Defined Type: sslcert::chainedcert

Defined in:
modules/sslcert/manifests/chainedcert.pp

Overview

Parameters:

  • ensure (Wmflib::Ensure) (defaults to: present)
  • group (String) (defaults to: 'ssl-cert')
  • skip_private (Boolean) (defaults to: false)


# File 'modules/sslcert/manifests/chainedcert.pp', line 36

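# @summary Build the chained certificate bundles for an already-deployed
#   certificate (and, optionally, its private key).
#
# Given /etc/ssl/localcerts/${title}.crt, runs /usr/local/sbin/x509-bundle
# (the File[$script] resource is expected from the required sslcert class)
# to produce:
#   - /etc/ssl/localcerts/${title}.chained.crt   leaf + intermediates, root dropped
#   - /etc/ssl/localcerts/${title}.chain.crt     intermediates only (--skip-first)
#   - /etc/ssl/private/${title}.chained.crt.key  leaf + intermediates + private
#                                                key, unless $skip_private
# Each bundle is rebuilt whenever its inputs (certificate, key, script) are
# newer than the existing output.
#
# @param ensure        'present' builds the bundles; 'absent' removes all of
#                      them, including the key-bearing bundle.
# @param group         Group owning the generated files. Public bundles are
#                      0444 root:$group, the key bundle 0440 root:$group.
# @param skip_private  When true, no key-bearing bundle is generated.
define sslcert::chainedcert(
  Wmflib::Ensure $ensure       = present,
  String         $group        = 'ssl-cert',
  Boolean        $skip_private = false,
) {
    require sslcert

    $chainedfile    = "/etc/ssl/localcerts/${title}.chained.crt"
    $chainedkeyfile = "/etc/ssl/private/${title}.chained.crt.key"
    $chainfile      = "/etc/ssl/localcerts/${title}.chain.crt"

    if $ensure == 'present' {
        $inpath = "/etc/ssl/localcerts/${title}.crt"
        $script = '/usr/local/sbin/x509-bundle'
        # Every entry must be absolute: the `[` used by the `unless` tests is
        # resolved through this path, and a relative component would be looked
        # up under $cwd (/etc/ssl/localcerts) ahead of the system directories.
        $path   = '/bin:/usr/bin'
        $cwd    = '/etc/ssl/localcerts'

        # Leaf + intermediates (root omitted). Rebuilt when the input
        # certificate or the bundling script is newer than the output.
        exec { "x509-bundle ${title}-chained":
            path    => $path,
            cwd     => $cwd,
            command => "${script} --skip-root -c ${inpath} -o ${chainedfile}",
            unless  => "[ ${chainedfile} -nt ${inpath} -a ${chainedfile} -nt ${script} ]",
            require => [ File[$inpath], File[$script] ],
        }
        # Intermediates only: --skip-first drops the leaf, --skip-root the root.
        exec { "x509-bundle ${title}-chain":
            path    => $path,
            cwd     => $cwd,
            command => "${script} --skip-root --skip-first -c ${inpath} -o ${chainfile}",
            unless  => "[ ${chainfile} -nt ${inpath} -a ${chainfile} -nt ${script} ]",
            require => [ File[$inpath], File[$script] ],
        }
        if !$skip_private {
            $privatekeyfile = "/etc/ssl/private/${title}.key"
            # Same as the chained bundle but with the private key appended (-p),
            # so the output lives under /etc/ssl/private and is also rebuilt
            # when the key changes.
            # NOTE(review): the 0440 mode below is applied by the File resource
            # only after this exec has written the file; whether x509-bundle
            # itself creates the output restrictively is not visible here —
            # confirm, since the file carries private key material.
            exec { "x509-bundle ${title}-chainedkey":
                path    => $path,
                cwd     => $cwd,
                command => "${script} --skip-root -c ${inpath} -p ${privatekeyfile} -o ${chainedkeyfile}",
                unless  => "[ ${chainedkeyfile} -nt ${inpath} -a ${chainedkeyfile} -nt ${script} -a ${chainedkeyfile} -nt ${privatekeyfile} ]",
                require => [ File[$inpath], File[$privatekeyfile], File[$script] ],
            }
        }

        # Ownership and permissions on the generated files. The public bundles
        # contain only certificates and may be world-readable.
        file { [$chainedfile, $chainfile]:
            ensure  => $ensure,
            mode    => '0444',
            owner   => 'root',
            group   => $group,
            require => Exec["x509-bundle ${title}-chained", "x509-bundle ${title}-chain"],
        }
        if !$skip_private {
            # Key-bearing bundle: group-readable only, never diffed into the
            # agent log and never copied into the filebucket.
            file { $chainedkeyfile:
                ensure    => $ensure,
                mode      => '0440',
                owner     => 'root',
                group     => $group,
                show_diff => false,
                backup    => false,
                require   => Exec["x509-bundle ${title}-chainedkey"],
            }
        }
    } else {
        # Remove every generated artefact. The key bundle is included
        # unconditionally (it may exist from an earlier run with
        # $skip_private false) and is removed without a filebucket backup or a
        # diff, so private key material is not copied elsewhere on deletion.
        file { [$chainedfile, $chainfile]:
            ensure => $ensure,
        }
        file { $chainedkeyfile:
            ensure    => $ensure,
            show_diff => false,
            backup    => false,
        }
    }
}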