# File 'modules/sslcert/manifests/certificate.pp', line 51
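# Installs a certificate under /etc/ssl/localcerts and its private key under
# /etc/ssl/private, taking the material from the puppet master's secret store
# when it is there and falling back to the copy shipped in puppet.git for the
# certificate. Optionally declares the matching sslcert::chainedcert.
#
# @param ensure       present (default) or absent.
# @param group        Group owning the certificate and key files.
# @param chain        When true, also declare sslcert::chainedcert { $title }.
# @param skip_private When true, the private key file is not managed.
# @param use_cergen   Look for the material under certificates/<title>/
#                     (cergen layout) instead of ssl/<title>.*.
define sslcert::certificate(
    $ensure=present,
    $group='ssl-cert',
    $chain=true,
    $skip_private=false,
    $use_cergen=false,
) {
    require sslcert
    require sslcert::dhparam

    $secrets_base = '/etc/puppet/private/modules/secret/secrets'
    $localcert    = "/etc/ssl/localcerts/${title}.crt"
    $private_key  = "/etc/ssl/private/${title}.key"

    # cergen-managed material lives under certificates/<title>/, legacy
    # material directly under ssl/. Both paths are relative to the secret
    # store's root.
    if $use_cergen {
        $private_key_source = "certificates/${title}/${title}.key.private.pem"
        $cert_secret        = "certificates/${title}/${title}.crt.pem"
    } else {
        $private_key_source = "ssl/${title}.key"
        $cert_secret        = "ssl/${title}.crt"
    }

    # Look for a matching certificate on the puppet master first, and
    # fallback to puppet.git if that fails. Exactly one of $cert_content /
    # $cert_source is set so the file resource below is never given both.
    if find_file("${secrets_base}/${cert_secret}") {
        $cert_content = secret($cert_secret)
        $cert_source  = undef
    } else {
        $cert_content = undef
        $cert_source  = "puppet:///modules/profile/ssl/${title}.crt"
    }

    if $ensure != 'absent' {
        file { $localcert:
            ensure       => $ensure,
            owner        => 'root',
            group        => $group,
            mode         => '0444',
            content      => $cert_content,
            source       => $cert_source,
            # make sure we're not accidentally shipping combined
            # certs (private + public)
            validate_cmd => '/bin/sh -c "! grep --quiet \"PRIVATE KEY\" \"%\""',
        }
    } else {
        file { $localcert:
            ensure => $ensure,
        }
    }

    if !$skip_private {
        # Only read the key material when the file is actually being managed,
        # mirroring the certificate handling above: removing the key should
        # not depend on the secret still existing on the master. (secret() is
        # defined outside this file; confirm how it behaves on a missing
        # file.)
        if $ensure != 'absent' {
            $private_key_content = secret($private_key_source)
        } else {
            $private_key_content = undef
        }

        file { $private_key:
            ensure    => $ensure,
            owner     => 'root',
            group     => $group,
            mode      => '0440',
            # Never expose key material in reports or the filebucket;
            # backup => false also matters when the file is removed.
            show_diff => false,
            backup    => false,
            content   => $private_key_content,
        }
    }

    if $chain {
        sslcert::chainedcert { $title:
            ensure       => $ensure,
            group        => $group,
            skip_private => $skip_private,
        }
    }
}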