Revision de946a47
Added by Ewoud Kohl van Wijngaarden about 3 years ago
| manifests/candlepin.pp | ||
|---|---|---|
|
$group = 'tomcat',
|
||
|
$client_keypair_group = 'tomcat',
|
||
|
) inherits certs {
|
||
|
|
||
|
Exec {
|
||
|
logoutput => 'on_failure',
|
||
|
path => ['/bin/', '/usr/bin'],
|
||
|
}
|
||
|
|
||
|
$java_client_cert_name = 'java-client'
|
||
|
$artemis_alias = 'artemis-client'
|
||
|
$artemis_client_dn = "CN=${hostname}, OU=${org_unit}, O=candlepin, ST=${state}, C=${country}"
|
||
| ... | ... | |
|
mode => '0440',
|
||
|
} ~>
|
||
|
exec { 'candlepin-generate-ssl-keystore':
|
||
|
command => "openssl pkcs12 -export -in ${tomcat_cert} -inkey ${tomcat_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_path}\"",
|
||
|
unless => "keytool -list -keystore ${keystore} -storepass:file ${keystore_password_path} -alias tomcat | grep $(openssl x509 -noout -fingerprint -in ${tomcat_cert} | cut -d '=' -f 2)",
|
||
|
command => "openssl pkcs12 -export -in ${tomcat_cert} -inkey ${tomcat_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${keystore_password_path}\"",
|
||
|
unless => "keytool -list -keystore ${keystore} -storepass:file ${keystore_password_path} -alias tomcat | grep $(openssl x509 -noout -fingerprint -in ${tomcat_cert} | cut -d '=' -f 2)",
|
||
|
logoutput => 'on_failure',
|
||
|
path => ['/bin/', '/usr/bin'],
|
||
|
} ~>
|
||
|
file { $keystore:
|
||
|
ensure => file,
|
||
| ... | ... | |
|
key_owner => $user,
|
||
|
key_group => $client_keypair_group,
|
||
|
key_mode => '0440',
|
||
|
} ~>
|
||
|
}
|
||
|
|
||
|
file { $truststore_password_path:
|
||
|
ensure => file,
|
||
|
content => $truststore_password,
|
||
|
owner => 'root',
|
||
|
group => $group,
|
||
|
mode => '0440',
|
||
|
} ~>
|
||
|
exec { 'Create Candlepin truststore with CA':
|
||
|
command => "keytool -import -v -keystore ${truststore} -alias ${alias} -file ${ca_cert} -noprompt -storetype pkcs12 -storepass:file ${truststore_password_path}",
|
||
|
unless => "keytool -list -keystore ${truststore} -alias ${alias} -storepass:file ${truststore_password_path}",
|
||
|
} ~>
|
||
|
}
|
||
|
|
||
|
truststore_certificate { "${truststore}:${alias}":
|
||
|
ensure => present,
|
||
|
password_file => $truststore_password_path,
|
||
|
certificate => $ca_cert,
|
||
|
}
|
||
|
|
||
|
truststore_certificate { "${truststore}:${artemis_alias}":
|
||
|
ensure => present,
|
||
|
password_file => $truststore_password_path,
|
||
|
certificate => $client_cert,
|
||
|
}
|
||
|
|
||
|
file { $truststore:
|
||
|
ensure => file,
|
||
|
owner => 'root',
|
||
|
group => $group,
|
||
|
mode => '0640',
|
||
|
} ~>
|
||
|
exec { 'import client certificate into Candlepin truststore':
|
||
|
command => "keytool -import -v -keystore ${truststore} -alias ${artemis_alias} -file ${client_cert} -noprompt -storepass:file ${truststore_password_path}",
|
||
|
unless => "keytool -list -keystore ${truststore} -alias ${artemis_alias} -storepass:file ${truststore_password_path}",
|
||
|
}
|
||
|
}
|
||
|
}
|
||
Also available in: Unified diff
Fixes #31574: Ensure truststore certificates get updated when they change