changeset 136:765e72629b3e puppet-3.6
Fix "direct under CA" custom conditions and sites that use "cert named after domain" pattern
The 'undef' value coerces to empty string, so "$var == undef" becomes
"$var == ''", which broke our logic. Puppet 3 doesn't have a prettier solution
author | IBBoard <dev@ibboard.co.uk> |
---|---|
date | Fri, 11 Nov 2016 21:04:13 +0000 |
parents | b3f6c7a910d0 |
children | 4f9bc88a426a |
files | modules/website/manifests/https.pp modules/website/manifests/https/redir.pp |
diffstat | 2 files changed, 54 insertions(+), 4 deletions(-) [+] |
--- a/modules/website/manifests/https.pp Fri Nov 11 21:02:09 2016 +0000
+++ b/modules/website/manifests/https.pp Fri Nov 11 21:04:13 2016 +0000
@@ -69,15 +69,40 @@
 $siteroot = $docroot
 }
- if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+ if $ssl_cert == undef and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
 $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+ } elsif $ssl_cert == undef {
+ $sslcert = "${website::certdir}/${shortdomain}.crt"
+ $sslkey = "${website::certdir}/${shortdomain}.key"
+ File {
+ mode => '0400',
+ owner => 'root',
+ group => 'root',
+ }
+ file { $sslcert:
+ source => "puppet:///private/pki/custom/${shortdomain}.crt",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
+ file { $sslkey:
+ source => "puppet:///private/pki/custom/${shortdomain}.key",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
 } else {
 $sslcert = $ssl_cert
 $sslkey = $ssl_key
 }
- if $ssl_ca_chain == undef {
+ if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $ssl_chain = $website::ca_chain
 } elsif $ssl_ca_chain == '' {
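Review bot: The two `$ssl_cert == undef` tests in this hunk lack the `!("" in [$ssl_cert])` guard that the same commit adds in https/redir.pp, so by the commit message's own reasoning an empty-string `$ssl_cert` still matches them here. Depending on `$ssl_ca_chain`, such a value selects the Let's Encrypt paths or the custom-certificate branch rather than the `else` branch, and the two manifests can then disagree about which certificate and key a site uses. If the difference is not intended, the conditions would read `if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {` and `} elsif $ssl_cert == undef and !("" in [$ssl_cert]) {`. Whether any caller passes an empty string for `ssl_cert` is not visible here; the enclosing definition starts and ends outside the hunk.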
--- a/modules/website/manifests/https/redir.pp Fri Nov 11 21:02:09 2016 +0000
+++ b/modules/website/manifests/https/redir.pp Fri Nov 11 21:04:13 2016 +0000
@@ -34,15 +34,40 @@
 $siteroot = $docroot
 }
- if $ssl_cert == undef {
+# These conditionals use an ugly cludge from
+# http://grokbase.com/t/gg/puppet-users/147by1key3/checking-a-variable-is-not-undef#20140713grem6zqsai7qjbgkmd2f4ia3qi
+# because if we don't then undef gets auto-cast to the empty string and the empty string matches our special "no CA chain" case
+# It'd be nicer to use "=~ Undef" to check types (https://puppet-on-the-edge.blogspot.co.uk/2013/12/lets-talk-about-undef.html),
+# but that threw syntax errors.
+ if $ssl_cert == undef and !("" in [$ssl_cert]) and $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $sslcert = "/etc/letsencrypt/live/${::fqdn}/cert.pem"
 $sslkey = "/etc/letsencrypt/live/${::fqdn}/privkey.pem"
+ } elsif $ssl_cert == undef and !("" in [$ssl_cert]) {
+ $sslcert = "${website::certdir}/${shortdomain}.crt"
+ $sslkey = "${website::certdir}/${shortdomain}.key"
+ File {
+ mode => '0400',
+ owner => 'root',
+ group => 'root',
+ }
+ file { $sslcert:
+ source => "puppet:///private/pki/custom/${shortdomain}.crt",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
+ file { $sslkey:
+ source => "puppet:///private/pki/custom/${shortdomain}.key",
+ before => Apache::Vhost[$name],
+ notify => Service['httpd'],
+ ensure => present;
+ }
 } else {
 $sslcert = $ssl_cert
 $sslkey = $ssl_key
 }
- if $ssl_ca_chain == undef {
+ if $ssl_ca_chain == undef and !("" in [$ssl_ca_chain]) {
 $ssl_chain = $website::ca_chain
 } elsif $ssl_ca_chain == '' {
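Review bot: The private key's permissions in the new `elsif` branch come from a `File { ... }` resource default rather than from the `file { $sslkey: }` resource itself, and the same block appears in the https.pp hunk. A resource default applies to every file resource declared in this scope, so any other files this definition manages (outside the hunk, not visible here) may also be forced to root-owned `0400`, and the key's protection depends on that default staying in place. Setting `mode => '0400', owner => 'root', group => 'root',` directly on the two file resources would keep the restriction attached to the key and certificate. The block is also duplicated verbatim in both manifests; moving it into one shared defined type would stop the copies from diverging.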