On Sun, 2014-12-21 at 18:45 +0800, Paul Wise wrote: > We would like to fix that by doing this: I've finished off the patch to dsa-puppet I was preparing for this, comments welcome, especially on the multi-line requires bit. -- bye, pabs https://wiki.debian.org/PaulWise
From 88300bc7390aaf061a1d970b8172e380bf146efd Mon Sep 17 00:00:00 2001
From: Paul Wise <pabs@debian.org>
Date: Tue, 30 Dec 2014 13:12:04 +0800
Subject: [PATCH] Enforce SSL configuration using puppet, add dirs for debian
and global CAs
---
modules/buildd/manifests/init.pp | 2 +-
modules/ssl/files/update-ca-certificates-dsa | 210 +++++++++++++++++++++++++++
modules/ssl/manifests/init.pp | 64 ++++++++
3 files changed, 275 insertions(+), 1 deletion(-)
create mode 100755 modules/ssl/files/update-ca-certificates-dsa
diff --git a/modules/buildd/manifests/init.pp b/modules/buildd/manifests/init.pp
index c4087d2..3c64de2 100644
--- a/modules/buildd/manifests/init.pp
+++ b/modules/buildd/manifests/init.pp
@@ -53,7 +53,7 @@ class buildd ($ensure=present) {
if ($::lsbmajdistrelease >= 8) {
file { '/etc/apt/apt.conf.d/puppet-https-buildd':
- content => "Acquire::https::buildd.debian.org::CaInfo \"/usr/share/ca-certificates/mozilla/AddTrust_External_Root.crt\";\n",
+ content => "Acquire::https::buildd.debian.org::CaInfo \"/etc/ssl/ca-debian/ca-certificates.crt\";\n",
}
} else {
file { '/etc/apt/apt.conf.d/puppet-https-buildd':
diff --git a/modules/ssl/files/update-ca-certificates-dsa b/modules/ssl/files/update-ca-certificates-dsa
new file mode 100755
index 0000000..b6a511a
--- /dev/null
+++ b/modules/ssl/files/update-ca-certificates-dsa
@@ -0,0 +1,210 @@
+#!/bin/sh -e
+# This is a copy of update-ca-certificates from the ca-certificates package in jessie
+# with patches applied to allow custom paths and to allow setting to default certs:
+# https://bugs.debian.org/774059
+# https://bugs.debian.org/774201
+#
+# update-ca-certificates
+#
+# Copyright (c) 2003 Fumitoshi UKAI <ukai@debian.or.jp>
+# Copyright (c) 2009 Philipp Kern <pkern@debian.org>
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02111-1301,
+# USA.
+#
+
+verbose=0
+fresh=0
+default=0
+CERTSCONF=/etc/ca-certificates.conf
+CERTSDIR=/usr/share/ca-certificates
+LOCALCERTSDIR=/usr/local/share/ca-certificates
+CERTBUNDLE=ca-certificates.crt
+ETCCERTSDIR=/etc/ssl/certs
+HOOKSDIR=/etc/ca-certificates/update.d
+
+while [ $# -gt 0 ];
+do
+ case $1 in
+ --verbose|-v)
+ verbose=1;;
+ --fresh|-f)
+ fresh=1;;
+ --default|-d)
+ default=1;;
+ fresh=1;;
+ --certsconf)
+ shift
+ CERTSCONF="$1";;
+ --certsdir)
+ shift
+ CERTSDIR="$1";;
+ --localcertsdir)
+ shift
+ LOCALCERTSDIR="$1";;
+ --certbundle)
+ shift
+ CERTBUNDLE="$1";;
+ --etccertsdir)
+ shift
+ ETCCERTSDIR="$1";;
+ --hooksdir)
+ shift
+ HOOKSDIR="$1";;
+ --help|-h|*)
+ echo "$0: [--verbose] [--fresh]"
+ exit;;
+ esac
+ shift
+done
+
+if [ ! -s "$CERTSCONF" ]
+then
+ fresh=1
+fi
+
+cleanup() {
+ rm -f "$TEMPBUNDLE"
+ rm -f "$ADDED"
+ rm -f "$REMOVED"
+}
+trap cleanup 0
+
+# Helper files. (Some of them are not simple arrays because we spawn
+# subshells later on.)
+TEMPBUNDLE="$(mktemp -t "${CERTBUNDLE}.tmp.XXXXXX")"
+ADDED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+REMOVED="$(mktemp -t "ca-certificates.tmp.XXXXXX")"
+
+# Adds a certificate to the list of trusted ones. This includes a symlink
+# in /etc/ssl/certs to the certificate file and its inclusion into the
+# bundle.
+add() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt | sed -e 's/ /_/g' \
+ -e 's/[()]/=/g' \
+ -e 's/,/_/g').pem"
+ if ! test -e "$PEM" || [ "$(readlink "$PEM")" != "$CERT" ]
+ then
+ ln -sf "$CERT" "$PEM"
+ echo +$PEM >> "$ADDED"
+ fi
+ # Add trailing newline to certificate, if it is missing (#635570)
+ sed -e '$a\' "$CERT" >> "$TEMPBUNDLE"
+}
+
+remove() {
+ CERT="$1"
+ PEM="$ETCCERTSDIR/$(basename "$CERT" .crt).pem"
+ if test -L "$PEM"
+ then
+ rm -f "$PEM"
+ echo -$PEM >> "$REMOVED"
+ fi
+}
+
+cd $ETCCERTSDIR
+if [ "$fresh" = 1 ]; then
+ echo -n "Clearing symlinks in $ETCCERTSDIR..."
+ find . -type l -print | while read symlink
+ do
+ case $(readlink $symlink) in
+ $CERTSDIR*) rm -f $symlink;;
+ esac
+ done
+ find . -type l -print | while read symlink
+ do
+ test -f $symlink || rm -f $symlink
+ done
+ echo "done."
+fi
+
+echo -n "Updating certificates in $ETCCERTSDIR... "
+
+# Add default certificate authorities if requested
+if [ "$default" = 1; then
+ find -L "$CERTSDIR" -type f -name '*.crt' | sort | while read crt
+ do
+ add "$crt"
+ done
+fi
+
+# Handle certificates that should be removed. This is an explicit act
+# by prefixing lines in the configuration files with exclamation marks (!).
+sed -n -e '/^$/d' -e 's/^!//p' $CERTSCONF | while read crt
+do
+ remove "$CERTSDIR/$crt"
+done
+
+sed -e '/^$/d' -e '/^#/d' -e '/^!/d' $CERTSCONF | while read crt
+do
+ if ! test -f "$CERTSDIR/$crt"
+ then
+ echo "W: $CERTSDIR/$crt not found, but listed in $CERTSCONF." >&2
+ continue
+ fi
+ add "$CERTSDIR/$crt"
+done
+
+# Now process certificate authorities installed by the local system
+# administrator.
+if [ -d "$LOCALCERTSDIR" ]
+then
+ find -L "$LOCALCERTSDIR" -type f -name '*.crt' | sort | while read crt
+ do
+ add "$crt"
+ done
+fi
+
+rm -f "$CERTBUNDLE"
+
+ADDED_CNT=$(wc -l < "$ADDED")
+REMOVED_CNT=$(wc -l < "$REMOVED")
+
+if [ "$ADDED_CNT" -gt 0 ] || [ "$REMOVED_CNT" -gt 0 ]
+then
+ # only run if set of files has changed
+ if [ "$verbose" = 0 ]
+ then
+ c_rehash . > /dev/null
+ else
+ c_rehash .
+ fi
+fi
+
+chmod 0644 "$TEMPBUNDLE"
+mv -f "$TEMPBUNDLE" "$CERTBUNDLE"
+# Restore proper SELinux label after moving the file
+[ -x /sbin/restorecon ] && /sbin/restorecon "$CERTBUNDLE" >/dev/null 2>&1
+
+echo "$ADDED_CNT added, $REMOVED_CNT removed; done."
+
+if [ -d "$HOOKSDIR" ]
+then
+
+echo -n "Running hooks in $HOOKSDIR...."
+VERBOSE_ARG=
+[ "$verbose" = 0 ] || VERBOSE_ARG=--verbose
+eval run-parts $VERBOSE_ARG --test -- $HOOKSDIR | while read hook
+do
+ ( cat $ADDED
+ cat $REMOVED ) | $hook || echo E: $hook exited with code $?.
+done
+echo "done."
+
+fi
+
+# vim:set et sw=2:
+
diff --git a/modules/ssl/manifests/init.pp b/modules/ssl/manifests/init.pp
index 2d4a140..88a726a 100644
--- a/modules/ssl/manifests/init.pp
+++ b/modules/ssl/manifests/init.pp
@@ -11,6 +11,37 @@ class ssl {
ensure => installed,
}
+ file { '/etc/ca-certificates.conf':
+ ensure => link,
+ force => true,
+ target => '/dev/null',
+ notify => Exec['refresh_normal_hashes'],
+ }
+ file { '/etc/ca-certificates-debian.conf':
+ mode => 444,
+ content => 'mozilla/AddTrust_External_Root.crt',
+ notify => Exec['refresh_ca_debian_hashes'],
+ }
+ file { '/etc/ca-certificates-global.conf':
+ ensure => link,
+ force => true,
+ target => '/dev/null',
+ notify => Exec['refresh_ca_global_hashes'],
+ }
+
+ file { '/etc/apt/apt.conf.d/99dsa-ssl-ca-global':
+ mode => 444,
+ content => 'DPkg::Post-Invoke {"/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null"; }',
+ }
+
+ file { '/etc/ssl/certs/ssl-cert-snakeoil.pem':
+ ensure => absent,
+ notify => Exec['refresh_normal_hashes'],
+ }
+ file { '/etc/ssl/private/ssl-cert-snakeoil.key':
+ ensure => absent,
+ }
+
file { '/etc/ssl/servicecerts':
ensure => link,
purge => true,
@@ -28,6 +59,14 @@ class ssl {
force => true,
notify => Exec['refresh_normal_hashes'],
}
+ file { '/etc/ssl/ca-debian':
+ ensure => directory,
+ mode => '0755',
+ }
+ file { '/etc/ssl/ca-global':
+ ensure => directory,
+ mode => '0755',
+ }
file { '/etc/ssl/debian':
ensure => directory,
source => 'puppet:///files/empty/',
@@ -78,6 +117,11 @@ class ssl {
require => Package['ssl-cert'],
}
+ file { '/usr/local/sbin/update-ca-certificates-dsa':
+ mode => '0555',
+ source => 'puppet:///modules/ssl/update-ca-certificates-dsa',
+ }
+
exec { 'retire_debian_links':
command => 'find -lname "../servicecerts/*" -exec rm {} +',
cwd => '/etc/ssl/certs',
@@ -89,6 +133,26 @@ class ssl {
refreshonly => true,
require => Package['openssl'],
}
+ exec { 'refresh_ca_debian_hashes':
+ command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --certsconf /etc/ca-certificates-debian.conf --localcertsdir /dev/null --etccertsdir /etc/ssl/ca-debian --hooksdir /dev/null',
+ refreshonly => true,
+ require => [
+ Package['ca-certificates'],
+ File['/etc/ssl/ca-debian'],
+ File['/etc/ca-certificates-debian.conf'],
+ File['/usr/local/sbin/update-ca-certificates-dsa'],
+ ]
+ }
+ exec { 'refresh_ca_global_hashes':
+ command => '/usr/local/sbin/update-ca-certificates-dsa --fresh --default --certsconf /etc/ca-certificates-global.conf --etccertsdir /etc/ssl/ca-global --hooksdir /dev/null',
+ refreshonly => true,
+ require => [
+ Package['ca-certificates'],
+ File['/etc/ssl/ca-world'],
+ File['/etc/ca-certificates-world.conf'],
+ File['/usr/local/sbin/update-ca-certificates-dsa'],
+ ]
+ }
exec { 'refresh_normal_hashes':
# NOTE 1: always use update-ca-certificates to manage hashes in
# /etc/ssl/certs otherwise /etc/ssl/ca-certificates.crt will
--
2.1.4
Attachment:
signature.asc
Description: This is a digitally signed message part