puppet 6.0.2-universal-darwin → 6.0.3-universal-darwin
Sign up to get free protection for your applications and to get access to all the features.
Potentially problematic release.
This version of puppet might be problematic. Click here for more details.
- checksums.yaml +4 -4
- data/Gemfile +2 -2
- data/Gemfile.lock +11 -11
- data/lib/puppet/application.rb +5 -0
- data/lib/puppet/application/apply.rb +1 -0
- data/lib/puppet/application/script.rb +1 -1
- data/lib/puppet/application/ssl.rb +119 -49
- data/lib/puppet/defaults.rb +9 -27
- data/lib/puppet/face/node/clean.rb +0 -1
- data/lib/puppet/feature/base.rb +1 -1
- data/lib/puppet/file_serving/fileset.rb +1 -1
- data/lib/puppet/pops/validation/checker4_0.rb +4 -2
- data/lib/puppet/provider/package/windows.rb +2 -2
- data/lib/puppet/provider/package/windows/exe_package.rb +3 -10
- data/lib/puppet/provider/service/windows.rb +11 -3
- data/lib/puppet/provider/user/useradd.rb +2 -10
- data/lib/puppet/resource/catalog.rb +1 -5
- data/lib/puppet/ssl/host.rb +7 -9
- data/lib/puppet/transaction/persistence.rb +1 -1
- data/lib/puppet/type/package.rb +1 -1
- data/lib/puppet/type/user.rb +4 -1
- data/lib/puppet/util.rb +7 -3
- data/lib/puppet/util/execution.rb +1 -0
- data/lib/puppet/util/logging.rb +3 -2
- data/lib/puppet/util/windows/process.rb +6 -2
- data/lib/puppet/util/windows/security.rb +14 -0
- data/lib/puppet/util/windows/service.rb +217 -74
- data/lib/puppet/util/windows/user.rb +3 -5
- data/lib/puppet/version.rb +1 -1
- data/locales/ja/puppet.po +505 -276
- data/locales/puppet.pot +250 -111
- data/man/man5/puppet.conf.5 +8 -1
- data/man/man8/puppet-ssl.8 +22 -2
- data/man/man8/puppet.8 +1 -1
- data/spec/integration/parser/collection_spec.rb +4 -8
- data/spec/integration/type/file_spec.rb +6 -6
- data/spec/integration/util/windows/security_spec.rb +10 -7
- data/spec/integration/util/windows/user_spec.rb +37 -17
- data/spec/lib/puppet/test_ca.rb +1 -1
- data/spec/unit/agent_spec.rb +2 -2
- data/spec/unit/application/apply_spec.rb +41 -2
- data/spec/unit/application/face_base_spec.rb +1 -1
- data/spec/unit/application/ssl_spec.rb +160 -110
- data/spec/unit/application_spec.rb +29 -11
- data/spec/unit/configurer/downloader_spec.rb +1 -1
- data/spec/unit/configurer_spec.rb +5 -5
- data/spec/unit/face/node_spec.rb +1 -3
- data/spec/unit/file_serving/fileset_spec.rb +11 -11
- data/spec/unit/network/http/connection_spec.rb +2 -2
- data/spec/unit/pops/validator/validator_spec.rb +24 -10
- data/spec/unit/provider/package/windows/exe_package_spec.rb +3 -3
- data/spec/unit/provider/package/windows_spec.rb +4 -4
- data/spec/unit/provider/service/windows_spec.rb +21 -3
- data/spec/unit/provider/user/useradd_spec.rb +2 -2
- data/spec/unit/resource/catalog_spec.rb +2 -2
- data/spec/unit/ssl/host_spec.rb +1 -1
- data/spec/unit/transaction/persistence_spec.rb +4 -4
- data/spec/unit/util/execution_spec.rb +19 -1
- data/spec/unit/util/logging_spec.rb +58 -0
- data/spec/unit/util/windows/service_spec.rb +344 -191
- metadata +2 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 461aba1952200572aa6b0e6b875d85dcea71ed1cf376f4b393df225cc1ae14ba
|
4
|
+
data.tar.gz: 82b224a2c37d92c4b2ca49cbc2fe9dc639a56d0a64ef13ced257aca124745361
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dda52705c006cee47a267fdfdeb2827ee0fd2ad914a9630bd23c0d410bd0b2f2ba83a361fac72a4d91259d4cad6942de15e14322278f6354bc3c3cfee26f5728
|
7
|
+
data.tar.gz: ee4aea7d4f8b6f877780e8f36bcd89691b4fa6369812b152831559cfb37ce37225971f76443397ad3796fd21a96e5f25bf190a4f91aa971bce3a5bebb338ae37
|
data/Gemfile
CHANGED
@@ -31,13 +31,13 @@ group(:features) do
|
|
31
31
|
# gem 'ruby-augeas', require: false, platforms: [:ruby]
|
32
32
|
# requires native ldap headers/libs
|
33
33
|
# gem 'ruby-ldap', '~> 0.9', require: false, platforms: [:ruby]
|
34
|
-
gem 'puppetserver-ca', '~>
|
34
|
+
gem 'puppetserver-ca', '~> 1.1', require: false
|
35
35
|
end
|
36
36
|
|
37
37
|
group(:test) do
|
38
38
|
gem "json-schema", "~> 2.0", require: false
|
39
39
|
gem "mocha", '~> 1.5.0', require: false
|
40
|
-
gem "rake", '~> 12.2
|
40
|
+
gem "rake", *location_for(ENV['RAKE_LOCATION'] || '~> 12.2')
|
41
41
|
gem "rspec", "~> 3.1", require: false
|
42
42
|
gem "rspec-its", "~> 1.1", require: false
|
43
43
|
gem "rspec-collection_matchers", "~> 1.1", require: false
|
data/Gemfile.lock
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
PATH
|
2
2
|
remote: .
|
3
3
|
specs:
|
4
|
-
puppet (6.0.
|
4
|
+
puppet (6.0.3)
|
5
5
|
CFPropertyList (~> 2.2)
|
6
6
|
facter (>= 2.0.1, < 4)
|
7
7
|
fast_gettext (~> 1.1.2)
|
@@ -41,10 +41,10 @@ GEM
|
|
41
41
|
hocon (1.2.5)
|
42
42
|
hpricot (0.8.6)
|
43
43
|
httpclient (2.8.3)
|
44
|
-
json-schema (2.8.
|
44
|
+
json-schema (2.8.1)
|
45
45
|
addressable (>= 2.4)
|
46
46
|
locale (2.1.2)
|
47
|
-
memory_profiler (0.9.
|
47
|
+
memory_profiler (0.9.12)
|
48
48
|
metaclass (0.0.4)
|
49
49
|
method_source (0.9.0)
|
50
50
|
minitar (0.6.1)
|
@@ -52,10 +52,10 @@ GEM
|
|
52
52
|
metaclass (~> 0.0.1)
|
53
53
|
msgpack (1.2.4)
|
54
54
|
multi_json (1.13.1)
|
55
|
-
mustache (1.0
|
56
|
-
packaging (0.99.
|
55
|
+
mustache (1.1.0)
|
56
|
+
packaging (0.99.16)
|
57
57
|
artifactory
|
58
|
-
rake (~> 12.
|
58
|
+
rake (~> 12.3)
|
59
59
|
parallel (1.12.1)
|
60
60
|
parser (2.5.1.2)
|
61
61
|
ast (~> 2.4.0)
|
@@ -66,12 +66,12 @@ GEM
|
|
66
66
|
public_suffix (3.0.3)
|
67
67
|
puppet-resource_api (1.6.0)
|
68
68
|
hocon (>= 1.0)
|
69
|
-
puppetserver-ca (
|
69
|
+
puppetserver-ca (1.1.1)
|
70
70
|
facter (>= 2.0.1, < 4)
|
71
71
|
racc (1.4.9)
|
72
72
|
rainbow (2.2.2)
|
73
73
|
rake
|
74
|
-
rake (12.
|
74
|
+
rake (12.3.1)
|
75
75
|
rdiscount (2.2.0.1)
|
76
76
|
rdoc (6.0.4)
|
77
77
|
ronn (0.7.3)
|
@@ -86,7 +86,7 @@ GEM
|
|
86
86
|
rspec-expectations (>= 2.99.0.beta1)
|
87
87
|
rspec-core (3.8.0)
|
88
88
|
rspec-support (~> 3.8.0)
|
89
|
-
rspec-expectations (3.8.
|
89
|
+
rspec-expectations (3.8.2)
|
90
90
|
diff-lcs (>= 1.2.0, < 2.0)
|
91
91
|
rspec-support (~> 3.8.0)
|
92
92
|
rspec-its (1.2.0)
|
@@ -136,9 +136,9 @@ DEPENDENCIES
|
|
136
136
|
pry
|
137
137
|
puppet!
|
138
138
|
puppet-resource_api (~> 1.5)
|
139
|
-
puppetserver-ca (~>
|
139
|
+
puppetserver-ca (~> 1.1)
|
140
140
|
racc (= 1.4.9)
|
141
|
-
rake (~> 12.2
|
141
|
+
rake (~> 12.2)
|
142
142
|
rdoc (~> 6.0)
|
143
143
|
ronn (~> 0.7.3)
|
144
144
|
rspec (~> 3.1)
|
data/lib/puppet/application.rb
CHANGED
@@ -395,6 +395,8 @@ class Application
|
|
395
395
|
end
|
396
396
|
|
397
397
|
def setup_logs
|
398
|
+
handle_logdest_arg(Puppet[:logdest])
|
399
|
+
|
398
400
|
unless options[:setdest]
|
399
401
|
if options[:debug] || options[:verbose]
|
400
402
|
Puppet::Util::Log.newdestination(:console)
|
@@ -416,7 +418,10 @@ class Application
|
|
416
418
|
end
|
417
419
|
|
418
420
|
def handle_logdest_arg(arg)
|
421
|
+
return if options[:setdest] || arg.nil?
|
422
|
+
|
419
423
|
begin
|
424
|
+
Puppet[:logdest] = arg
|
420
425
|
Puppet::Util::Log.newdestination(arg)
|
421
426
|
options[:setdest] = true
|
422
427
|
rescue => detail
|
@@ -283,6 +283,7 @@ Copyright (c) 2011 Puppet Inc., LLC Licensed under the Apache 2.0 License
|
|
283
283
|
|
284
284
|
exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
|
285
285
|
|
286
|
+
handle_logdest_arg(Puppet[:logdest])
|
286
287
|
Puppet::Util::Log.newdestination(:console) unless options[:setdest]
|
287
288
|
|
288
289
|
Signal.trap(:INT) do
|
@@ -229,9 +229,9 @@ Copyright (c) 2017 Puppet Inc., LLC Licensed under the Apache 2.0 License
|
|
229
229
|
end
|
230
230
|
|
231
231
|
def setup
|
232
|
-
|
233
232
|
exit(Puppet.settings.print_configs ? 0 : 1) if Puppet.settings.print_configs?
|
234
233
|
|
234
|
+
handle_logdest_arg(Puppet[:logdest])
|
235
235
|
Puppet::Util::Log.newdestination(:console) unless options[:setdest]
|
236
236
|
|
237
237
|
Signal.trap(:INT) do
|
@@ -2,6 +2,9 @@ require 'puppet/application'
|
|
2
2
|
require 'puppet/ssl/oids'
|
3
3
|
|
4
4
|
class Puppet::Application::Ssl < Puppet::Application
|
5
|
+
|
6
|
+
run_mode :agent
|
7
|
+
|
5
8
|
def summary
|
6
9
|
_("Manage SSL keys and certificates for puppet SSL clients")
|
7
10
|
end
|
@@ -13,41 +16,68 @@ puppet-ssl(8) -- #{summary}
|
|
13
16
|
|
14
17
|
SYNOPSIS
|
15
18
|
--------
|
16
|
-
Manage SSL keys and certificates for
|
19
|
+
Manage SSL keys and certificates for SSL clients needing
|
17
20
|
to communicate with a puppet infrastructure.
|
18
21
|
|
19
22
|
USAGE
|
20
23
|
-----
|
21
|
-
puppet ssl <action> [
|
24
|
+
puppet ssl <action> [-h|--help] [-v|--verbose] [-d|--debug] [--localca]
|
25
|
+
|
26
|
+
|
27
|
+
OPTIONS
|
28
|
+
-------
|
29
|
+
|
30
|
+
* --help:
|
31
|
+
Print this help messsge.
|
32
|
+
|
33
|
+
* --verbose:
|
34
|
+
Print extra information.
|
35
|
+
|
36
|
+
* --debug:
|
37
|
+
Enable full debugging.
|
38
|
+
|
39
|
+
* --localca
|
40
|
+
Also clean the local CA certificate and CRL.
|
41
|
+
|
22
42
|
|
23
43
|
ACTIONS
|
24
44
|
-------
|
25
45
|
|
26
46
|
* submit_request:
|
27
|
-
Generate a certificate signing request (CSR) and submit it to the CA. If
|
28
|
-
public key pair already exist, they will be used to generate
|
29
|
-
key pair will be generated. If a CSR has already
|
30
|
-
then the operation will fail.
|
47
|
+
Generate a certificate signing request (CSR) and submit it to the CA. If
|
48
|
+
a private and public key pair already exist, they will be used to generate
|
49
|
+
the CSR. Otherwise a new key pair will be generated. If a CSR has already
|
50
|
+
been submitted with the given `certname`, then the operation will fail.
|
31
51
|
|
32
52
|
* download_cert:
|
33
|
-
Download a certificate for this host. If the current private key matches
|
34
|
-
certificate, then the certificate will be saved and used
|
35
|
-
there is already an existing certificate, it
|
53
|
+
Download a certificate for this host. If the current private key matches
|
54
|
+
the downloaded certificate, then the certificate will be saved and used
|
55
|
+
for subsequent requests. If there is already an existing certificate, it
|
56
|
+
will be overwritten.
|
36
57
|
|
37
58
|
* verify:
|
38
|
-
Verify the private key and certificate are present and match, verify the
|
39
|
-
issued by a trusted CA, and check revocation status.
|
59
|
+
Verify the private key and certificate are present and match, verify the
|
60
|
+
certificate is issued by a trusted CA, and check revocation status.
|
61
|
+
|
62
|
+
* clean:
|
63
|
+
Remove the private key and certificate related files for this host. If
|
64
|
+
`--localca` is specified, then also remove this host's local copy of the
|
65
|
+
CA certificate(s) and CRL bundle.
|
40
66
|
HELP
|
41
67
|
end
|
42
68
|
|
43
|
-
option('--
|
44
|
-
|
69
|
+
option('--localca')
|
70
|
+
option('--verbose', '-v')
|
71
|
+
option('--debug', '-d')
|
72
|
+
|
73
|
+
def setup_logs
|
74
|
+
set_log_level(options)
|
75
|
+
Puppet::Util::Log.newdestination(:console)
|
45
76
|
end
|
46
77
|
|
47
78
|
def main
|
48
79
|
if command_line.args.empty?
|
49
|
-
|
50
|
-
exit(1)
|
80
|
+
raise Puppet::Error, _("An action must be specified.")
|
51
81
|
end
|
52
82
|
|
53
83
|
Puppet.settings.use(:main, :agent)
|
@@ -57,77 +87,117 @@ HELP
|
|
57
87
|
case action
|
58
88
|
when 'submit_request'
|
59
89
|
submit_request(host)
|
60
|
-
download_cert(host)
|
90
|
+
cert = download_cert(host)
|
91
|
+
unless cert
|
92
|
+
Puppet.info _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
|
93
|
+
end
|
61
94
|
when 'download_cert'
|
62
|
-
download_cert(host)
|
95
|
+
cert = download_cert(host)
|
96
|
+
unless cert
|
97
|
+
raise Puppet::Error, _("The certificate for '%{name}' has not yet been signed") % { name: host.name }
|
98
|
+
end
|
63
99
|
when 'verify'
|
64
100
|
verify(host)
|
101
|
+
when 'clean'
|
102
|
+
clean(host)
|
65
103
|
else
|
66
|
-
|
67
|
-
exit(1)
|
104
|
+
raise Puppet::Error, _("Unknown action '%{action}'") % { action: action }
|
68
105
|
end
|
69
|
-
|
70
|
-
exit(0)
|
71
106
|
end
|
72
107
|
|
73
108
|
def submit_request(host)
|
74
109
|
host.ensure_ca_certificate
|
75
110
|
|
76
111
|
host.submit_request
|
77
|
-
|
112
|
+
Puppet.notice _("Submitted certificate request for '%{name}' to https://%{server}:%{port}") % {
|
113
|
+
name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
|
114
|
+
}
|
78
115
|
rescue => e
|
79
|
-
|
80
|
-
exit(1)
|
116
|
+
raise Puppet::Error.new(_("Failed to submit certificate request: %{message}") % { message: e.message }, e)
|
81
117
|
end
|
82
118
|
|
83
119
|
def download_cert(host)
|
84
120
|
host.ensure_ca_certificate
|
85
121
|
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
122
|
+
Puppet.info _("Downloading certificate '%{name}' from https://%{server}:%{port}") % {
|
123
|
+
name: host.name, server: Puppet[:ca_server], port: Puppet[:ca_port]
|
124
|
+
}
|
125
|
+
cert = host.download_host_certificate
|
126
|
+
return unless cert
|
127
|
+
|
128
|
+
Puppet.notice _("Downloaded certificate '%{name}' with fingerprint %{fingerprint}") % {
|
129
|
+
name: host.name, fingerprint: cert.fingerprint
|
130
|
+
}
|
131
|
+
cert
|
92
132
|
rescue => e
|
93
|
-
|
94
|
-
exit(1)
|
133
|
+
raise Puppet::Error.new(_("Failed to download certificate: %{message}") % { message: e.message }, e)
|
95
134
|
end
|
96
135
|
|
97
136
|
def verify(host)
|
98
137
|
host.ensure_ca_certificate
|
99
138
|
|
100
139
|
key = host.key
|
101
|
-
unless key
|
102
|
-
puts "The host's private key is missing"
|
103
|
-
exit(1)
|
104
|
-
end
|
140
|
+
raise _("The host's private key is missing") unless key
|
105
141
|
|
106
142
|
cert = host.check_for_certificate_on_disk(host.name)
|
107
|
-
unless cert
|
108
|
-
puts "The host's certificate is missing"
|
109
|
-
exit(1)
|
110
|
-
end
|
143
|
+
raise _("The host's certificate is missing") unless cert
|
111
144
|
|
112
145
|
if cert.content.public_key.to_pem != key.content.public_key.to_pem
|
113
|
-
|
114
|
-
exit(1)
|
146
|
+
raise _("The host's key does not match the certificate")
|
115
147
|
end
|
116
148
|
|
117
149
|
store = host.ssl_store
|
118
150
|
unless store.verify(cert.content)
|
119
|
-
|
120
|
-
|
151
|
+
raise _("Failed to verify certificate '%{name}': %{message} (%{error})") % {
|
152
|
+
name: host.name, message: store.error_string, error: store.error
|
153
|
+
}
|
121
154
|
end
|
122
155
|
|
123
|
-
|
156
|
+
Puppet.notice _("Verified certificate '%{name}'") % {
|
157
|
+
name: host.name
|
158
|
+
}
|
124
159
|
# store.chain.reverse.each_with_index do |issuer, i|
|
125
160
|
# indent = " " * (i+1)
|
126
|
-
#
|
161
|
+
# Puppet.notice "#{indent}#{issuer.subject.to_s}"
|
127
162
|
# end
|
128
|
-
exit(0)
|
129
163
|
rescue => e
|
130
|
-
|
131
|
-
|
164
|
+
raise Puppet::Error.new(_("Verify failed: %{message}") % { message: e.message }, e)
|
165
|
+
end
|
166
|
+
|
167
|
+
def clean(host)
|
168
|
+
# make sure cert has been removed from the CA
|
169
|
+
if Puppet[:certname] == Puppet[:ca_server]
|
170
|
+
cert =
|
171
|
+
begin
|
172
|
+
host.download_certificate_from_ca(Puppet[:certname])
|
173
|
+
rescue => e
|
174
|
+
raise Puppet::Error.new(_("Failed to connect to the CA to determine if certificate %{certname} has been cleaned") % { certname: Puppet[:certname] }, e)
|
175
|
+
end
|
176
|
+
|
177
|
+
if cert
|
178
|
+
raise Puppet::Error, _(<<END) % { certname: Puppet[:certname] }
|
179
|
+
The certificate %{certname} must be cleaned from the CA first. To fix this,
|
180
|
+
run the following commands on the CA:
|
181
|
+
puppetserver ca clean --certname %{certname}
|
182
|
+
puppet ssl clean
|
183
|
+
END
|
184
|
+
end
|
185
|
+
end
|
186
|
+
|
187
|
+
settings = {
|
188
|
+
hostprivkey: 'private key',
|
189
|
+
hostpubkey: 'public key',
|
190
|
+
hostcsr: 'certificate request',
|
191
|
+
hostcert: 'certificate',
|
192
|
+
passfile: 'private key password file'
|
193
|
+
}
|
194
|
+
settings.merge!(localcacert: 'local CA certificate', hostcrl: 'local CRL') if options[:localca]
|
195
|
+
settings.each_pair do |setting, label|
|
196
|
+
path = Puppet[setting]
|
197
|
+
if Puppet::FileSystem.exist?(path)
|
198
|
+
Puppet::FileSystem.unlink(path)
|
199
|
+
Puppet.notice _("Removed %{label} %{path}") % { label: label, path: path }
|
200
|
+
end
|
201
|
+
end
|
132
202
|
end
|
133
203
|
end
|
data/lib/puppet/defaults.rb
CHANGED
@@ -963,6 +963,15 @@ EOT
|
|
963
963
|
}
|
964
964
|
end
|
965
965
|
end
|
966
|
+
},
|
967
|
+
:logdest => {
|
968
|
+
:type => :string,
|
969
|
+
:desc => "Where to send log messages. Choose between 'syslog' (the POSIX syslog
|
970
|
+
service), 'eventlog' (the Windows Event Log), 'console', or the path to a log
|
971
|
+
file."
|
972
|
+
# Sure would be nice to set the Puppet::Util::Log destination here in an :on_initialize_and_write hook,
|
973
|
+
# unfortunately we have a large number of tests that rely on the logging not resetting itself when the
|
974
|
+
# settings are initialized as they test what gets logged during settings initialization.
|
966
975
|
}
|
967
976
|
)
|
968
977
|
|
@@ -975,65 +984,41 @@ EOT
|
|
975
984
|
:cadir => {
|
976
985
|
:default => "$ssldir/ca",
|
977
986
|
:type => :directory,
|
978
|
-
:owner => "service",
|
979
|
-
:group => "service",
|
980
|
-
:mode => "0755",
|
981
987
|
:desc => "The root directory for the certificate authority.",
|
982
988
|
},
|
983
989
|
:cacert => {
|
984
990
|
:default => "$cadir/ca_crt.pem",
|
985
991
|
:type => :file,
|
986
|
-
:owner => "service",
|
987
|
-
:group => "service",
|
988
|
-
:mode => "0644",
|
989
992
|
:desc => "The CA certificate.",
|
990
993
|
},
|
991
994
|
:cakey => {
|
992
995
|
:default => "$cadir/ca_key.pem",
|
993
996
|
:type => :file,
|
994
|
-
:owner => "service",
|
995
|
-
:group => "service",
|
996
|
-
:mode => "0640",
|
997
997
|
:desc => "The CA private key.",
|
998
998
|
},
|
999
999
|
:capub => {
|
1000
1000
|
:default => "$cadir/ca_pub.pem",
|
1001
1001
|
:type => :file,
|
1002
|
-
:owner => "service",
|
1003
|
-
:group => "service",
|
1004
|
-
:mode => "0644",
|
1005
1002
|
:desc => "The CA public key.",
|
1006
1003
|
},
|
1007
1004
|
:cacrl => {
|
1008
1005
|
:default => "$cadir/ca_crl.pem",
|
1009
1006
|
:type => :file,
|
1010
|
-
:owner => "service",
|
1011
|
-
:group => "service",
|
1012
|
-
:mode => "0644",
|
1013
1007
|
:desc => "The certificate revocation list (CRL) for the CA.",
|
1014
1008
|
},
|
1015
1009
|
:csrdir => {
|
1016
1010
|
:default => "$cadir/requests",
|
1017
1011
|
:type => :directory,
|
1018
|
-
:owner => "service",
|
1019
|
-
:group => "service",
|
1020
|
-
:mode => "0755",
|
1021
1012
|
:desc => "Where the CA stores certificate requests.",
|
1022
1013
|
},
|
1023
1014
|
:signeddir => {
|
1024
1015
|
:default => "$cadir/signed",
|
1025
1016
|
:type => :directory,
|
1026
|
-
:owner => "service",
|
1027
|
-
:group => "service",
|
1028
|
-
:mode => "0755",
|
1029
1017
|
:desc => "Where the CA stores signed certificates.",
|
1030
1018
|
},
|
1031
1019
|
:serial => {
|
1032
1020
|
:default => "$cadir/serial",
|
1033
1021
|
:type => :file,
|
1034
|
-
:owner => "service",
|
1035
|
-
:group => "service",
|
1036
|
-
:mode => "0644",
|
1037
1022
|
:desc => "Where the serial number for certificates is stored.",
|
1038
1023
|
},
|
1039
1024
|
:autosign => {
|
@@ -1082,9 +1067,6 @@ EOT
|
|
1082
1067
|
:cert_inventory => {
|
1083
1068
|
:default => "$cadir/inventory.txt",
|
1084
1069
|
:type => :file,
|
1085
|
-
:mode => "0644",
|
1086
|
-
:owner => "service",
|
1087
|
-
:group => "service",
|
1088
1070
|
:desc => "The inventory file. This is a text file to which the CA writes a
|
1089
1071
|
complete listing of all certificates.",
|
1090
1072
|
}
|