BBlack has uploaded a new change for review.

  https://gerrit.wikimedia.org/r/197821

Change subject: OCSP support for install_certificate
......................................................................

OCSP support for install_certificate

Change-Id: I055bd05dc102d22acfbdf3a7fed9cc25ff096c12
---
M manifests/certs.pp
M modules/sslcert/files/x509-bundle
M modules/sslcert/manifests/chainedcert.pp
3 files changed, 54 insertions(+), 17 deletions(-)



diff --git a/manifests/certs.pp b/manifests/certs.pp
index 70c074d..72a6398 100644
--- a/manifests/certs.pp
+++ b/manifests/certs.pp
@@ -23,8 +23,15 @@
         }
     }
 
-    sslcert::chainedcert { $name:
-        group => $group,
+    sslcert::chainedcert { "${name}-chained":
+        certname => $name,
+        group    => $group
+    }
+
+    sslcert::chainedcert { "${name}-ocsp":
+        certname => $name,
+        group    => $group,
+        ocsp     => true,
     }
 }
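Review bot: The resource titles change from `$name` to `"${name}-chained"` and `"${name}-ocsp"`, so any existing reference of the form `Sslcert::Chainedcert[$name]` elsewhere in the tree will no longer resolve; this hunk shows no such reference, so it is worth a grep before merge rather than an assumption. A minor style point: the first resource omits the trailing comma after `group    => $group` while the second has one after `ocsp     => true,`; write `group    => $group,` so both follow the same convention. The enclosing install_certificate define starts outside the hunk.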
 
diff --git a/modules/sslcert/files/x509-bundle 
b/modules/sslcert/files/x509-bundle
index c87f8b7..546fb94 100644
--- a/modules/sslcert/files/x509-bundle
+++ b/modules/sslcert/files/x509-bundle
@@ -35,6 +35,9 @@
     parser.add_argument('--skip-root', '-s', dest="skip_root",
                         help="skip the final (root) certificate",
                         action='store_true')
+    parser.add_argument('--skip-self', '-s', dest="skip_self",
+                        help="skip own cert (only include signers)",
+                        action='store_true')
     parser.add_argument('--certificate', '-c', dest="cert",
                         type=file_exists,
                         help="certificate filename",
@@ -91,8 +94,11 @@
 def main():
     args = parse_options()
     certpath = traverse_tree(args.cert, args.cadir)
+
     if args.skip_root:
         certpath.pop()
+    if args.skip_self:
+        certpath.pop(0)
 
     pretty = [ certpath[0] ] + [ os.readlink(f) for f in certpath[1:] ]
     print(" -> ".join(pretty))
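Review bot: After the two pops there is no guard against an empty `certpath`, so a self-signed input run with `--skip-self` (or with both flags) raises IndexError at `certpath[0]` on the pretty-print line instead of giving a usable error; add `if not certpath: raise SystemExit("no certificates left after --skip-root/--skip-self")` before it. The pretty-print line also treats element 0 as the input file and `readlink`s only the rest, so once `--skip-self` removes element 0 the first signer is printed as its symlink name rather than its target; that line presumably should `readlink` every element when `args.skip_self` is set. Whether the bundle written later is affected cannot be judged here, since main continues past the hunk.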
diff --git a/modules/sslcert/manifests/chainedcert.pp 
b/modules/sslcert/manifests/chainedcert.pp
index 793b2d4..21d1ec4 100644
--- a/modules/sslcert/manifests/chainedcert.pp
+++ b/modules/sslcert/manifests/chainedcert.pp
@@ -3,19 +3,32 @@
 # Creates a X.509 certificate chain based on an existing certificate on the
 # system. Implicitly depends on sslcert::certificate.
 #
-# The chained certificate is written to /etc/ssl/localcerts as
-# ${title}.chained.crt. The chain is constructed automatically, up to a
-# self-signed CA as found in the /etc/ssl/certs system directory. If multiple
-# paths to a CA exist -as is the case with cross-signed authorities- the
-# shortest path is picked. The top-most certificate (root CA) is NOT included,
-# to minimize the size's chain for performance reasons, with no loss of
-# usability.
+# If generating a default chain cert, the chained certificate is written to
+# /etc/ssl/localcerts as ${certname}.chained.crt. The chain is constructed
+# automatically, up to a self-signed CA as found in the /etc/ssl/certs system
+# directory. If multiple paths to a CA exist -as is the case with cross-signed
+# authorities- the shortest path is picked. The top-most certificate (root CA)
+# is NOT included, to minimize the size's chain for performance reasons, with
+# no loss of usability.
+#
+# If generating an OCSP chain cert, the OCSP cert file is written to
+# /etc/ssl/localcerts as ${certname}.ocsp.crt.  While the chained file
+# contains the input cert and all signers except the root, the OCSP cert does
+# *not* contain the input cert, but does include the root.
 #
 # === Parameters
+#
+# [*certname*]
+#   Name of the related sslcert::cerfificate resource,
+#   e.g. "pinkunicorn.wikimedia.org".
 #
 # [*ensure*]
 #   If 'present', the certificate chain will be installed; if 'absent', it
 #   will be removed. The default is 'present'.
+#
+# [*ocsp*]
+#   Boolean, default false.  If true, will generate an OCSP cert file rather
+#   than a regular chained cert.
 #
 # === Examples
 #
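Review bot: The parameter doc under `[*certname*]` misspells the resource it refers to; it should read `#   Name of the related sslcert::certificate resource,`. The phrase `to minimize the size's chain`, carried over from the old text, reads better as `to minimize the chain's size`. Since `certname` becomes a mandatory parameter in this change, the `=== Examples` block that follows (outside the hunk) presumably still shows the old single-title form and should gain a `certname =>` line. The OCSP paragraph describes the file's contents (signers plus root, minus the leaf) but not which consumer expects that shape, and one sentence naming the intended use would help readers of the define.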
@@ -25,31 +38,42 @@
 #
 
 define sslcert::chainedcert(
+  $certname,
   $ensure=present,
   $group='ssl-cert',
+  $ocsp=false,
 ) {
     require sslcert
 
     validate_ensure($ensure)
 
+    if $ocsp {
+        $ctype = 'ocsp'
+        $arg  = '--skip-self'
+    }
+    else {
+        $ctype = 'chained'
+        $arg  = '--skip-root'
+    }
+
     if $ensure == 'present' {
-        exec { "x509-bundle ${title}":
-            creates => "/etc/ssl/localcerts/${title}.chained.crt",
-            command => "/usr/local/sbin/x509-bundle --skip-root -c 
${title}.crt -o ${title}.chained.crt",
+        exec { "x509-bundle ${certname}-${ctype}":
+            creates => "/etc/ssl/localcerts/${certname}.${ctype}.crt",
+            command => "/usr/local/sbin/x509-bundle ${arg} -c ${certname}.crt 
-o ${certname}.${ctype}.crt",
             cwd     => '/etc/ssl/localcerts',
-            require => Sslcert::Certificate[$title],
+            require => Sslcert::Certificate[$certname],
         }
 
-        # set owner/group/permissions on the chained file
-        file { "/etc/ssl/localcerts/${title}.chained.crt":
+        # set owner/group/permissions on the file
+        file { "/etc/ssl/localcerts/${certname}.${ctype}.crt":
             ensure  => $ensure,
             mode    => '0444',
             owner   => 'root',
             group   => $group,
-            require => Exec["x509-bundle ${title}"],
+            require => Exec["x509-bundle ${certname}-${ctype}"],
         }
     } else {
-        file { "/etc/ssl/localcerts/${title}.chained.crt":
+        file { "/etc/ssl/localcerts/${certname}.${ctype}.crt":
             ensure => $ensure,
         }
     }
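Review bot: `if $ocsp` at the top of the body is a plain truthiness test, and in Puppet a non-empty string such as `'false'` is true, so a caller passing a quoted boolean would silently get the OCSP variant; pair the new parameter with the existing `validate_ensure($ensure)` by adding `validate_bool($ocsp)` right after it. Note also that the `creates` guard (pre-existing, kept here) means the bundle is never rebuilt after `${certname}.crt` is replaced on disk, which now applies to the OCSP file as well; a comment on the exec would save the next operator some confusion, e.g. `# creates-guard: not regenerated when the cert is renewed; delete the file to force a rebuild`. The define's closing brace is outside the hunk.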


Gerrit-MessageType: newchange
Gerrit-Change-Id: I055bd05dc102d22acfbdf3a7fed9cc25ff096c12
Gerrit-PatchSet: 1
Gerrit-Project: operations/puppet
Gerrit-Branch: production
Gerrit-Owner: BBlack <[email protected]>
