update-ca-trust overwrites /etc/pki/java/cacerts

[ktreese]

For Red Hat 7 installations, it appears that the invocation of update-ca-trust overwrites /etc/pki/java/cacerts, which occurs during the Exec[enable_ca_trust]

Debug: Exec[enable_ca_trust](provider=posix): Executing check 'update-ca-trust check | grep DISABLED'
Debug: Executing: 'update-ca-trust check | grep DISABLED'

To illustrate this from the command line:

~ # keytool -importcert -noprompt -alias java -file /opt/conf/test.pem -keystore /etc/pki/java/cacerts -trustcacerts
Enter keystore password:  
Certificate was added to keystore
~ # keytool -list -keystore /etc/pki/java/cacerts -alias java
Enter keystore password:  
java, May 24, 2017, trustedCertEntry, 
Certificate fingerprint (SHA1): B2:6A:3C:22:CC:49:4B:EF:2F:27:51:74:0F:F9:4F:B6:E1:4F:3G:E3
~ # update-ca-trust check | grep DISABLED
~ # keytool -list -keystore /etc/pki/java/cacerts -alias java
Enter keystore password:  
keytool error: java.lang.Exception: Alias <java> does not exist

This plays havoc while attempting to use https://github.com/puppetlabs/puppetlabs-java_ks:

    java_ks { 'java:cacerts':
      ensure       => latest,
      certificate  => '/opt/conf/test.pem',
      target       => '/etc/pki/java/cacerts',
      password     => 'changeit',
      trustcacerts => true,
      require      => File['/opt/conf/test.pem'],
    }

I understand Red Hat 7 is not inclusive of the supported platforms, but thought some awareness should be raised on this one. Thank you!

[h0tw1r3]

@ktreese This is not specific to RHEL 7. update-ca-trust is a intended to completely manage all ca stores (java included). Essentially this module does everything java_ks does. Mixing the two will never work.

[ktreese]

Thank you @h0tw1r3. Perhaps I'm missing it, but how would one go about including a cert within a specific java keystore, and pass in the password?

[alexjfisher]

@ktreese See #38 for why enable_ca_trust is updating your certs.

[ktreese]

@alexjfisher Thanks!