Add support to set SSLCARevocationCheck on Apache 2.4
Apache 2.4 needs an additional SSLCARevocationCheck directive to enable
checking of a CRL, e.g. for a Puppet master vhost.

See puppetlabs/puppet@b02af7e
for more background
Dominic Cleal committed Sep 28, 2014
1 parent c54405e commit 309953a
Showing 5 changed files with 84 additions and 56 deletions.
8 changes: 8 additions & 0 deletions README.md
Expand Up @@ -276,6 +276,10 @@ The default certificate revocation list to use, which is automatically set to 'u

The default certificate revocation list path, which is automatically set to 'undef'. This default will work out of the box but must be updated with your specific certificate information before being used in production.

#####`default_ssl_crl_check`

Sets the default certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), which is automatically set to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.

#####`default_ssl_key`

The default SSL key, which is automatically set based on your operating system ('/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD). This default will work out of the box but must be updated with your specific certificate information before being used in production.
Expand Down Expand Up @@ -1776,6 +1780,10 @@ Specifies the certificate revocation list to use. Defaults to 'undef'. (This def

Specifies the location of the certificate revocation list. Defaults to 'undef'. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)

#####`ssl_crl_check`

Sets the certificate revocation check level via the [SSLCARevocationCheck directive](http://httpd.apache.org/docs/current/mod/mod_ssl.html#sslcarevocationcheck), defaults to 'undef'. This default will work out of the box but must be specified when using CRLs in production. Only applicable to Apache 2.4 or higher, the value will be ignored on older versions.

#####`ssl_key`

Specifies the SSL key. Defaults are based on your operating system: '/etc/pki/tls/private/localhost.key' for RedHat, '/etc/ssl/private/ssl-cert-snakeoil.key' for Debian, and '/usr/local/etc/apache22/server.key' for FreeBSD. (This default will work out of the box but must be updated in the base `apache` class with your specific certificate information before being used in production.)
97 changes: 49 additions & 48 deletions manifests/init.pp
Expand Up @@ -13,55 +13,56 @@
# Sample Usage:
#
class apache (
$apache_name = $::apache::params::apache_name,
$service_name = $::apache::params::service_name,
$default_mods = true,
$default_vhost = true,
$default_confd_files = true,
$default_ssl_vhost = false,
$default_ssl_cert = $::apache::params::default_ssl_cert,
$default_ssl_key = $::apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$ip = undef,
$service_enable = true,
$service_ensure = 'running',
$purge_configs = true,
$purge_vhost_dir = undef,
$serveradmin = 'root@localhost',
$sendfile = 'On',
$error_documents = false,
$timeout = '120',
$httpd_dir = $::apache::params::httpd_dir,
$server_root = $::apache::params::server_root,
$conf_dir = $::apache::params::conf_dir,
$confd_dir = $::apache::params::confd_dir,
$vhost_dir = $::apache::params::vhost_dir,
$vhost_enable_dir = $::apache::params::vhost_enable_dir,
$mod_dir = $::apache::params::mod_dir,
$mod_enable_dir = $::apache::params::mod_enable_dir,
$mpm_module = $::apache::params::mpm_module,
$conf_template = $::apache::params::conf_template,
$servername = $::apache::params::servername,
$manage_user = true,
$manage_group = true,
$user = $::apache::params::user,
$group = $::apache::params::group,
$keepalive = $::apache::params::keepalive,
$keepalive_timeout = $::apache::params::keepalive_timeout,
$apache_name = $::apache::params::apache_name,
$service_name = $::apache::params::service_name,
$default_mods = true,
$default_vhost = true,
$default_confd_files = true,
$default_ssl_vhost = false,
$default_ssl_cert = $::apache::params::default_ssl_cert,
$default_ssl_key = $::apache::params::default_ssl_key,
$default_ssl_chain = undef,
$default_ssl_ca = undef,
$default_ssl_crl_path = undef,
$default_ssl_crl = undef,
$default_ssl_crl_check = undef,
$ip = undef,
$service_enable = true,
$service_ensure = 'running',
$purge_configs = true,
$purge_vhost_dir = undef,
$serveradmin = 'root@localhost',
$sendfile = 'On',
$error_documents = false,
$timeout = '120',
$httpd_dir = $::apache::params::httpd_dir,
$server_root = $::apache::params::server_root,
$conf_dir = $::apache::params::conf_dir,
$confd_dir = $::apache::params::confd_dir,
$vhost_dir = $::apache::params::vhost_dir,
$vhost_enable_dir = $::apache::params::vhost_enable_dir,
$mod_dir = $::apache::params::mod_dir,
$mod_enable_dir = $::apache::params::mod_enable_dir,
$mpm_module = $::apache::params::mpm_module,
$conf_template = $::apache::params::conf_template,
$servername = $::apache::params::servername,
$manage_user = true,
$manage_group = true,
$user = $::apache::params::user,
$group = $::apache::params::group,
$keepalive = $::apache::params::keepalive,
$keepalive_timeout = $::apache::params::keepalive_timeout,
$max_keepalive_requests = $apache::params::max_keepalive_requests,
$logroot = $::apache::params::logroot,
$logroot_mode = $::apache::params::logroot_mode,
$log_level = $::apache::params::log_level,
$log_formats = {},
$ports_file = $::apache::params::ports_file,
$apache_version = $::apache::version::default,
$server_tokens = 'OS',
$server_signature = 'On',
$trace_enable = 'On',
$package_ensure = 'installed',
$logroot = $::apache::params::logroot,
$logroot_mode = $::apache::params::logroot_mode,
$log_level = $::apache::params::log_level,
$log_formats = {},
$ports_file = $::apache::params::ports_file,
$apache_version = $::apache::version::default,
$server_tokens = 'OS',
$server_signature = 'On',
$trace_enable = 'On',
$package_ensure = 'installed',
) inherits ::apache::params {
validate_bool($default_vhost)
validate_bool($default_ssl_vhost)
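Review bot: The new `$default_ssl_crl_check` parameter is handed straight to the template without any validation, although the class already validates its other security-relevant inputs such as `$default_ssl_vhost` with `validate_bool` at the end of the hunk; the same gap exists for `$ssl_crl_check` in manifests/vhost.pp. SSLCARevocationCheck accepts only a small set of keywords and the template interpolates the value into a double-quoted directive, so a typo or stray quote would surface as an httpd start failure on 2.4 instead of at catalog compile time. Alongside the existing checks, `if $default_ssl_crl_check { validate_re($default_ssl_crl_check, '\A(none|leaf|chain)\z', 'default_ssl_crl_check must be none, leaf or chain') }` would catch it early, and the same line fits vhost.pp. It is also worth saying in the class header comment that with the default of undef the directive is not emitted, so on Apache 2.4 a configured SSLCARevocationFile/Path is present but not enforced, which is exactly the situation the commit message describes. The `class apache` definition continues beyond the hunk.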
3 changes: 3 additions & 0 deletions manifests/vhost.pp
Expand Up @@ -18,6 +18,7 @@
$ssl_ca = $::apache::default_ssl_ca,
$ssl_crl_path = $::apache::default_ssl_crl_path,
$ssl_crl = $::apache::default_ssl_crl,
$ssl_crl_check = $::apache::default_ssl_crl_check,
$ssl_certs_dir = $::apache::params::ssl_certs_dir,
$ssl_protocol = undef,
$ssl_cipher = undef,
Expand Down Expand Up @@ -650,13 +651,15 @@
# - $ssl_ca
# - $ssl_crl_path
# - $ssl_crl
# - $ssl_crl_check
# - $ssl_proxyengine
# - $ssl_protocol
# - $ssl_cipher
# - $ssl_honorcipherorder
# - $ssl_verify_client
# - $ssl_verify_depth
# - $ssl_options
# - $apache_version
if $ssl {
concat::fragment { "${name}-ssl":
target => "${priority_real}-$(unknown).conf",
29 changes: 21 additions & 8 deletions spec/acceptance/apache_ssl_spec.rb
@@ -1,4 +1,5 @@
require 'spec_helper_acceptance'
require_relative './version.rb'

case fact('osfamily')
when 'RedHat'
Expand All @@ -13,14 +14,15 @@
it 'runs without error' do
pp = <<-EOS
class { 'apache':
service_ensure => stopped,
default_ssl_vhost => true,
default_ssl_cert => '/tmp/ssl_cert',
default_ssl_key => '/tmp/ssl_key',
default_ssl_chain => '/tmp/ssl_chain',
default_ssl_ca => '/tmp/ssl_ca',
default_ssl_crl_path => '/tmp/ssl_crl_path',
default_ssl_crl => '/tmp/ssl_crl',
service_ensure => stopped,
default_ssl_vhost => true,
default_ssl_cert => '/tmp/ssl_cert',
default_ssl_key => '/tmp/ssl_key',
default_ssl_chain => '/tmp/ssl_chain',
default_ssl_ca => '/tmp/ssl_ca',
default_ssl_crl_path => '/tmp/ssl_crl_path',
default_ssl_crl => '/tmp/ssl_crl',
default_ssl_crl_check => 'chain',
}
EOS
apply_manifest(pp, :catch_failures => true)
Expand All @@ -34,6 +36,11 @@ class { 'apache':
it { is_expected.to contain 'SSLCACertificateFile "/tmp/ssl_ca"' }
it { is_expected.to contain 'SSLCARevocationPath "/tmp/ssl_crl_path"' }
it { is_expected.to contain 'SSLCARevocationFile "/tmp/ssl_crl"' }
if $apache_version == '2.4'
it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
else
it { is_expected.not_to contain 'SSLCARevocationCheck' }
end
end
end

Expand All @@ -53,6 +60,7 @@ class { 'apache':
ssl_ca => '/tmp/ssl_ca',
ssl_crl_path => '/tmp/ssl_crl_path',
ssl_crl => '/tmp/ssl_crl',
ssl_crl_check => 'chain',
ssl_certs_dir => '/tmp',
ssl_protocol => 'test',
ssl_cipher => 'test',
Expand Down Expand Up @@ -81,6 +89,11 @@ class { 'apache':
it { is_expected.to contain 'SSLVerifyClient test' }
it { is_expected.to contain 'SSLVerifyDepth test' }
it { is_expected.to contain 'SSLOptions test test1' }
if $apache_version == '2.4'
it { is_expected.to contain 'SSLCARevocationCheck "chain"' }
else
it { is_expected.not_to contain 'SSLCARevocationCheck' }
end
end
end

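Review bot: The two new `if $apache_version == '2.4'` guards compare for exact string equality, while the template they exercise gates the directive on `versioncmp(@apache_version, '2.4') >= 0`; if version.rb (not visible here) ever reports a patch-level or newer string such as '2.4.x', these examples would wrongly expect the directive to be absent. Comparing as versions, `if Gem::Version.new($apache_version) >= Gem::Version.new('2.4')`, keeps the spec aligned with the template's own condition. Since both blocks are identical, the predicate could also live once in version.rb next to the global it reads.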
3 changes: 3 additions & 0 deletions templates/vhost/_ssl.erb
Expand Up @@ -19,6 +19,9 @@
<%- if @ssl_crl -%>
SSLCARevocationFile "<%= @ssl_crl %>"
<%- end -%>
<%- if @ssl_crl_check && scope.function_versioncmp([@apache_version, '2.4']) >= 0 -%>
SSLCARevocationCheck "<%= @ssl_crl_check %>"
<%- end -%>
<%- if @ssl_proxyengine -%>
SSLProxyEngine On
<%- end -%>
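Review bot: The new version guard carries no explanation of why the directive is conditional, which the next maintainer of this template will want; I would precede it with `<%# SSLCARevocationCheck exists only from Apache 2.4 and would be an unrecognised directive on older versions -%>`. The same comment should state that on 2.4 an unset @ssl_crl_check emits nothing, so the SSLCARevocationFile/Path written just above are configured but not consulted, which is the behaviour the commit message sets out to fix. The value is interpolated into a double-quoted directive without escaping, so the manifests that accept the parameter, rather than this template, are the right place to restrict it to the directive's documented keywords.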
