{$refresh_timer:
            ensure      => present,
            description => "OCSP Refresh job - ${title}",
            user        => 'root',
            interval    => {'start' => 'OnUnitInactiveSec', 'interval' => '1h'},
            command     => $refresh_command,
        }
    }
}