Add CA cert to keystore as a trustedcert

theforeman · Feb 28, 2019 · fa2d4e9 · fa2d4e9
1 parent 7d07cac
commit fa2d4e9
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 5 deletions.
diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -110,6 +110,12 @@
       command => "openssl pkcs12 -export -in ${tomcat_cert} -inkey ${tomcat_key} -out ${keystore} -name tomcat -CAfile ${ca_cert} -caname root -password \"file:${password_file}\" -passin \"file:${ca_key_password_file}\" ",
       creates => $keystore,
     } ~>
+    file { $keystore:
+      ensure => file,
+      owner  => 'tomcat',
+      group  => $group,
+      mode   => '0640',
+    } ~>
     certs::keypair { 'candlepin':
       key_pair  => Cert[$java_client_cert_name],
       key_file  => $client_key,
@@ -122,8 +128,12 @@
       mode   => '0750',
     } ~>
     exec { 'import CA into Candlepin truststore':
-      command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -noprompt",
-      creates => $amqp_truststore,
+      command => "keytool -import -trustcacerts -v -keystore ${keystore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -noprompt",
+      unless  => "keytool -list -keystore ${keystore} -storepass ${keystore_password} -alias ${alias}",
+    } ~>
+    exec { 'import CA into Candlepin AMQP truststore':
+      command => "keytool -import -v -keystore ${amqp_truststore} -storepass ${keystore_password} -alias ${alias} -file ${ca_cert} -trustcacerts -noprompt",
+      unless  => "keytool -list -keystore ${amqp_keystore} -storepass ${keystore_password} -alias ${alias}",
     } ~>
     exec { 'import client certificate into Candlepin keystore':
       # Stupid keytool doesn't allow you to import a keypair.  You can only import a cert.  Hence, we have to

diff --git a/spec/acceptance/candlepin_spec.rb b/spec/acceptance/candlepin_spec.rb
@@ -79,8 +79,8 @@
 
     describe file('/etc/candlepin/certs/keystore') do
       it { should be_file }
-      it { should be_mode 644 }
-      it { should be_owned_by 'root' }
+      it { should be_mode 640 }
+      it { should be_owned_by 'tomcat' }
       it { should be_grouped_into 'root' }
     end
 
@@ -101,8 +101,9 @@
     describe command("keytool -list -keystore /etc/candlepin/certs/keystore -storepass $(cat #{keystore_password_file})") do
       its(:exit_status) { should eq 0 }
       its(:stdout) { should match(/^Keystore type: JKS$/i) }
-      its(:stdout) { should match(/^Your keystore contains 1 entry$/) }
+      its(:stdout) { should match(/^Your keystore contains 2 entries$/) }
       its(:stdout) { should match(/^tomcat, .+, PrivateKeyEntry, $/) }
+      its(:stdout) { should match(/^candlepin-ca, .+, trustedCertEntry, $/) }
     end
 
     describe command("keytool -list -keystore /etc/candlepin/certs/amqp/candlepin.truststore -storepass $(cat #{keystore_password_file})") do