changeset 136:765e72629b3e puppet-3.6

Fix "direct under CA" custom conditions and sites that use "cert named after domain" pattern. The 'undef' value coerces to empty string, so "$var == undef" becomes "$var == ''", which broke our logic. Puppet 3 doesn't have a prettier solution.
author IBBoard <dev@ibboard.co.uk>
date Fri, 11 Nov 2016 21:04:13 +0000
parents b3f6c7a910d0
children 4f9bc88a426a
files modules/website/manifests/https.pp modules/website/manifests/https/redir.pp
diffstat 2 files changed, 54 insertions(+), 4 deletions(-) [+]
--- a/modules/website/manifests/https.pp	Fri Nov 11 21:02:09 2016 +0000
+++ b/modules/website/manifests/https.pp	Fri Nov 11 21:04:13 2016 +0000
@@ -69,15 +69,40 @@
     $siteroot = $docroot
   }
 
-  if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+  if $ssl_cert == undef and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
     $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+  } elsif $ssl_cert == undef {
+    $sslcert = "${website::certdir}/${shortdomain}.crt"
+    $sslkey = "${website::certdir}/${shortdomain}.key"
+    File {
+      mode => '0400',
+      owner => 'root',
+      group => 'root',
+    }
+    file { $sslcert:
+      source => "puppet:///private/pki/custom/${shortdomain}.crt",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
+    file { $sslkey:
+      source => "puppet:///private/pki/custom/${shortdomain}.key",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
   } else {
     $sslcert = $ssl_cert
     $sslkey = $ssl_key   
   }
 
-  if $ssl_ca_chain == undef {
+  if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $ssl_chain = $website::ca_chain
   }
   elsif $ssl_ca_chain == '' {
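Review bot: The private key written by `file { $sslkey: }` gets its 0400 root:root permissions only from the `File { ... }` resource default in the new `elsif` branch, not from the resource itself. Puppet resource defaults are dynamically scoped and are not confined to the conditional block, so this default can also reach other file resources in this define and in anything declared from it, and the key's permissions change silently if the default is ever edited or removed. I would drop the `File { }` block and put `mode => '0400', owner => 'root', group => 'root',` directly on both file resources. The same pattern is repeated in the redir.pp hunk, and if both defines can be declared for the same `$shortdomain`, the identical `file { $sslcert: }` and `file { $sslkey: }` titles would likely collide at catalog compile; the enclosing define starts and ends outside the hunk.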
--- a/modules/website/manifests/https/redir.pp	Fri Nov 11 21:02:09 2016 +0000
+++ b/modules/website/manifests/https/redir.pp	Fri Nov 11 21:04:13 2016 +0000
@@ -34,15 +34,40 @@
     $siteroot = $docroot
   }
 
-  if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+  if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
     $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+  } elsif $ssl_cert == undef and !("" in [$ssl_cert]) {
+    $sslcert = "${website::certdir}/${shortdomain}.crt"
+    $sslkey = "${website::certdir}/${shortdomain}.key"
+    File {
+      mode => '0400',
+      owner => 'root',
+      group => 'root',
+    }
+    file { $sslcert:
+      source => "puppet:///private/pki/custom/${shortdomain}.crt",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
+    file { $sslkey:
+      source => "puppet:///private/pki/custom/${shortdomain}.key",
+      before => Apache::Vhost[$name],
+      notify => Service['httpd'],
+      ensure => present;
+    }
   } else {
     $sslcert = $ssl_cert
     $sslkey = $ssl_key
   } 
 
-  if $ssl_ca_chain == undef {
+  if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
     $ssl_chain = $website::ca_chain
   }
   elsif $ssl_ca_chain == '' {
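Review bot: The `!("" in [$ssl_cert])` guard used on the `if` and `elsif` here is missing from the matching conditions in the https.pp hunk of this commit, which test only `$ssl_cert == undef`. Going by the commit description, that comparison is also true for an empty string, so an explicit `ssl_cert => ''` would take the Let's Encrypt or custom-cert branch in https.pp but fall through to `else` here. If the two manifests are meant to behave the same, https.pp should use `if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {` and `} elsif $ssl_cert == undef and !("" in [$ssl_cert]) {`. A short comment beside the guard stating that, per the linked thread, `"" in [$x]` is what separates an empty string from undef would help the next reader; the if/elsif chain at the end of the hunk continues outside it.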