Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support distrusting ca's on Debian; Changed ca_cert::ca parameter names and meaning #107

Merged
merged 3 commits into from
Jun 5, 2024
Merged

Support distrusting ca's on Debian; Changed ca_cert::ca parameter names and meaning #107

merged 3 commits into from
Jun 5, 2024

Conversation

h-haaks
Copy link
Contributor

@h-haaks h-haaks commented Jun 5, 2024
edited
Loading

Pull Request (PR) description

Rework of ca_cert::ca to support trusting and distrusting ca's provided by the ca-certificates package on Debian.
Also makes it possible to move from distrusted to trusted again on other distros ( ensure absent from distrusted_cert_dir)

To support this I have redefined the meaning of ca_cert::ca::ensure a bit

  • present/absent is now used to manage certificates in trusted_cert_dir
  • trusted/distrusted is now used to manage certificates in distrusted_cert_dir og Debian's ca_certificates_conf

ca_cert::ca::ca_textis renamed to ca_cert::ca::contentand used directly as file::content
ca_cert::ca::source is now used directly as archive::source

ca_cert::ca::verify_https_cert parameter is renamed to ca_cert::ca::allow_insecure_source to better align with archive::allow_insecure

This Pull Request (PR) fixes the following issues

Fixes #96

h-haaks
h-haaks commented Jun 5, 2024
View reviewed changes
spec/acceptance/ca_cert_ca_spec.rb
@@ -2,31 +2,32 @@

case host_inventory['facter']['os']['family']
when 'Debian'
trusted_ca_file_remote = '/usr/local/share/ca-certificates/Globalsign_Org_Intermediate.crt'
absent_ca_file_remote = '/etc/pki/ca-trust/source/blacklist/CACert.crt'
trusted_ca_file_remote = '/usr/local/share/ca-certificates/DigiCert_G5_TLS_ECC_SHA384_2021_CA1.crt'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I switch from Globalsign to Digicert certificate here because globalsign certificates are only available for download i DER format.

h-haaks
h-haaks commented Jun 5, 2024
View reviewed changes
spec/acceptance/ca_cert_ca_spec.rb Outdated
trusted_ca_file_text = '/etc/pki/ca-trust/source/anchors/InCommon.crt'
untrusted_ca_file_remote = '/etc/pki/ca-trust/source/blacklist/DigiCert_Global_Root_G3.crt'
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Switched to a ca that actually exists in the trusted list on all distros.

@h-haaks
Copy link
Contributor Author

h-haaks commented Jun 5, 2024

Seems to be some issues with 'distrust' on el9 surfacing because I've added integration tests that verifies the generated trust list.
I'm looking into this now.

@h-haaks h-haaks force-pushed the support-distrust-for-debian branch 2 times, most recently from fae369e to 124031e Compare June 5, 2024 17:25
@h-haaks h-haaks changed the title Support distrusting ca's on Debian; Changed ca_cert::ca parameter names and meaning Support distrusting ca's on Debian; Changed ca_cert and ca_cert::ca parameter names and meaning Jun 5, 2024
@h-haaks h-haaks changed the title Support distrusting ca's on Debian; Changed ca_cert and ca_cert::ca parameter names and meaning Support distrusting ca's on Debian; Changed ca_cert::ca parameter names and meaning Jun 5, 2024
@h-haaks h-haaks force-pushed the support-distrust-for-debian branch 2 times, most recently from 578c31a to 555e05b Compare June 5, 2024 18:09
kenyon
kenyon reviewed Jun 5, 2024
View reviewed changes
manifests/init.pp Outdated
@@ -34,6 +34,10 @@
# Absolute directory path to the folder containing distrusted certificates.
# Default provided by Hiera for supported Operating Systems.
#
# @param ca_certificates_conf
# Some distros uses a configuration file to mark distrusted certificates.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
# Some distros uses a configuration file to mark distrusted certificates.
# Some distros use a configuration file to mark distrusted certificates.

@h-haaks h-haaks force-pushed the support-distrust-for-debian branch from 555e05b to 6dd5a4d Compare June 5, 2024 18:24
@h-haaks h-haaks merged commit 79cfb7a into voxpupuli:master Jun 5, 2024
23 checks passed
@h-haaks h-haaks deleted the support-distrust-for-debian branch June 5, 2024 18:28
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kenyon kenyon kenyon approved these changes

Assignees
No one assigned
Labels
backwards-incompatible enhancement
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Support distrusting ca's on Debian family
2 participants
@h-haaks @kenyon