Add the Zanata server CRT into the Java keystore
Java does not like to make connections to untrusted HTTPS hosts, and makes it rather difficult to not verify the certificate and its CA chain, like our Python scripts are currently doing. To that end, drag down the CRT for the configured Zanata server, and inject it into the default Java keystore -- since passing a non-default keystore would also require changes to Zanata. Change-Id: If6aaf4d560acc25e626027d82ed103dd46328802 Depends-On: I32ef72eba436c338052be2eb83ce39e4400d047c
This commit is contained in:
parent
b54e390e88
commit
e84aa3e90a
@ -26,6 +26,7 @@ class zanata::client(
|
|||||||
) {
|
) {
|
||||||
|
|
||||||
$server_id = parse_server_id($server_url)
|
$server_id = parse_server_id($server_url)
|
||||||
|
$server_name = regsubst($server_id, '_', '.', 'G')
|
||||||
|
|
||||||
file { '/opt/zanata':
|
file { '/opt/zanata':
|
||||||
ensure => directory,
|
ensure => directory,
|
||||||
@ -50,6 +51,36 @@ class zanata::client(
|
|||||||
require => Exec['get_zanata_client_dist_tarball'],
|
require => Exec['get_zanata_client_dist_tarball'],
|
||||||
}
|
}
|
||||||
|
|
||||||
|
exec { 'get_zanata_server_certificate':
|
||||||
|
command => "openssl s_client -connect ${server_name}:443 -prexit 2>/dev/null | openssl x509 -in /dev/stdin -out /opt/zanata/${server_id}.crt",
|
||||||
|
path => '/bin:/usr/bin',
|
||||||
|
creates => "/opt/zanata/${server_id}.crt",
|
||||||
|
require => File['/opt/zanata'],
|
||||||
|
}
|
||||||
|
|
||||||
|
file { "/opt/zanata/${server_id}.crt":
|
||||||
|
ensure => present,
|
||||||
|
owner => $user,
|
||||||
|
group => $group,
|
||||||
|
mode => '0644',
|
||||||
|
require => Exec['get_zanata_server_certificate'],
|
||||||
|
}
|
||||||
|
|
||||||
|
java_ks { 'zanata_server:keystore':
|
||||||
|
ensure => latest,
|
||||||
|
certificate => "/opt/zanata/${server_id}.crt",
|
||||||
|
target => '/etc/ssl/certs/java/cacerts',
|
||||||
|
password => 'changeit',
|
||||||
|
require => File["/opt/zanata/${server_id}.crt"],
|
||||||
|
}
|
||||||
|
|
||||||
|
file { '/etc/ssl/certs/java/cacerts':
|
||||||
|
owner => 'root',
|
||||||
|
group => 'root',
|
||||||
|
mode => '0644',
|
||||||
|
require => Java_ks['zanata_server:keystore']
|
||||||
|
}
|
||||||
|
|
||||||
exec { 'unpack_zanata_client_dist_tarball':
|
exec { 'unpack_zanata_client_dist_tarball':
|
||||||
command => "tar zxf zanata-cli-${version}-dist.tar.gz",
|
command => "tar zxf zanata-cli-${version}-dist.tar.gz",
|
||||||
path => '/bin:/usr/bin',
|
path => '/bin:/usr/bin',
|
||||||
|
Loading…
Reference in New Issue
Block a user