# File 'modules/sslcert/manifests/chainedcert.pp', line 36
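# Build the chained certificate bundles for the certificate named ${title}.
#
# Starting from the leaf certificate /etc/ssl/localcerts/${title}.crt
# (File[$inpath], managed elsewhere) and the bundling script
# /usr/local/sbin/x509-bundle (File[$script], managed elsewhere), this
# produces:
#   - /etc/ssl/localcerts/${title}.chained.crt     (--skip-root)
#   - /etc/ssl/localcerts/${title}.chain.crt       (--skip-root --skip-first)
#   - /etc/ssl/private/${title}.chained.crt.key    (--skip-root -p <key>),
#     only when $skip_private is false
# Judging by the flag names, --skip-root omits the root CA and --skip-first
# omits the leaf; the exact bundle contents are defined by x509-bundle
# itself, not here.
#
# @param ensure        'present' builds the bundles and sets their
#                      ownership/mode; anything else removes them.
# @param group         Group owning the generated files.  The key bundle is
#                      readable by root and this group only.
# @param skip_private  When true, no key bundle is built, so no private key
#                      is read or written by this resource.
define sslcert::chainedcert(
    Wmflib::Ensure $ensure       = present,
    String         $group        = 'ssl-cert',
    Boolean        $skip_private = false,
) {
    require sslcert

    $chainedfile    = "/etc/ssl/localcerts/${title}.chained.crt"
    $chainedkeyfile = "/etc/ssl/private/${title}.chained.crt.key"
    $chainfile      = "/etc/ssl/localcerts/${title}.chain.crt"

    if $ensure == 'present' {
        $inpath = "/etc/ssl/localcerts/${title}.crt"
        $script = '/usr/local/sbin/x509-bundle'
        # Absolute search path for the execs.  A relative 'bin' entry would
        # be resolved against cwd (/etc/ssl/localcerts), which is not where
        # the test(1) binary used by the unless conditions lives.
        $exec_path = '/bin:/usr/bin'

        # Each exec is skipped while its output is newer (-nt) than every
        # input it was built from, so a bundle is rebuilt only when the leaf
        # certificate, the bundling script or (for the key bundle) the
        # private key changes.
        exec { "x509-bundle ${title}-chained":
            path    => $exec_path,
            cwd     => '/etc/ssl/localcerts',
            command => "${script} --skip-root -c ${inpath} -o ${chainedfile}",
            unless  => "[ ${chainedfile} -nt ${inpath} -a ${chainedfile} -nt ${script} ]",
            require => [ File[$inpath], File[$script] ],
        }

        exec { "x509-bundle ${title}-chain":
            path    => $exec_path,
            cwd     => '/etc/ssl/localcerts',
            command => "${script} --skip-root --skip-first -c ${inpath} -o ${chainfile}",
            unless  => "[ ${chainfile} -nt ${inpath} -a ${chainfile} -nt ${script} ]",
            require => [ File[$inpath], File[$script] ],
        }

        if !$skip_private {
            $privatekeyfile = "/etc/ssl/private/${title}.key"

            # NOTE(review): the key bundle is written by this exec before the
            # File resource below tightens it to 0440; whether x509-bundle
            # creates its output with a restrictive mode is not visible here.
            exec { "x509-bundle ${title}-chainedkey":
                path    => $exec_path,
                cwd     => '/etc/ssl/localcerts',
                command => "${script} --skip-root -c ${inpath} -p ${privatekeyfile} -o ${chainedkeyfile}",
                unless  => "[ ${chainedkeyfile} -nt ${inpath} -a ${chainedkeyfile} -nt ${script} -a ${chainedkeyfile} -nt ${privatekeyfile} ]",
                require => [ File[$inpath], File[$privatekeyfile], File[$script] ],
            }
        }

        # Public bundles: world-readable, owned by root.
        file { $chainedfile:
            ensure  => $ensure,
            mode    => '0444',
            owner   => 'root',
            group   => $group,
            require => Exec["x509-bundle ${title}-chained"],
        }

        file { $chainfile:
            ensure  => $ensure,
            mode    => '0444',
            owner   => 'root',
            group   => $group,
            require => Exec["x509-bundle ${title}-chain"],
        }

        if !$skip_private {
            # Key bundle contains private key material: group-readable only,
            # never shown in agent diffs and never copied to the filebucket.
            file { $chainedkeyfile:
                ensure    => $ensure,
                mode      => '0440',
                owner     => 'root',
                group     => $group,
                show_diff => false,
                backup    => false,
                require   => Exec["x509-bundle ${title}-chainedkey"],
            }
        }
    } else {
        # Remove the key bundle as well as the public bundles: it holds
        # private key material and must not be left behind when the
        # certificate is retired.  ensure => absent on a file that was never
        # built (skip_private) is a no-op, so it is always safe to list it.
        file { [$chainedfile, $chainfile, $chainedkeyfile]:
            ensure => $ensure,
        }
    }
}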