139 lines
3.3 KiB
Puppet
139 lines
3.3 KiB
Puppet
|
|
# Helper class which defines cert and private directories.
|
|
#
|
|
class ssl {
|
|
|
|
case $::operatingsystem {
|
|
"centos","redhat","fedora": {
|
|
$certs = "/etc/pki/tls/certs"
|
|
$private = "/etc/pki/tls/private"
|
|
}
|
|
"openbsd": {
|
|
$certs = "/etc/ssl"
|
|
$private = "/etc/ssl/private"
|
|
}
|
|
"debian","ubuntu": {
|
|
$certs = "/etc/ssl/certs"
|
|
$private = "/etc/ssl/private"
|
|
package { "ssl-cert":
|
|
ensure => installed,
|
|
}
|
|
}
|
|
default: {
|
|
fail("Class ssl not supported on ${::operatingsystem}")
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Install OpenSSL.
|
|
#
|
|
class ssl::openssl {
|
|
|
|
if $::operatingsystem != "OpenBSD" {
|
|
package { "openssl":
|
|
ensure => installed,
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Create self-signed certificate.
|
|
#
|
|
# === Parameters:
|
|
#
|
|
# $name:
|
|
# Certificate output file.
|
|
# $cn:
|
|
# Common name.
|
|
# $mode, $owner, $group:
|
|
# Certificate file permissions.
|
|
# $keyout:
|
|
# Key output file. Defaults to ${name}.
|
|
# $keymode, $keyowner, $keygroup:
|
|
# Key file permissions.
|
|
# $days:
|
|
# Validity in days, defaults to 3650.
|
|
# $keysize:
|
|
# RSA key size, defaults to 2048.
|
|
# $subject:
|
|
# Extra subject information.
|
|
#
|
|
define ssl::certificate($cn, $mode, $owner, $group,
|
|
$keyout="", $keymode="", $keyowner="", $keygroup="",
|
|
$days="3650", $keysize="2048", $subject="") {
|
|
|
|
include ssl::openssl
|
|
|
|
if $keyout {
|
|
$keyout_real = $keyout
|
|
if !$keymode or !$keyowner or !$keygroup {
|
|
fail("\$keymode, \$keyowner and \$keygroup must be defined.")
|
|
}
|
|
} else {
|
|
$keyout_real = $name
|
|
}
|
|
|
|
if $subject {
|
|
$subject_real = "/CN=${cn}/${subject}"
|
|
} else {
|
|
$subject_real = "/CN=${cn}"
|
|
}
|
|
|
|
exec { "openssl-req-${name}":
|
|
path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin",
|
|
command => "/bin/sh -c 'umask 077 ; openssl req -x509 -nodes -days ${days} -newkey rsa:${keysize} -subj \"${subject_real}\" -keyout ${keyout_real} -out ${name}'",
|
|
creates => [ $name, $keyout_real ],
|
|
}
|
|
|
|
file { $name:
|
|
ensure => present,
|
|
mode => $mode,
|
|
owner => $owner,
|
|
group => $group,
|
|
require => Exec["openssl-req-${name}"],
|
|
}
|
|
|
|
if $keyout {
|
|
file { $keyout:
|
|
ensure => present,
|
|
mode => $keymode,
|
|
owner => $keyowner,
|
|
group => $keygroup,
|
|
require => Exec["openssl-req-${name}"],
|
|
}
|
|
}
|
|
|
|
}
|
|
|
|
|
|
# Create DH parameters.
|
|
#
|
|
# === Parameters:
|
|
#
|
|
# $name:
|
|
# Output file.
|
|
# $mode, $owner, $group:
|
|
# Output file permissions.
|
|
# $keysize:
|
|
# Key size. Defaults to 1024.
|
|
#
|
|
define ssl::dhparam($mode, $owner, $group, $keysize="1024") {
|
|
|
|
exec { "openssl-dhparam-${name}":
|
|
path => "/bin:/usr/bin:/usr/local/bin:/sbin:/usr/sbin:/usr/local/sbin",
|
|
command => "/bin/sh -c 'umask 077 ; openssl dhparam -out ${name} ${keysize}'",
|
|
creates => $name,
|
|
}
|
|
|
|
file { $name:
|
|
ensure => present,
|
|
mode => $mode,
|
|
owner => $owner,
|
|
group => $group,
|
|
require => Exec["openssl-dhparam-${name}"],
|
|
}
|
|
|
|
}
|