ca_trust

Table of Contents

• Overview
  • Supported Platforms
• Module Description
• Setup
• Usage
  • Legacy PEM Anchors
  • Anchors from Hiera
• Facts
• Tasks
• Development
• TODO
• Changes

Overview

Manage CA Trust anchors within the ca-certificates framework.

Supported Platforms

• RedHat & Derivatives >= 6.x
• Debian & Derivatives >= 8.x
• Fedora >= 25

Note: RedHat 6, and deriviates, alongside Debian 8 are now depricated. The EOL of these products is less than a year away. Support for these products will be removed when they reach end of life.

CentOS 8 and Ubuntu 20 do not yet undergo acceptance testing. All other testing applies, but beaker is not yet ready to support these platforms.

Module Description

The ca_trust module is for managing additions to the root CA bundle supplied by OS vendors. Used by applications to establish trust, the root CA bundle is usually shipped containing only 3rd party or commercial CA certificates. Administrators are expected to add their own internal or self signed certificates to the OS vendor supplied bundles as needed.

The module currently supports adding PEM encoded CA anchors.

Setup

To prepare supported operating systems to receive new trusted CA anchors.

include ca_trust

To do the same, but include non-standard options.

class { '::ca_trust':
  cert_dir => '/some/other/directory',
}

See [Reference](REFERENCE#ca_trust) for all options supported by the main class.

Usage

On supported operating systems, the [Setup](#setup) process is entirely unnecessary, simply begin by declaring any [ca_trust::pem::anchors](#pem-anchors) necessary.

If things need to be customized, then the ca_trust main class can be specified explicitly, like it is in the [Setup](#setup) section. Alternatively, the ca_trust main class may be customized via hiera.

---
# Hiera YAML file.
# Use some other command to update root bundle certificates instead of
# OS default.
ca_trust::update_cmd: /some/other/binary

# Puppet profile.

include ca_trust

Legacy PEM Anchors

To install new CA certificates into the operating system's trusted bundle, use the ca_trust::pem::anchor type. When specifying anchors, do not specify the filename extension (.crt, .pem, etc.). Some platforms are picky about the extension used, so the module will choose the appropriate default for the platform. For instance, Debian expects the certificates to end in .crt.

ca_trust::pem::anchor { 'self-signed':
  source => 'puppet:///modules/profile/node-one/self-signed-cert.pem',
}

ca_trust::pem::anchor { 'expired-cert':
  ensure => 'absent',
}

ca_trust::pem::anchor { 'My Company\'s Internal CA':
  source   => 'puppet:///modules/profile/organization-ca.pem',
  filename => 'org-ca',
}

$cert_data = @(EOT)
----- BEGIN CERTIFICATE -----
...blah blah blah, PEM encoded certificate here....
----- END CERTIFICATE -----
| EOT

ca_trust::pem::anchor { 'Org-CA':
  content => $cert_data,
}

For convienience you may also specify any anchors you'd like when you declare the ca_trust class, if you are doing so explicitly.

class { '::ca_trust':
  update_cmd => 'my-custom-command.sh',
  anchors    => {
    'org-ca' => {
      'source' => 'puppet:///modules/profile/my-company-ca.pem',
    },
    'expired-ca' => {
      'ensure' => 'absent',
    },
  },
}

Anchors from Hiera

The class ca_trust::pem::anchors is included for hiera convienience. With it, you may pass in a hash of ca_trust::pem::anchor resources to manage.

---
# Node's hiera yaml.
ca_trust::pem::anchors::resources:
  org-ca: 
    source: puppet:///modules/profile/my-company-ca.pem
  expired-ca:
    ensure: absent
  my-ca:
    content: >
      ----- BEGIN CERTIFICATE ------
      .... cert data here .....
      ----- END CERTIFICATE -----

Facts

The following facts are exposed.

trust_bundle - On supported operating systems this fact resolves to the path of the system-wide trusted CA bundle. bundled_authorities - This fact exposes pertinent information for each certificate in the bundle. It returns a hash, keyed on fingerprint.

e.g.

$:facts['bundled_authorities'] = {
  b561ebeaa4dee4254b691a98a55747c234c7d971 => {
    subject => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    issuer => "/C=SK/L=Bratislava/O=Disig a.s./CN=CA Disig Root R2",
    not_before => "2012-07-19 09:15:30 UTC",
    not_after => "2042-07-19 09:15:30 UTC"
  },
  ...,
  e2b8294b5584ab6b58c290466cac3fb8398f8483 => {
    subject => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    issuer => "/C=CN/O=China Financial Certification Authority/CN=CFCA EV ROOT",
    not_before => "2012-08-08 03:07:01 UTC",
    not_after => "2029-12-31 03:07:01 UTC"
  }

Tasks

ca_trust::rebuild - Rebuilds the system's CA trust bundle using the operating system's prescribed manner. Note that this rebuild will include any ca_trust::pem::anchors already installed on the system. This will not reset the bundle to system default.

Development

This module has been converted to use the [Puppet Development Kit](https://puppet.com/docs/pdk/1.x/pdk.html).

Source Validation

pdk validate

Unit Testing

pdk test unit

For better output, or to debug a specific spec, the old standby bundle exec rake spec_prep and bundle exec rspec <filename> still functions flawlessly. Be sure to run bundle exec rake spec_clean before going back to pdk test unit though.

TODO

• When beaker is ready to support CentOS 8 and Ubuntu 20, add them to nodesets.
• Eventually support should be added for Windows platforms, to install new CA's into the system or user Certificate databases.

Changes

See the [change log](CHANGELOG).

Reference

Class Index

Public Classes

• ca_trust: Main class for module.
• ca_trust::pem::anchors: Expands hash of ca_trust::pem::anchor types into declared resources.

Private Clases

• ca_trust::params: OS Specific defaults.
• ca_trust::install: Manages package installation

Defined Type Index

Public Defined Types

• ca_trust::pem::anchor: Create or remove a CA certificate in/from the trusted bundle.

Type Alias Index

Public Aliases

• ca_trust::resources::anchor: Defines the standard for anchor resources.
• ca_trust::resources::anchors: Defines the standard for a hash of anchor resources.

Fact Index

• trust_bundle: Resolves to the absolute path of the system CA bundle.
• bundled_authorities: Resolves to an array of certificate information for each authority in the bundle.

Task Index

• ca_trust::rebuild: Force a rebuild of the system's CA trust bundle.

Public Classes

ca_trust

Example

Customize the ca_trust system.

class { '::ca_trust':
  cert_dir        => '/usr/share/pki/ca-trust-source',
  update_cmd      => 'custom_updater.sh',
  package_name    => 'customized-ca-certs',
  package_version => '1.0.0',
  anchors         => { 
    'my-ca' => {
      source => 'puppet:///profile/self-signed.crt',
    },
  },
}

Parameters

cert_dir

Data Type: Stdlib::Absolutepath

Description: The directory which is designed to contain loose certificate files. This module does not create this, or parent directories. It assumes the directories were provided by the operating system package.

Default Value: OS Dependent

• RedHat & Derivatives: /usr/share/pki/ca-trust-source
• Debian & Derivatives: /usr/local/share/ca-certificates

update_cmd

Data Type: String

Description: Name of the command to invoke in order to rebuild the root CA bundle out of loose certificate files.

Default Value: OS Dependent

• RedHat & Derivatives: update-ca-trust
• Debian & Derivatives: update-ca-certificates

package_name

Data Type: String

Description: The name of the package which provides the cert_dir and update_cmd.

Default Value: OS Dependent, just happens to be the same on all supported OSes at the moment.

• RedHat, Debian & Derivatives: ca-certificates

package_version

Data Type: String

Description: Specify the precise version of the package_name package to install or pin. Besides a version, this parameter also accepts present, installed and latest. See [Puppet Package Resource](https://puppet.com/docs/puppet/5.5/types/package.html) for more details about thise options.

Default Value: present

manage_pkg

Data Type: Boolean

Description: If set to true, this module will ensure that the CA Trust package is installed, and is of the version specified by package_version. If set to false, this module will ignore the package entirely.

Default Value: true

anchors

Data Type: Ca_Trust::Resource::Anchors

Description: An optional hash of ca_trust::pem::anchor resources that will be autocreated.

Default Value: {}

ca_trust::pem::anchors

Example 1

Create multiple ca_trust::pem::anchor resources with a hash.

$cert_data = @(EOT)
----- BEGIN CERTIFICATE -----
... certificate data ...
----- END CERTIFICATE -----
| EOT

$anchors = {
  'org-ca' => {
    'source' => 'puppet:///modules/profile/company-ca.pem',
  },
  'self-signed' => {
    'source' => 'puppet:///modules/profile/node_one/cert.crt',
  },
  'expired-ca' => {
    'ensure' => 'absent',
  },
  'another-ca' => {
    'content' => $cert_data,
  }
}

class { '::ca_trust::pem::anchors':
  anchors => $anchors,
}

Example 2

The main purpose of this class is for hiera convienience.

---
# In the hiera YAML.
ca_trust::pem::anchors::resources:
  org-ca:
    source: puppet:///modules/profile/company-ca.pem
  self-signed:
    source: puppet:///modules/profile/node_one/cert.crt
  expired-ca:
    ensure: absent
  another-ca:
    content: >
      ----- BEGIN CERTIFICATE -----
      .... data here .....
      ----- END CERTIFICATE -----

# Node profile.
include ca_trust::pem::anchors

Parameters

resources Data Type: ca_trust::resource::anchors

A hash of ca_trust::pem::anchor resources.

Default Value: {}

Public Defined Types

ca_trust::pem::anchor ###

Example

ca_trust::pem::anchor { 'ca-cert':
  ensure   => 'present',
  source   => 'puppet:///modules/profile/ca-cert.pem',
  filename => 'ca-cert'
}

$cert_data = @(EOT)
----- BEGIN CERTIFICATE -----
... cert data ...
----- END CERTIFICATE -----
| EOT

ca_trust::pem::anchor { 'ca-cert-from-content':
  ensure  => 'present',
  content => $cert_data,
}

@

Parameters

ensure

Data Type: Enum['present','absent']

Description: If present the CA anchor will be created on the filesystem. If absent, the CA anchor will be removed from the filesystem if it existed. In either case, the CA bundle update command will be notified.

Default Value: present

source

Data Type: String

Description: The location from which the specified anchor will be downloaded. See [Puppet File Resource: source](https://puppet.com/docs/puppet/5.5/types/file.html#file-attribute-source) parameter documentation for more details. One of content or source must be specified if ensure is present. If both source and content are defined, content takes precedence.

Default Value: None, undef.

content Data Type: String

Description: The contents of the certificate to be written to the file. One of source or content must be specified if ensure is present. If both are specified, content takes precedence. See [Puppet File Resource: content](https://puppet.com/docs/puppet/5.5/types/file.html#file-attribute-content) for more details.

Default Value: None, undef

Description

filename Data Type: Pattern[/\A[^\\\/]+\z/]

Description: The name of the file that will be created inside the cert_dir when the CA anchor is created. This is not an absolute path, just a file name without an extension.

Default Value: (namevar)

Public Aliases

ca_trust::resources::anchor

Definition

type Ca_trust::Resource::Anchor = Struct[{
  Optional[ensure]   => Enum['present','absent'],
  source             => String[1],
  Optional[filename] => Pattern[/\A[^\\\/]+[^(\.pem|\.crt)]\z],
}]

Example Matching Values

{ 
  'source' => 'puppet:///modules/profile/my-internal-ca.pem',
}

{ 
  'ensure' => 'present',
  'source' => 'puppet:///modules/profile/my-internal-ca.pem',
}

{ 
  'ensure'   => 'absent',
  'source'   => 'puppet:///modules/profile/my-internal-ca.pem',
  'filename' => 'org-ca',
}

ca_trust::resources::anchors

Definition

type Ca_trust::Resource::Anchors = Hash[String[1], Ca_trust::Resource::Anchor]

Example Matching Values

{ 
  'org-ca' => {
    'source' => 'puppet:///modules/profile/my-internal-ca.pem',
  },
  'another' => {
    'ensure' => 'present',
    'source' => 'puppet:///modules/profile/my-internal-ca.pem',
  },
  'my-company-ca' => {
    'ensure'   => 'absent',
    'source'   => 'puppet:///modules/profile/my-internal-ca.pem',
    'filename' => 'org-ca',
  },
},

Fact Index

$::facts['trust_bundle']

Resolves to the path of the systemwide CA trust PEM bundle. On RedHat & deriviatives this file should be under /etc/pki/, on Debian bases, it will be under /etc/ssl.

$::facts['bundled_authorities']

Resolves to an array of hashes, with each containing the subject, issuer, not_before, not_after, and fingerprint` for each PEM in the root bundle.

Example:

{
  '93057a8815c64fce882ffa9116522878bc536417' => {
    'subject'     => '/C=US/ST=Nowhere/L=Some City/O=Some Org/CN=someserver.somedomain',
    'issuer'      => '/C=US/ST=SomeState/OU=SomeIssuer',
    'not_before'  => '2011-05-05 09:37:37 UTC',
    'not_after'   => '2030-12-31 09:37:37 UTC',
  },
  ...
}

Task Index

ca_trust::rebuild:

Parameters: None Exit Code: 0 on success, other than 0 on errors.

RELEASE 1.1.5

• Removal Warning - Testing and Support has been removed for:
  • EL6 & Derivatives
  • Debian 8 & Derivatives
• Deprication Warning:
  • Testing and support for Puppet Versions < 5.5 and PE 2018.1 is marked for deprication and will be removed in a future release.
  • Testing and support for Fedora will be removed if Beaker doesn't update their Fedora repository packages.
• Added:
  • Testing and support for Puppet 6.17 and PE 2019.8

• Moved acceptance testing to Beaker 4.26 and Puppet 6.x to support Ubuntu 20.04

• Updated for PDK 1.18.1

RELEASE 1.1.4

Summary

• Deprication Warning - These distributions are nearing their end of support, and are now marked for deprication.
  • EL 6
  • Debian 8
• Added testing for platforms.
  • EL 8
  • Debian 10
• Support removal
  • Fedora < 28

RELEASE 1.1.3

Summary

• Updated module to utilize PDK version 1.14.1 from 1.12.0
• Added Syntax and Unit testing for PE 2018.1, and 2019.1

RELEASE 1.1.2

Summary

• Updated module to utilize PDK version 1.12.0 from 1.10.0.
• Added syntax, unit, and acceptance tests for Puppet 6.5.
• Fixed puppet requirement tags. Was >= 4.7, when should have been >= 5.5.
• Updated Fedora acceptance testing from 26 to 29.
  • Support for Fedora <= 27 has been removed.
  • Fedora 30 repo is not yet available at yum.puppetlabs.com.

RELEASE 1.1.1

Summary

Fixed a few minor bugs.

Bugfixes

• Fixed issues-5
• Fixed issues-7

RELEASE 1.1.0

Summary

The planned list certs in bundle task has been replaced with the bundled_authorities fact. The idea to use a Puppet Task to do this was not a very good one. Facts lend themselves to this sort of thing much better than tasks. Since this would have been a read-only operation anyway, I decided that task was not the way to go to do this.

The release of the task to list certs was planned to be the 1.1.0 release, so since that implementation has been scrubbed, I'll move forward with the 1.1.0 release being the introduction of the bundled_authorities fact.

Implemented a task which forces a rebuild of the trust bundle.

Features

• Implemented bundled_authorities fact.
• Implemented ca_trust::rebuild task.

Bugfixes

• Fixed the reference docuementation that mistakenly labeled the trust_bundle fact as trusted_bundle.

RELEASE 1.0.1

Summary

Fixes a variety of bugs, and bumps PDK version.

Features

• ca_trust::pem::anchor can now be specified with content instead of only source, so the raw content of certificates can be used.
  • TODO: Allow CA cert to be set by content as well as source
• Updated module tools to PDK 1.7.

Bugfixes

• Documentation: reference examples
  • ca_trust::pem::anchor documentation didn\'t match implementation.
  • Relative links between documents don't work on the Forge website.
  • Some smples in REFERENCE.md show RHEL's default cert_dir incorrectly.
• Bug: Type Ca_trust::Resource::Anchor will fail when ensure: absent, and source: nil
  • The ca_trust::resource::anchor custom type doesn't match the expectation of ca_trust::pem::anchor
• Documentation: Type Alias Examples

RELEASE 1.0.0

Summary

This release provides the first implementation of core features.

Features

• Adds Class ca_trust. This class manages the RedHat/Debian ca-certificates capability.
• Adds Class ca_trust::pem::anchors. This class can be used for hiera convienience. It will pull in a hiera hash of ca_trust::pem::anchor values and create resources from it.
• Adds Type ca_trust::pem::anchor. This type adds/removes a CA anchor from the OS bundle.
• Adds Fact trust_bundle. This fact exposes the location of the system CA bundle.

Bugfixes

• N/A