path: root/manifests/certmonger/ca
Age | Commit message | Author | Files | Lines
2017-08-25 | Add /bin to PATH for CRL cronjob | Juan Antonio Osorio Robles | 1 | -1/+1
Checking the root's mail (/var/mail/root) I finally saw the root cause of the CRL cronjob not working.
    /bin/sh: curl: command not found
Now, curl, (and most commands used by that cronjob) is in the /bin bash, so we need to add it to the environment's PATH for the cronjob.
Change-Id: If10855b801782eeaf2006cd57071d74d13daf8c2
Closes-Bug: #1712404
(cherry picked from commit 139ac85028947f476a085e89bd54f3dfacd886cf)
2017-08-22 | Add -s (silent) to curl command for CRL refresh | Juan Antonio Osorio Robles | 1 | -1/+1
Without it, it doesn't reload the services it should.
Change-Id: I43e6188700deb585f905ca700e69b6875f0ded45
Closes-Bug: #1712404
2017-07-15 | Update resource references for dependencies | Emilien Macchi | 1 | -1/+1
The latest version of puppet now reports these as catalog failures so this change removes the unnecessary references and the references should be updated.
Closes-Bug: #1702964
Change-Id: Iebc547aa92f9f40e4a633c57d79e6c9cddb5dd28
2017-06-26 | Change CRL refresh to run every 2 hours | Juan Antonio Osorio Robles | 1 | -3/+3
The default CA issues CRLs for 4 hours by default. So we need to change these values to reflect this, else we'll get verification issues due to the CRL having expired before it's refreshed. However, the nextupdate value for the CRLs might not be aligned with the cron job. And getting this alignment is not entirely trivial. So I opted for updating every 2 hours to address this.
Change-Id: I732b400462c5cabd7c6c18c007fc9e8c87b700d3
2017-06-08 | Add resource to fetch CRL | Juan Antonio Osorio Robles | 1 | -0/+149
This will fetch the CRL file from the specified file or URL. Furthermore, it will set up a cron job to refresh the CRL file once a week and notify the needed services.
bp tls-via-certmonger
Change-Id: I38e163e8ebb80ea5f79cfb8df44a71fdcd284e04
2017-04-07 | TLS-everywhere: Add resources for libvirt's cert for live migration | Juan Antonio Osorio Robles | 1 | -0/+42
This merely requests the certificates that will be used for libvirt's live migration if TLS-everywhere is enabled.
bp tls-via-certmonger
Change-Id: If18206d89460f6660a81aabc4ff8b97f1f99bba7
2016-09-20 | certmonger: improve orchestration for puppet4 | Emilien Macchi | 1 | -4/+6
The extract-and-trust-ca actually needs the /var/lib/certmonger/local/creds file to be created, which is created when certmonger is started, not when the package is installed. This patch changes the exec dependency to run it only when the service is started. Also, since the service creates the file, let's relax the Exec a little bit by allowing it to retry 5 times after a 1s break in case the Exec fails, for example if the service takes more than 5 seconds to create this file. It will avoid us some race condition in the deployment.
Change-Id: I4cf4a04bddb8f042e8e8f7e1d1b69f846c533e3b
2016-07-21 | Add class to use certmonger's local CA | Juan Antonio Osorio Robles | 1 | -0/+37
This class extracts the certificate and adds it to the trusted certs.
bp tls-via-certmonger
Change-Id: I6dc1e0469cd7dbbb51659c8f29975d25b2941ec3