From 3f81ab5452ec7ebfc67675c76f59c4c4fbac9dca Mon Sep 17 00:00:00 2001 From: "Eric D. Helms" Date: Mon, 6 May 2024 13:32:47 -0400 Subject: [PATCH 1/2] Drop absent file declarations --- manifests/ca.pp | 10 ---------- manifests/candlepin.pp | 34 ---------------------------------- 2 files changed, 44 deletions(-) diff --git a/manifests/ca.pp b/manifests/ca.pp index 4ae9f67e..05dc00cd 100644 --- a/manifests/ca.pp +++ b/manifests/ca.pp @@ -23,10 +23,6 @@ ) { $server_ca_path = "${certs::ssl_build_dir}/${server_ca_name}.crt" - file { "${certs::pki_dir}/private/${default_ca_name}.pwd": - ensure => absent, - } - file { $ca_key_password_file: ensure => file, content => $ca_key_password, @@ -76,12 +72,6 @@ } if $deploy { - # Ensure CA key deployed to /etc/pki/katello/private no longer exists - # The CA key is not used by anything from this directory and does not need to be deployed - file { $ca_key: - ensure => absent, - } - file { $certs::katello_default_ca_cert: ensure => file, source => "${certs::ssl_build_dir}/${default_ca_name}.crt", diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp index 94be573b..473c5d7b 100644 --- a/manifests/candlepin.pp +++ b/manifests/candlepin.pp @@ -28,24 +28,6 @@ $java_client_cert_name = 'java-client' $artemis_alias = 'artemis-client' $artemis_client_dn = $certs::foreman::client_dn - - cert { $java_client_cert_name: - ensure => absent, - hostname => $hostname, - cname => $cname, - country => $country, - state => $state, - city => $city, - org => 'candlepin', - org_unit => $org_unit, - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, - } - $tomcat_cert_name = "${hostname}-tomcat" cert { $tomcat_cert_name: 
@@ -89,22 +71,6 @@ key_decrypt => true, } - file { "${pki_dir}/private/katello-tomcat.key": - ensure => absent, - } - - file { "${pki_dir}/certs/katello-tomcat.crt": - ensure => absent, - } - - file { "${pki_dir}/private/${java_client_cert_name}.key": - ensure => absent, - } - - file { "${pki_dir}/certs/${java_client_cert_name}.crt": - ensure => absent, - } - file { $keystore_password_path: ensure => file, content => $keystore_password, From 0e25381ea52c9fdda1bd3c279177f01fac5696e0 Mon Sep 17 00:00:00 2001 From: "Eric D. Helms" Date: Mon, 6 May 2024 13:28:35 -0400 Subject: [PATCH 2/2] Use puppet-openssl to handle the backend --- .fixtures.yml | 11 +- .../katello-default-ca.crt | 40 ++++++ .../katello-default-ca.key | 54 ++++++++ .../katello-default-ca.pwd | 1 + .../katello-server-ca.crt | 40 ++++++ manifests/apache.pp | 76 ++++++----- manifests/ca.pp | 83 ++++++------ manifests/candlepin.pp | 53 +++++--- manifests/foreman.pp | 52 +++++--- manifests/foreman_proxy.pp | 120 ++++++++++-------- manifests/init.pp | 4 +- manifests/puppet.pp | 52 +++++--- spec/acceptance/apache_spec.rb | 6 +- spec/acceptance/candlepin_spec.rb | 12 +- spec/acceptance/certs_tar_extract_spec.rb | 4 +- spec/acceptance/foreman_proxy_spec.rb | 14 +- spec/acceptance/foreman_spec.rb | 6 +- spec/acceptance/migration_spec.rb | 66 ++++++++++ spec/acceptance/puppet_spec.rb | 6 +- 19 files changed, 488 insertions(+), 212 deletions(-) create mode 100644 fixtures/katello-certs-tool-ca/katello-default-ca.crt create mode 100644 fixtures/katello-certs-tool-ca/katello-default-ca.key create mode 100644 fixtures/katello-certs-tool-ca/katello-default-ca.pwd create mode 100644 fixtures/katello-certs-tool-ca/katello-server-ca.crt create mode 100644 spec/acceptance/migration_spec.rb diff --git a/.fixtures.yml b/.fixtures.yml index 3eccfa02..375dedf5 100644 --- a/.fixtures.yml +++ b/.fixtures.yml 
@@ -1,6 +1,9 @@ fixtures: repositories: - extlib: "https://github.com/voxpupuli/puppet-extlib" - foreman: "https://github.com/theforeman/puppet-foreman" - redis: "https://github.com/voxpupuli/puppet-redis" - stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" + extlib: "https://github.com/voxpupuli/puppet-extlib" + foreman: "https://github.com/theforeman/puppet-foreman" + openssl: + repo: "https://github.com/ehelms/puppet-openssl" + branch: "ca-password" + redis: "https://github.com/voxpupuli/puppet-redis" + stdlib: "https://github.com/puppetlabs/puppetlabs-stdlib" diff --git a/fixtures/katello-certs-tool-ca/katello-default-ca.crt b/fixtures/katello-certs-tool-ca/katello-default-ca.crt new file mode 100644 index 00000000..a881a341 --- /dev/null +++ b/fixtures/katello-certs-tool-ca/katello-default-ca.crt 
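Review bot: The new `openssl` fixture resolves to a mutable branch on a personal fork (`repo: "https://github.com/ehelms/puppet-openssl"`, `branch: "ca-password"`), so every CI run pulls whatever that branch holds at the moment and a force-push there silently changes what this module is tested against. Pin the fixture to an immutable commit, e.g. add `ref: "<commit-sha placeholder>"` under the `openssl` entry, and switch it to the upstream repository once the `ca-password` work is released. The other four entries are equally unpinned, but that predates this change.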
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIG/zCCBOegAwIBAgIUEJSPbzfROxOw3z7dxrx7JZ8DmvEwDQYJKoZIhvcNAQEL +BQAwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4G +A1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9y +Z1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb20wHhcNMjQwNTIw +MjIzNTI5WhcNMzgwMTE3MjIzNTI5WjCBgTELMAkGA1UEBhMCVVMxFzAVBgNVBAgM +Dk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRl +bGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEfMB0GA1UEAwwWY2VudG9zOC02NC5l +eGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALaSYmvi +t4ocOb2h71lqfCx/e/11I+uA9JIYvdYv3JIDgyXqqM6hLJJZU0rHEcVcE+dUDw2L +UB2Sg+S1vXM4LhpBTKUvXpc6tlDFPNUszifIlk6+mOVu7T1ls070PWQbQ9oRyebV +nlnXjb7ffObcVWGHZTci8kyAXwOjiDKQF2KqBBc3PpppuFNFw8wEASfCgCVerTBa +ViFn6E6psikhe1j92cwPfJun/bVreNdoPNwsLJ6D6jm5sIpms6LdwEScRuweB3OG +5vmsb/7m35yvv35jypI1o4PtwJxHxcDHphnC3d8iNrBZ8kS8XpCIIWtQI5M3Ofb8 +wvwKzyLt/r8mvI6GKm6/IwoK2k1nNGw22XUKdwWdAGgId4tdhXAfVuIUsvTmv9ce +m4nhmf32r2GGnIVAOQy7ZuBTh/7zXsFgVd6xl/nA8vOUYNEzlY+uC/jv/jeFQSyG +LcURzrsFEMya1Tl1S5UhIYI2LqCqywkF4EbY8VBijroX/EOK51Rf8i0A4GUS6E2i +EvMnhNXXnmpFKx60stABYBRIuXzF0kOufuO2DPPpvyQ5dR24e6gGnND9o83lUh58 +mjuUwhCqnwEwg6N54HVas7nPG5lcLWPgcAxWnIHdmIeSgsrEVoRBUQUvqvX2iilw +dSoKq9UiKsht1pQV2AspJ0VSxS0WbYcCwLihAgMBAAGjggFrMIIBZzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwEQYJYIZIAYb4QgEBBAQDAgJEMDUGCWCGSAGG+EIBDQQoFiZLYXRlbGxvIFNT +TCBUb29sIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNlbGdCK5ZAa9 +N7gZPsS0FSO5t9kwgcEGA1UdIwSBuTCBtoAUNlbGdCK5ZAa9N7gZPsS0FSO5t9mh +gYekgYQwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQ +MA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29t +ZU9yZ1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb22CFBCUj283 +0TsTsN8+3ca8eyWfA5rxMA0GCSqGSIb3DQEBCwUAA4ICAQBvhQKiEmKr9oGpgTQ3 +MHg+5iJsFyLL5IPN7JHp8tuFzX5+pHaLl4sgmNIOVxL1Ft4I0JkgPimFViqsJPAz +trUl5mZBW1MchA7H7+Qi/ZCctpk0fi04WeM+O0tpm9OPzlGGL5mQekCDQ1S7p+3M 
+xnk+rnIT6nmgqV5rg9cM+228Rd4cngU3HNsM8xx91UXKjz5eL9DIotl3iVU9wsQ1 +X1Pi6+qHMPp7JrXBYmqbxTCDupBWpgWYyb4uw63TO/MVQBjck9RLgx3++hR7WUnC +VG0ONFPN41InSu+0EdA0fbM7zC3MjlwsX3WSPI39THRVQfyRrrglPMlt7bW8d5eb +gILD/e0kn1J0OmFchj5v3eUWdbCMnKCelJkhlwDGpirRu+kXRKy0zFGDkR+z8kvz +YBIdDEFyJ4qINAWNP4HHQkHUd/aDpHSbfAojVwEj1lsdHO4LJqpBp/LulBPm86D7 +hBj86kv7YqXn/vOlZ4iGAoeA94PXORABZdPIlfkLGTRbHRPp2BcT06piwB8hwaAL +XrjWptfB3C1CFn81K86m6aBAkz83EYC+YkED23HVpUwpDEaViuDtUt74SfxuvW8H +/W+sZzlezCgwdIpkuC9M64HyHPuIuIbu0zZVSeMHvHwEbRMJeq3rwOZsuPLDkT3K +gxbEhBEPxtdiAzmH3W9+isXTng== +-----END CERTIFICATE----- diff --git a/fixtures/katello-certs-tool-ca/katello-default-ca.key b/fixtures/katello-certs-tool-ca/katello-default-ca.key new file mode 100644 index 00000000..987eafbc --- /dev/null +++ b/fixtures/katello-certs-tool-ca/katello-default-ca.key 
@@ -0,0 +1,54 @@ +-----BEGIN ENCRYPTED PRIVATE KEY----- +MIIJrTBXBgkqhkiG9w0BBQ0wSjApBgkqhkiG9w0BBQwwHAQIOklCZ8PO84QCAggA +MAwGCCqGSIb3DQIJBQAwHQYJYIZIAWUDBAEqBBBr1RbWYKKKaEbyQpATz7vABIIJ +UEEj0gg4PP+JNEwcroBIvyNWaa+dTaOWQGp6yt6ewHpXB9a1gclci4XbyX7Jtw8S +WTOSR1vGrOARFTgLoXMLwy/XEKvm0ljKdWt8P1OMcYvbQnMvxs3Wq2xB7XIpF0iL +2/M2MD8c7OFEutJ583uXfyT2PjJjbHR+GQf0feeef5Q8s4s92+QNEGclFDqwWYOK +3zpINt6JD2XuyoLuJQW0NfsMZxy8FbefOrV4ThEunxQ8dfmBMrGEn5i2yylzqNLN +oR6Zlk/0LYBGgSNAMfCBSyTscHed0kwr4ggI7EUcjEd7q1eSDLFIh9jEpGook18e +eczkIu3BR5EcQafnnCn9+qNwDwFcbTxtSly7ol6zMaRas/ABja+ULHVoD31elI77 +6hGCQNTDwywn4sq5JAMC23A4uqVvHZBh5+kF/cr+YeItOZgVqj3gL1PxK0yZRoL9 +aHmqvYykvBnyrrIhaP08uCRGp7n6mzpx+oxyfXvzByOVwFw7TFe3sgiBPDzxwzGt +3qumvdQWhDoOa6bdoiaVou/dWrWOIWj+qpCPF3GZRzCDDBMMVSmtzncDJw20cBXG +7PwcMEqhFLkrxGCh0i6yHGxH8djxIxdkzsjd1GStLEdooRk4tuyfblu3teizM7sb +OtjR6anCpEZpil83q/o3CUs/9jNsJ9DxoYERUSONzUStpCWHHZwpPjx88BTCLch+ +USO8XbhbVMccSp2ZdRrjxjhpR1Wc3sjwprVmcGBlvaOhOA3tg+AIi8dQwWEUxN34 +1EQqKbdtcKNvaj2SrM7+ljG9CxO4N13UfE0SNAihDsFFT7Br8C+0cf4Io4egvY2N +eEjlZUSaY2xkCzKpkHb/fH3CGQvh9sGx5/FCHqM0dqveqKKhKwUcNNTSa869My8h +7VmhtGIhkpZBaX8U1LM2fa1n6MH/6rYQbWqtikYvbsSGTOjsVAUjd0/2nrKi3o6G +H1wofcZVW9QaOlyjM1cdSBBGlPxmDL90NUcRmj5agNuWRLHLEC8vB++MlfBp4Y2K +Jax+wtYlrSFeBkYbPwvjUHFkRNxT0PBtegRd9WCFosNbgyRAHQRwwZw1cvIPy/92 +fMsTwImQ52vpjyWlN9qZmUsintZ8ChHaPLAeZ04KRU2Y05UwzmQrxHySCaCcuTjp +Ge5cVrkqkfL2KnCGbkigyoK88v+2LdCWs1HI64mVNGFgLNdPXIDe01YpdkqtYuB+ +2e7PrbacFYjKSbQllZ95TvMSZ6KVr3BX9AVot68epR+JpNg+6DS9liz+Mgj+113A +SQqDw7wPeAjNudrRBnaaaQx4wuYrqNEBJR6PjgzbMBymtaSCFzBGYfSqJb4BXaBS +XTBYsxtXyyQSZjLRKg19ljIIowC/E4NKG4ftwmbWSauyIQnW0cjDFiuQNUqSQLI+ +FmCsXU4+VLfSQc7TOfdRi8fLNy9wcChWreSXj8eM5pWJnYpBc/hFEpQndTFwmzqw +wZEOBpBN0TzlQLy5zhK3ukEk5+aSn0GZyMiSr104bGwIzI9tg9eX3qWvyZe2DLyb +IOBnYW2cr5O+RUDLV7fWE9s9/RLNNLYJPFl6fdTjzqPjP8wyFe1StUYa+xXjzsm0 +ZPc4GedK5gfy79sSSsNblXx7EWRPjA6cTmAA6xmI0pF4HbuQBIUyPBkqbmlaCGxA +ex8N+dlWFjaRW7CWwoXYlYqE+iuhGcmplnfxk0AxlawfNdFjc6LMRvA7fchMqaXV 
+n+95YVrrU1e6f/oTFKwBRlVpb4ii0f8Udj+6aEg5xMPiib2omGX5yvNBR3w4xT5c +a6i3usk3E4akD9SaXLLCP80qEuELMhINiEyH97bnj+KfKFT4EOLCg+943ESsI0yD +b2bGnM6w744uQtRDjvXIQMorz4t+ouHCWGmmKUJzh2Bt8ekFis+H3X8y4WKvB5mU +SyFycGLlKM/ZgAXeFT9k2Kov8sBYIEycx4+bhL7L5CqF53xf4Q1WoHcM8ONhqGr9 +/YLM9ImYtto9li8Zlb8mYCUZGZfLK0MSd4QXqVzcV47kSOOtQLVM5KXpjR/zvEgc +945XxLFXBvSKwqcNrmXjAa3PNbu7jIj1Ks5KFc9XlRhG8mya3ik7NKGG1DOXdsjt +FesUyn4OyP5nxjHW+64l4A06zUZoEeeJgxoPNs31ZmoWmSkVUDP+cXJUBhkc5UnX +YwShsw7EWzZI48Wmivo6yuqFPB1+VYyPk0iMRWctF3r31qSFrKYx+e3Juk/jUuUt +Z6qqE1eKd+/loOgg8nzOqCwHKbvI4wugQYuEgu4ANkNV+/SLqpxlwy8s2XF0cpUg +RoJOT37dr/n6zH2mdQHUhUuh4iQAX1fL34IDxuefFYA+bqx8ln8iOv16qIeOjyny +wuqo0SYDMBjZBIHxUQ9T4Y6CZ/nyfb89v5FJEuMmH22bUy/KMgasWZ7sFhE7/31G +E0FCWGtDsEIvNoAVEsDsSWHcYSvxNOaIMOtfvz8Ya09US3+fLIohbuDbXmeHflKo +L1cjvhH/caUulhqtF6AMtlAV4sRcdxyZfcA8HkHpRJSnJe2IabLLowCESnlOgCgt +RWvsTrSaglTL1/UeNe5aI01WYEwFb4N/ADtzUOqmYNpdxbLPwfQ3QazQ1co3SMXq +h1nbiCjZXxQaMzEKNlxxPGYAmqpk6opZy6bgN+GorI5kjyrqGlkILJH0GdHM4EwF +ZAL/SwjXdypHrl9gSjFxorL2dwFofmPTThgrujA0oD9X8ccQnDVzfcYKhgtJteFQ +zaeNljAsfuUY2Sqyf5VxSwtlHrOOBNjVbi+RFg57znpXKSWbno3I4JimVaqR6Qly +lE+bj1xIfrf/71FKj8EshthQhWBwjxf1eFg9lq3UEeuOEDIJH4ZcrBcYwLeVSmiZ +i+tiHnfqeU8/sFAQFYVBtsDZhDYV9Cr2bYHYYDvf4tSo8jf0xI0YLQVw/8iobld2 +7rATD7ho9h6GE7UaU0OMePivGXJpK1If4IJUi6UCF+ibiILREehSBUmR9oE5jQrz +GRL8zu4/8sP+mw9LA0sxL5DG0eX6x/lJ4VTMFAlUiJH5DWt5bW9zNke5rMnTrBmN +spQ/vkC1W5YTH9RY5H6d5Sa1ft/OJbWqrbxAB5U73YCx4a18lb0r6Nkqb8JcYUCU +FamldCh+SbP3xYt9Mn7COqEM6jyUNyjXW8zew8Ksm9Ii +-----END ENCRYPTED PRIVATE KEY----- diff --git a/fixtures/katello-certs-tool-ca/katello-default-ca.pwd b/fixtures/katello-certs-tool-ca/katello-default-ca.pwd new file mode 100644 index 00000000..99a0d4bf --- /dev/null +++ b/fixtures/katello-certs-tool-ca/katello-default-ca.pwd @@ -0,0 +1 @@ +WJiNgAHTJia2249gwxCGk9VT diff --git a/fixtures/katello-certs-tool-ca/katello-server-ca.crt b/fixtures/katello-certs-tool-ca/katello-server-ca.crt new file mode 100644 index 00000000..a881a341 --- /dev/null 
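Review bot: `katello-default-ca.pwd` commits, in cleartext, the passphrase that unlocks the encrypted `katello-default-ca.key` added in the same series, so the encryption on that key protects nothing and the whole CA (decoded from the PEM it is `CA:true` and valid until 2038) has to be treated as public material. That is acceptable only for a throwaway test CA, and nothing in the series says it is one. Add a short README in `fixtures/katello-certs-tool-ca/` stating that these files exist solely to exercise the migration path in acceptance tests and must never be installed on a real host, and add the directory to any secret-scanning allowlist so the finding does not keep resurfacing.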
+++ b/fixtures/katello-certs-tool-ca/katello-server-ca.crt 
@@ -0,0 +1,40 @@ +-----BEGIN CERTIFICATE----- +MIIG/zCCBOegAwIBAgIUEJSPbzfROxOw3z7dxrx7JZ8DmvEwDQYJKoZIhvcNAQEL +BQAwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQMA4G +A1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29tZU9y +Z1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb20wHhcNMjQwNTIw +MjIzNTI5WhcNMzgwMTE3MjIzNTI5WjCBgTELMAkGA1UEBhMCVVMxFzAVBgNVBAgM +Dk5vcnRoIENhcm9saW5hMRAwDgYDVQQHDAdSYWxlaWdoMRAwDgYDVQQKDAdLYXRl +bGxvMRQwEgYDVQQLDAtTb21lT3JnVW5pdDEfMB0GA1UEAwwWY2VudG9zOC02NC5l +eGFtcGxlLmNvbTCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBALaSYmvi +t4ocOb2h71lqfCx/e/11I+uA9JIYvdYv3JIDgyXqqM6hLJJZU0rHEcVcE+dUDw2L +UB2Sg+S1vXM4LhpBTKUvXpc6tlDFPNUszifIlk6+mOVu7T1ls070PWQbQ9oRyebV +nlnXjb7ffObcVWGHZTci8kyAXwOjiDKQF2KqBBc3PpppuFNFw8wEASfCgCVerTBa +ViFn6E6psikhe1j92cwPfJun/bVreNdoPNwsLJ6D6jm5sIpms6LdwEScRuweB3OG +5vmsb/7m35yvv35jypI1o4PtwJxHxcDHphnC3d8iNrBZ8kS8XpCIIWtQI5M3Ofb8 +wvwKzyLt/r8mvI6GKm6/IwoK2k1nNGw22XUKdwWdAGgId4tdhXAfVuIUsvTmv9ce +m4nhmf32r2GGnIVAOQy7ZuBTh/7zXsFgVd6xl/nA8vOUYNEzlY+uC/jv/jeFQSyG +LcURzrsFEMya1Tl1S5UhIYI2LqCqywkF4EbY8VBijroX/EOK51Rf8i0A4GUS6E2i +EvMnhNXXnmpFKx60stABYBRIuXzF0kOufuO2DPPpvyQ5dR24e6gGnND9o83lUh58 +mjuUwhCqnwEwg6N54HVas7nPG5lcLWPgcAxWnIHdmIeSgsrEVoRBUQUvqvX2iilw +dSoKq9UiKsht1pQV2AspJ0VSxS0WbYcCwLihAgMBAAGjggFrMIIBZzAMBgNVHRME +BTADAQH/MAsGA1UdDwQEAwIBpjAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH +AwIwEQYJYIZIAYb4QgEBBAQDAgJEMDUGCWCGSAGG+EIBDQQoFiZLYXRlbGxvIFNT +TCBUb29sIEdlbmVyYXRlZCBDZXJ0aWZpY2F0ZTAdBgNVHQ4EFgQUNlbGdCK5ZAa9 +N7gZPsS0FSO5t9kwgcEGA1UdIwSBuTCBtoAUNlbGdCK5ZAa9N7gZPsS0FSO5t9mh +gYekgYQwgYExCzAJBgNVBAYTAlVTMRcwFQYDVQQIDA5Ob3J0aCBDYXJvbGluYTEQ +MA4GA1UEBwwHUmFsZWlnaDEQMA4GA1UECgwHS2F0ZWxsbzEUMBIGA1UECwwLU29t +ZU9yZ1VuaXQxHzAdBgNVBAMMFmNlbnRvczgtNjQuZXhhbXBsZS5jb22CFBCUj283 +0TsTsN8+3ca8eyWfA5rxMA0GCSqGSIb3DQEBCwUAA4ICAQBvhQKiEmKr9oGpgTQ3 +MHg+5iJsFyLL5IPN7JHp8tuFzX5+pHaLl4sgmNIOVxL1Ft4I0JkgPimFViqsJPAz +trUl5mZBW1MchA7H7+Qi/ZCctpk0fi04WeM+O0tpm9OPzlGGL5mQekCDQ1S7p+3M 
+xnk+rnIT6nmgqV5rg9cM+228Rd4cngU3HNsM8xx91UXKjz5eL9DIotl3iVU9wsQ1 +X1Pi6+qHMPp7JrXBYmqbxTCDupBWpgWYyb4uw63TO/MVQBjck9RLgx3++hR7WUnC +VG0ONFPN41InSu+0EdA0fbM7zC3MjlwsX3WSPI39THRVQfyRrrglPMlt7bW8d5eb +gILD/e0kn1J0OmFchj5v3eUWdbCMnKCelJkhlwDGpirRu+kXRKy0zFGDkR+z8kvz +YBIdDEFyJ4qINAWNP4HHQkHUd/aDpHSbfAojVwEj1lsdHO4LJqpBp/LulBPm86D7 +hBj86kv7YqXn/vOlZ4iGAoeA94PXORABZdPIlfkLGTRbHRPp2BcT06piwB8hwaAL +XrjWptfB3C1CFn81K86m6aBAkz83EYC+YkED23HVpUwpDEaViuDtUt74SfxuvW8H +/W+sZzlezCgwdIpkuC9M64HyHPuIuIbu0zZVSeMHvHwEbRMJeq3rwOZsuPLDkT3K +gxbEhBEPxtdiAzmH3W9+isXTng== +-----END CERTIFICATE----- diff --git a/manifests/apache.pp b/manifests/apache.pp index 61b466ac..45ae27c5 100644 --- a/manifests/apache.pp +++ b/manifests/apache.pp @@ -59,7 +59,7 @@ String $city = $certs::city, String $org = $certs::org, String $org_unit = $certs::org_unit, - String $expiration = $certs::expiration, + Variant[Integer, String] $expiration = $certs::expiration, Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, String $group = $certs::group, ) inherits certs { @@ -71,7 +71,7 @@ $apache_cert_path = "${certs::ssl_build_dir}/${hostname}/${apache_cert_name}" - if $server_cert { + if $generate { ensure_resource( 'file', "${certs::ssl_build_dir}/${hostname}", 
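Review bot: `katello-server-ca.crt` is byte-identical to `katello-default-ca.crt` — both new files carry the same blob id `a881a341` in their `index` lines. If the migration spec is meant to cover the case where the server CA differs from the default CA (the `if $certs::server_ca_cert` branch in ca.pp), this fixture cannot exercise it; if sharing one CA is intentional, a one-line note in the fixtures directory would save the next reader from diffing the two files.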
@@ -82,41 +82,47 @@ 'mode' => '0750', } ) - file { "${apache_cert_path}.crt": - ensure => file, - source => $server_cert, - owner => 'root', - group => 'root', - mode => '0440', - } - file { "${apache_cert_path}.key": - ensure => file, - source => $server_key, - owner => 'root', - group => 'root', - mode => '0440', - } - $require_cert = File["${apache_cert_path}.crt"] - } else { - cert { $apache_cert_name: - ensure => present, - hostname => $hostname, - cname => $cname, - country => $country, - state => $state, - city => $city, - org => $org, - org_unit => $org_unit, - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, - } + if $server_cert { + file { "${apache_cert_path}.crt": + ensure => file, + source => $server_cert, + owner => 'root', + group => 'root', + mode => '0440', + } + file { "${apache_cert_path}.key": + ensure => file, + source => $server_key, + owner => 'root', + group => 'root', + mode => '0440', + } + + $require_cert = File["${apache_cert_path}.crt"] + } else { + openssl::certificate::x509 { $apache_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => $org, + unit => $org_unit, + altnames => $cname, + extkeyusage => ['serverAuth', 'clientAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } - $require_cert = Cert[$apache_cert_name] + $require_cert = X509_cert["${apache_cert_path}.crt"] + } } if $deploy { diff --git a/manifests/ca.pp b/manifests/ca.pp index 05dc00cd..5cad6911 100644 --- a/manifests/ca.pp +++ b/manifests/ca.pp 
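Review bot: `$require_cert` is now assigned only inside `if $generate` (both the `$server_cert` branch and the `openssl::certificate::x509` branch sit under the guard introduced in the preceding hunk), so on a node with `generate => false` the variable is unset when the `if $deploy` block, which continues outside this hunk, presumably consumes it; foreman_proxy.pp repeats the same structure. Before this change a user-supplied `$server_cert` was copied into the build dir regardless of `$generate`, so a deploy-only node that brings its own certificate also loses that path. The CA passphrase is also passed as a plain resource parameter, `cakey_password => $certs::ca_key_password`, instead of via `password_file`; unless puppet-openssl marks that parameter as sensitive, the value lands in the catalog, reports and any debug logging, so wrap it as `cakey_password => Sensitive($certs::ca_key_password)` if the define accepts it (the same applies to `password` in ca.pp and `cakey_password` in candlepin.pp, foreman.pp, foreman_proxy.pp and puppet.pp). Lastly, `extkeyusage => ['serverAuth', 'clientAuth']` grants the Apache certificate client authentication too; if nothing presents this certificate as a client, `['serverAuth']` as used for the tomcat certificate is the tighter choice.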
@@ -30,19 +30,35 @@ group => 'root', mode => '0400', show_diff => false, - } ~> - ca { $default_ca_name: - ensure => present, - common_name => $ca_common_name, - country => $country, - state => $state, - city => $city, - org => $org, - org_unit => $org_unit, - expiration => $ca_expiration, - generate => $generate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, + } + + openssl::config { "${certs::ssl_build_dir}/ca.cnf": + ensure => 'present', + commonname => $certs::node_fqdn, + country => $country, + state => $state, + locality => $city, + organization => $org, + unit => $org_unit, + default_keyfile => "${default_ca_name}.key", + basicconstraints => ['CA:true'], + keyusages => ['digitalSignature', 'keyEncipherment', 'keyCertSign', 'cRLSign'], + extendedkeyusages => ['serverAuth', 'clientAuth'], + } + + ssl_pkey { "${certs::ssl_build_dir}/${default_ca_name}.key": + ensure => 'present', + password => $ca_key_password, + size => '4096', + } + + x509_cert { "${certs::ssl_build_dir}/${default_ca_name}.crt": + ensure => 'present', + private_key => "${certs::ssl_build_dir}/${default_ca_name}.key", + days => $ca_expiration, + template => "${certs::ssl_build_dir}/ca.cnf", + password => $ca_key_password, + require => File["${certs::ssl_build_dir}/ca.cnf"], } if $certs::server_ca_cert { 
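Review bot: The removed `ca { $default_ca_name: ... generate => $generate ... }` was gated on `$generate`, but the replacement `ssl_pkey` and `x509_cert` resources carry no equivalent guard, so unless the enclosing block (which starts outside this hunk) is already conditional, a deploy-only node will now generate a brand-new CA key and certificate in `$certs::ssl_build_dir` instead of leaving CA generation to the designated host. The `openssl::config` also hard-codes `commonname => $certs::node_fqdn` where the old resource used `common_name => $ca_common_name`; if `$ca_common_name` is still a parameter of this class it is now silently ignored. Minor: `size => '4096'` is a string while every other hunk in the series uses `key_size => 4096`, and `keyusages` including `keyEncipherment` plus `extendedkeyusages` of `serverAuth`/`clientAuth` are unusual on a CA — the committed katello-certs-tool fixture carries exactly those bits, so this looks like a deliberate reproduction of the legacy CA, and a comment saying so would stop the next reviewer from "fixing" it.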
@@ -55,37 +71,32 @@ } } else { file { $server_ca_path: - ensure => file, - source => "${certs::ssl_build_dir}/${default_ca_name}.crt", - owner => 'root', - group => 'root', - mode => '0644', - } - } - - if $generate { - file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT": - ensure => link, - target => $server_ca_path, - require => File[$server_ca_path], + ensure => file, + source => "${certs::ssl_build_dir}/${default_ca_name}.crt", + owner => 'root', + group => 'root', + mode => '0644', + require => X509_cert["${certs::ssl_build_dir}/${default_ca_name}.crt"], } } if $deploy { file { $certs::katello_default_ca_cert: - ensure => file, - source => "${certs::ssl_build_dir}/${default_ca_name}.crt", - owner => 'root', - group => 'root', - mode => '0644', + ensure => file, + source => "${certs::ssl_build_dir}/${default_ca_name}.crt", + owner => 'root', + group => 'root', + mode => '0644', + require => X509_cert["${certs::ssl_build_dir}/${default_ca_name}.crt"], } file { $katello_server_ca_cert: - ensure => file, - source => $server_ca_path, - owner => $owner, - group => $group, - mode => '0644', + ensure => file, + source => $server_ca_path, + owner => $owner, + group => $group, + mode => '0644', + require => File[$server_ca_path], } } } diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp index 473c5d7b..3b2c5b49 100644 --- a/manifests/candlepin.pp +++ b/manifests/candlepin.pp @@ -17,7 +17,7 @@ String $city = $certs::city, String $org = $certs::org, String $org_unit = $certs::org_unit, - String $expiration = $certs::expiration, + Variant[String, Integer] $expiration = $certs::expiration, Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, String $user = 'root', String $group = 'tomcat', 
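Review bot: The `if $generate { file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT": ensure => link, ... } }` block is dropped here with no replacement and the commit message does not mention it; if anything still resolves that symlink (the certs tarball, or another module reading the build dir) it will now be missing on freshly generated hosts and stale on upgraded ones. Either restore it — `file { "${certs::ssl_build_dir}/KATELLO-TRUSTED-SSL-CERT": ensure => link, target => $server_ca_path, require => File[$server_ca_path] }` — or state in the commit message why it is obsolete. The added `require => X509_cert["${certs::ssl_build_dir}/${default_ca_name}.crt"]` lines are fine as long as the CA resources stay unconditional; if they are later gated on `$generate`, these references would fail catalog compilation on deploy-only nodes.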
@@ -25,26 +25,41 @@ ) inherits certs { include certs::foreman - $java_client_cert_name = 'java-client' $artemis_alias = 'artemis-client' - $artemis_client_dn = $certs::foreman::client_dn $tomcat_cert_name = "${hostname}-tomcat" + $tomcat_cert_path = "${certs::ssl_build_dir}/${hostname}/${tomcat_cert_name}" - cert { $tomcat_cert_name: - ensure => present, - hostname => $hostname, - cname => $cname, - country => $country, - state => $state, - city => $city, - org => $org, - org_unit => $org_unit, - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, + if $generate { + ensure_resource( + 'file', + "${certs::ssl_build_dir}/${hostname}", + { + 'ensure' => directory, + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0750', + } + ) + + openssl::certificate::x509 { $tomcat_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => $org, + unit => $org_unit, + altnames => $cname, + extkeyusage => ['serverAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } } $keystore_password = extlib::cache_data('foreman_cache_data', $keystore_password_file, extlib::random_password(32)) @@ -66,7 +81,7 @@ cert_owner => $user, cert_group => $group, cert_mode => '0440', - require => $certs::default_ca, + require => X509_cert["${tomcat_cert_path}.crt"], key_password_file => $ca_key_password_file, key_decrypt => true, } diff --git a/manifests/foreman.pp b/manifests/foreman.pp index 47e87f5f..380c914d 100644 --- a/manifests/foreman.pp +++ b/manifests/foreman.pp 
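Review bot: `require => X509_cert["${tomcat_cert_path}.crt"]` in the second hunk points at a resource that exists only when `$generate` is true, because the `openssl::certificate::x509 { $tomcat_cert_name: ... }` that presumably declares it is now inside `if $generate`; the resource this `require` belongs to starts outside the hunk, and if it is reached with `generate => false` the catalog fails on an unknown resource reference, where the old `require => $certs::default_ca` always resolved. The same pattern appears in foreman.pp (`X509_cert["${client_cert_path}.crt"]`), foreman_proxy.pp (twice, `X509_cert["${foreman_proxy_client_cert_path}.crt"]`) and puppet.pp (`X509_cert["${puppet_client_cert_path}.crt"]`). Either make the requiring resource conditional on the same `$generate`, or compute the dependency into a variable inside the guard (as apache.pp does with `$require_cert`) and reference that from the deploy side.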
@@ -13,31 +13,47 @@ String $city = $certs::city, String $org = 'FOREMAN', String $org_unit = 'PUPPET', - String $expiration = $certs::expiration, + Variant[String, Integer] $expiration = $certs::expiration, Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert, String $owner = 'root', String $group = 'foreman', ) inherits certs { $client_cert_name = "${hostname}-foreman-client" + $client_cert_path = "${certs::ssl_build_dir}/${hostname}/${client_cert_name}" $client_dn = "CN=${hostname}, OU=${org_unit}, O=${org}, ST=${state}, C=${country}" - # cert for authentication of puppetmaster against foreman - cert { $client_cert_name: - hostname => $hostname, - cname => $cname, - purpose => 'client', - country => $country, - state => $state, - city => $city, - org => $org, - org_unit => $org_unit, - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, + if $generate { + ensure_resource( + 'file', + "${certs::ssl_build_dir}/${hostname}", + { + 'ensure' => directory, + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0750', + } + ) + + openssl::certificate::x509 { $client_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => $org, + unit => $org_unit, + altnames => $cname, + extkeyusage => ['clientAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } } if $deploy { 
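Review bot: `$client_dn` (a context line here) is still built as `"CN=${hostname}, OU=${org_unit}, O=${org}, ST=${state}, C=${country}"`, but the certificate now issued next to it carries `locality => $city`, and the spec updates in this series confirm the subject now reads `C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = ...`. Wherever `$client_dn` is still consumed as the expected DN of this client certificate — candlepin.pp drops its `$artemis_client_dn` copy in this same patch, but other consumers may remain — the comparison will no longer match, and a DN mismatch on the consumer side typically surfaces as a silent authentication failure rather than a compile error. Add the locality in the matching position, `$client_dn = "CN=${hostname}, OU=${org_unit}, O=${org}, L=${city}, ST=${state}, C=${country}"`, or remove the variable if nothing reads it any more. The enclosing class continues past `if $deploy {` outside this hunk.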
@@ -51,7 +67,7 @@ cert_owner => $owner, cert_group => $group, cert_mode => '0440', - require => Cert[$client_cert_name], + require => X509_cert["${client_cert_path}.crt"], } file { $ssl_ca_cert: diff --git a/manifests/foreman_proxy.pp b/manifests/foreman_proxy.pp index d7b2157e..2faddb52 100644 --- a/manifests/foreman_proxy.pp +++ b/manifests/foreman_proxy.pp @@ -25,7 +25,7 @@ String[2,2] $country = $certs::country, String $state = $certs::state, String $city = $certs::city, - String $expiration = $certs::expiration, + Variant[String, Integer] $expiration = $certs::expiration, Stdlib::Absolutepath $default_ca_cert = $certs::katello_default_ca_cert, Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, String $group = 'foreman-proxy', @@ -38,8 +38,9 @@ $foreman_proxy_ssl_client_bundle = "${pki_dir}/private/${foreman_proxy_client_cert_name}-bundle.pem" $proxy_cert_path = "${certs::ssl_build_dir}/${hostname}/${proxy_cert_name}" + $foreman_proxy_client_cert_path = "${certs::ssl_build_dir}/${hostname}/${foreman_proxy_client_cert_name}" - if $server_cert { + if $generate { ensure_resource( 'file', "${certs::ssl_build_dir}/${hostname}", 
@@ -50,60 +51,69 @@ 'mode' => '0750', } ) - file { "${proxy_cert_path}.crt": - ensure => file, - source => $server_cert, - owner => 'root', - group => 'root', - mode => '0440', - } - file { "${proxy_cert_path}.key": - ensure => file, - source => $server_key, - owner => 'root', - group => 'root', - mode => '0440', - } - $require_cert = File["${proxy_cert_path}.crt"] - } else { - # cert for ssl of foreman-proxy - cert { $proxy_cert_name: - hostname => $hostname, - cname => $cname, - purpose => 'server', - country => $country, - state => $state, - city => $city, - org => 'FOREMAN', - org_unit => 'SMART_PROXY', - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, - } + if $server_cert { + file { "${proxy_cert_path}.crt": + ensure => file, + source => $server_cert, + owner => 'root', + group => 'root', + mode => '0440', + } + file { "${proxy_cert_path}.key": + ensure => file, + source => $server_key, + owner => 'root', + group => 'root', + mode => '0440', + } - $require_cert = Cert[$proxy_cert_name] - } + $require_cert = File["${proxy_cert_path}.crt"] + } else { + # cert for ssl of foreman-proxy + openssl::certificate::x509 { $proxy_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => 'FOREMAN', + unit => 'SMART_PROXY', + altnames => $cname, + extkeyusage => ['serverAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } - # cert for authentication of foreman_proxy against foreman - cert { $foreman_proxy_client_cert_name: - hostname => $hostname, - cname => $cname, - purpose => 
'client', - country => $country, - state => $state, - city => $city, - org => 'FOREMAN', - org_unit => 'FOREMAN_PROXY', - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, + $require_cert = File["${proxy_cert_path}.crt"] + } + + # cert for authentication of foreman_proxy against foreman + openssl::certificate::x509 { $foreman_proxy_client_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => 'FOREMAN', + unit => 'FOREMAN_PROXY', + altnames => $cname, + extkeyusage => ['clientAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } } if $deploy { @@ -139,7 +149,7 @@ cert_owner => $owner, cert_group => $group, cert_mode => $public_key_mode, - require => Cert[$foreman_proxy_client_cert_name], + require => X509_cert["${foreman_proxy_client_cert_path}.crt"], } file { $foreman_ssl_ca_cert: @@ -159,7 +169,7 @@ owner => 'root', group => $group, mode => $public_key_mode, - require => Cert[$foreman_proxy_client_cert_name], + require => X509_cert["${foreman_proxy_client_cert_path}.crt"], } } } diff --git a/manifests/init.pp b/manifests/init.pp index a0d6015f..82b1f6c5 100644 --- a/manifests/init.pp +++ b/manifests/init.pp @@ -79,7 +79,7 @@ String $city = 'Raleigh', String $org = 'Katello', String $org_unit = 'SomeOrgUnit', - String $expiration = '7300', # 20 years + Variant[String, Integer] $expiration = 7300, # 20 years String $ca_expiration = '36500', # 100 years Optional[Stdlib::Absolutepath] $server_cert = undef, Optional[Stdlib::Absolutepath] $server_key = undef, 
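Review bot: In the `else` branch the dependency is recorded as `$require_cert = File["${proxy_cert_path}.crt"]`, but that branch declares no `file` resource with that title — it declares `openssl::certificate::x509 { $proxy_cert_name: ... }` — whereas apache.pp in the same series records `X509_cert["${apache_cert_path}.crt"]` for the identical situation. Unless the define happens to declare a `File` with exactly that path, this reference will not resolve; `$require_cert = X509_cert["${proxy_cert_path}.crt"]` matches apache.pp. The foreman_proxy client certificate below it is now generated only under `if $generate`, while the `require => X509_cert["${foreman_proxy_client_cert_path}.crt"]` lines in the `if $deploy` block further down still assume it exists.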
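Review bot: `$expiration` becomes `Variant[String, Integer]` with an Integer default of `7300`, but the neighbouring `String $ca_expiration = '36500'` keeps its string type even though ca.pp now feeds it straight into `x509_cert { days => $ca_expiration }` next to the integer-typed leaf expirations. For consistency, and so the CA does not receive a string where every leaf receives an integer, change it to `Variant[String, Integer] $ca_expiration = 36500, # 100 years`. apache.pp also spells the type as `Variant[Integer, String]` while every other manifest in the series uses `Variant[String, Integer]`; they are equivalent, but one spelling is easier to grep.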
@@ -122,6 +122,4 @@ Class['certs::install'] -> Class['certs::config'] -> Class['certs::ca'] - - $default_ca = Ca[$default_ca_name] } diff --git a/manifests/puppet.pp b/manifests/puppet.pp index 61b2bd28..4184675d 100644 --- a/manifests/puppet.pp +++ b/manifests/puppet.pp @@ -11,7 +11,7 @@ String[2,2] $country = $certs::country, String $state = $certs::state, String $city = $certs::city, - String $expiration = $certs::expiration, + Variant[String, Integer] $expiration = $certs::expiration, Stdlib::Absolutepath $ca_key_password_file = $certs::ca_key_password_file, Stdlib::Absolutepath $server_ca = $certs::katello_server_ca_cert, Stdlib::Absolutepath $pki_dir = $certs::pki_dir, 
@@ -19,23 +19,39 @@ String $group = 'puppet', ) inherits certs { $puppet_client_cert_name = "${hostname}-puppet-client" + $puppet_client_cert_path = "${certs::ssl_build_dir}/${hostname}/${puppet_client_cert_name}" - # cert for authentication of puppetmaster against foreman - cert { $puppet_client_cert_name: - hostname => $hostname, - cname => $cname, - purpose => 'client', - country => $country, - state => $state, - city => $city, - org => 'FOREMAN', - org_unit => 'PUPPET', - expiration => $expiration, - ca => $certs::default_ca, - generate => $generate, - regenerate => $regenerate, - password_file => $ca_key_password_file, - build_dir => $certs::ssl_build_dir, + if $generate { + ensure_resource( + 'file', + "${certs::ssl_build_dir}/${hostname}", + { + 'ensure' => directory, + 'owner' => 'root', + 'group' => 'root', + 'mode' => '0750', + } + ) + + openssl::certificate::x509 { $puppet_client_cert_name: + ensure => present, + commonname => $hostname, + country => $country, + state => $state, + locality => $city, + organization => 'FOREMAN', + unit => 'PUPPET', + altnames => $cname, + extkeyusage => ['clientAuth'], + days => $expiration, + base_dir => "${certs::ssl_build_dir}/${hostname}", + key_size => 4096, + force => true, + encrypted => false, + ca => "${certs::ssl_build_dir}/${certs::default_ca_name}.crt", + cakey => "${certs::ssl_build_dir}/${certs::default_ca_name}.key", + cakey_password => $certs::ca_key_password, + } } if $deploy { @@ -56,7 +72,7 @@ cert_owner => $owner, cert_group => $group, cert_mode => '0440', - require => Cert[$puppet_client_cert_name], + require => X509_cert["${puppet_client_cert_path}.crt"], } file { $ssl_ca_cert: diff --git a/spec/acceptance/apache_spec.rb b/spec/acceptance/apache_spec.rb index a57e60e1..f8bcd1a9 100644 --- a/spec/acceptance/apache_spec.rb +++ b/spec/acceptance/apache_spec.rb 
@@ -20,7 +20,7 @@ it { should be_valid } it { should have_purpose 'server' } its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } - its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } + its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } its(:keylength) { should be >= 4096 } end @@ -35,7 +35,7 @@ it { should be_valid } it { should have_purpose 'server' } its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } - its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } + its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } its(:keylength) { should be >= 4096 } end @@ -113,7 +113,7 @@ class { 'certs::apache': it { should be_valid } it { should have_purpose 'server' } its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } - its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } + its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) } its(:keylength) { should be >= 4096 } end diff --git a/spec/acceptance/candlepin_spec.rb b/spec/acceptance/candlepin_spec.rb index 1c5e044a..cc8b204f 100644 --- a/spec/acceptance/candlepin_spec.rb +++ b/spec/acceptance/candlepin_spec.rb 
@@ -51,7 +51,7 @@
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -78,7 +78,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -174,7 +174,7 @@
 describe command("keytool -list -v -keystore /etc/candlepin/certs/keystore -alias tomcat -storepass $(cat #{keystore_password_file})") do
 its(:exit_status) { should eq 0 }
- its(:stdout) { should match(/^Owner: CN=#{fqdn}, OU=SomeOrgUnit, O=Katello, ST=North Carolina, C=US$/) }
+ its(:stdout) { should match(/^Owner: CN=#{fqdn}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
 its(:stdout) { should match(/^Issuer: CN=#{fqdn}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
 end
@@ -209,13 +209,13 @@ class { 'certs::candlepin':
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = localhost/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = localhost/) }
 its(:keylength) { should be >= 4096 }
 end
 describe command("keytool -list -v -keystore /etc/candlepin/certs/keystore -alias tomcat -storepass $(cat #{keystore_password_file})") do
 its(:exit_status) { should eq 0 }
- its(:stdout) { should match(/^Owner: CN=localhost, OU=SomeOrgUnit, O=Katello, ST=North Carolina, C=US$/) }
+ its(:stdout) { should match(/^Owner: CN=localhost, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
 its(:stdout) { should match(/^Issuer: CN=#{fqdn}, OU=SomeOrgUnit, O=Katello, L=Raleigh, ST=North Carolina, C=US$/) }
 end
 end
@@ -323,7 +323,7 @@ class { 'certs::candlepin':
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
diff --git a/spec/acceptance/certs_tar_extract_spec.rb b/spec/acceptance/certs_tar_extract_spec.rb
index 5416108a..5354e2d7 100644
--- a/spec/acceptance/certs_tar_extract_spec.rb
+++ b/spec/acceptance/certs_tar_extract_spec.rb
@@ -46,7 +46,7 @@ class { 'certs':
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = foreman-proxy.example.com/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman-proxy.example.com/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -61,7 +61,7 @@ class { 'certs':
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = Katello, OU = SomeOrgUnit, CN = foreman-proxy.example.com/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = foreman-proxy.example.com/) }
 its(:keylength) { should be >= 4096 }
 end
diff --git a/spec/acceptance/foreman_proxy_spec.rb b/spec/acceptance/foreman_proxy_spec.rb
index 17d670e1..447263cf 100644
--- a/spec/acceptance/foreman_proxy_spec.rb
+++ b/spec/acceptance/foreman_proxy_spec.rb
@@ -29,7 +29,7 @@
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -67,7 +67,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -105,7 +105,7 @@
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -120,7 +120,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -135,7 +135,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -219,7 +219,7 @@ class { 'certs::foreman_proxy':
 it { should be_valid }
 it { should have_purpose 'server' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = SMART_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -234,7 +234,7 @@ class { 'certs::foreman_proxy':
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = FOREMAN_PROXY, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
diff --git a/spec/acceptance/foreman_spec.rb b/spec/acceptance/foreman_spec.rb
index ea904a19..59d2a533 100644
--- a/spec/acceptance/foreman_spec.rb
+++ b/spec/acceptance/foreman_spec.rb
@@ -27,7 +27,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -71,7 +71,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -106,7 +106,7 @@ class { 'certs::foreman':
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
diff --git a/spec/acceptance/migration_spec.rb b/spec/acceptance/migration_spec.rb
new file mode 100644
index 00000000..99525569
--- /dev/null
+++ b/spec/acceptance/migration_spec.rb
@@ -0,0 +1,66 @@
+require 'spec_helper_acceptance'
+
+describe 'certs' do
+ before(:all) do
+ on default, 'rm -rf /root/ssl-build'
+ source_path = "fixtures/katello-certs-tool-ca/"
+ dest_path = "/root/ssl-build/"
+ scp_to(hosts, source_path, dest_path)
+ end
+
+ context 'with default params' do
+ describe x509_certificate('/root/ssl-build/katello-default-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+
+ describe x509_certificate('/root/ssl-build/katello-server-ca.crt') do
+ it { should be_certificate }
+ it { should be_valid }
+ it { should have_purpose 'SSL server CA' }
+ its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fact('fqdn')}/) }
+ its(:keylength) { should be >= 4096 }
+ end
+
+ describe x509_private_key('/root/ssl-build/katello-default-ca.key') do
+ it { should be_encrypted }
+ end
+
+ describe file('/root/ssl-build/katello-default-ca.pwd') do
+ it { should exist }
+ end
+ end
+
+ context 'after applying certs should not change CA' do
+ before do
+ on default, 'cp -rf /root/ssl-build/ /root/ssl-build-backup'
+ on default, 'mkdir -p /opt/puppetlabs/puppet/cache/foreman_cache_data'
+ on default, 'cp /root/ssl-build/katello-default-ca.pwd /opt/puppetlabs/puppet/cache/foreman_cache_data/ca_key_password'
+
+ @passwd = on(default, 'cat /root/ssl-build-backup/katello-default-ca.pwd').output.strip
+ @cert = on(default, 'cat 
/root/ssl-build-backup/katello-default-ca.crt').output
+ @key = on(default, 'cat /root/ssl-build-backup/katello-default-ca.key').output
+ end
+
+ it_behaves_like 'an idempotent resource' do
+ let(:manifest) { 'include certs' }
+ end
+
+ describe file('/root/ssl-build/katello-default-ca.pwd') do
+ its(:content) { should match(@passwd) }
+ end
+
+ describe file('/root/ssl-build/katello-default-ca.crt') do
+ its(:content) { should match(@cert) }
+ end
+
+ describe file('/root/ssl-build/katello-default-ca.key') do
+ its(:content) { should match(@key) }
+ end
+ end
+end
diff --git a/spec/acceptance/puppet_spec.rb b/spec/acceptance/puppet_spec.rb
index 92600e82..a49f6275 100644
--- a/spec/acceptance/puppet_spec.rb
+++ b/spec/acceptance/puppet_spec.rb
@@ -25,7 +25,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
@@ -69,7 +69,7 @@
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end
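Review bot: The `its(:content) { should match(@passwd) }`, `match(@cert)` and `match(@key)` expectations in the migration spec hand a String to `match`, which RSpec compiles into a Regexp, so `+`, `.` and any other metacharacters in the password or the base64 PEM body act as regex operators and the assertion no longer proves the file is unchanged byte for byte; `its(:content) { should include(@passwd) }` (and likewise `include(@cert)` / `include(@key)`) checks the literal text. The snapshot taken in the `before` block is re-run before every example, including the `describe file(...)` ones that execute after the idempotent apply, so whether `@cert` and `@key` still hold the pre-apply contents appears to rely on `cp -rf /root/ssl-build/ /root/ssl-build-backup` not overwriting an already existing destination; capturing the three values once in `before(:all)` would make the pre-apply intent explicit and independent of `cp` semantics. `@passwd` is stripped but `@cert` and `@key` are not, so with an equality matcher the trailing newline from `.output` would have to be handled consistently for all three.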
@@ -104,7 +104,7 @@ class { 'certs::puppet':
 it { should be_valid }
 it { should have_purpose 'client' }
 its(:issuer) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = Katello, OU = SomeOrgUnit, CN = #{fqdn}/) }
- its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
+ its(:subject) { should match_without_whitespace(/C = US, ST = North Carolina, L = Raleigh, O = FOREMAN, OU = PUPPET, CN = #{fqdn}/) }
 its(:keylength) { should be >= 4096 }
 end