Fixes #15538 - make sure the rpms from ssl-build are used (#91)

Before this patch, we were relying on the fact that the latest rpms are always better. However, people often try to rollback to the previous state of ssl-build and this behavior of the certs script was causing more troubles than benefits. After this change, we always use the latest version we have available in ssl-build by checking if that's what's already installed on the system or not. While trying to rollback to some older version of certs, I was hitting the nssdb errors, as we were not cleaning the certs in there properly. Therefore I've reused the resource we already had there for certutil, to clean up certs first.
theforeman · Jul 6, 2016 · df36e80 · df36e80
1 parent 3571f01
commit df36e80
Show file tree

Hide file tree

Showing 4 changed files with 19 additions and 16 deletions.
diff --git a/lib/puppet/provider/katello_ssl_tool.rb b/lib/puppet/provider/katello_ssl_tool.rb
@@ -62,7 +62,7 @@ def deploy?
       return false unless resource[:deploy]
       return true if resource[:regenerate]
       return true if files_to_deploy.any? { |file| ! File.exist?(file) }
-      return true if new_version_available?
+      return true if needs_deploy?
     end
 
     def files_to_deploy
@@ -71,19 +71,20 @@ def files_to_deploy
 
     def deploy!
       if File.exists?(rpmfile)
-        # the rpm is available locally on the file system
+        if(system("rpm -q #{rpmfile_base_name} &>/dev/null"))
+          rpm('-e', rpmfile_base_name)
+        end
         rpm('-Uvh', '--force', rpmfile)
       else
         # we search the rpm in yum repo
         yum("install", "-y", rpmfile_base_name)
       end
     end
 
-    def new_version_available?
+    def needs_deploy?
       if File.exists?(rpmfile)
-        current_version = version_from_name(`rpm -q #{rpmfile_base_name}`)
-        latest_version = version_from_name(`rpm -pq #{rpmfile}`)
-        (latest_version <=> current_version) > 0
+        # the installed version doesn't match the rpmfile
+        !system("rpm --verify -p #{rpmfile} &>/dev/null")
       else
         `yum check-update #{rpmfile_base_name} &>/dev/null`
         $?.exitstatus == 100

diff --git a/manifests/candlepin.pp b/manifests/candlepin.pp
@@ -73,8 +73,9 @@
     privkey { $client_key:
       key_pair => Cert[$java_client_cert_name],
     } ~>
-    exec { 'candlepin-add-client-cert-to-nss-db':
-      command     => "certutil -A -d '${::certs::nss_db_dir}' -n 'amqp-client' -t ',,' -a -i '${client_cert}'",
+    certs::ssltools::certutil { 'amqp-client':
+      nss_db_dir  => $::certs::nss_db_dir,
+      client_cert => $client_cert,
       refreshonly => true,
       subscribe   => Exec['create-nss-db'],
       notify      => Service['qpidd'],

diff --git a/manifests/qpid.pp b/manifests/qpid.pp
@@ -71,19 +71,20 @@
       path    => '/usr/bin',
       creates => $nssdb_files,
     } ~>
-    exec { 'add-ca-cert-to-nss-db':
-      command     => "certutil -A -d '${::certs::nss_db_dir}' -n 'ca' -t 'TCu,Cu,Tuw' -a -i '${certs::ca_cert}'",
-      path        => '/usr/bin',
+    certs::ssltools::certutil { 'ca':
+      nss_db_dir  => $::certs::nss_db_dir,
+      client_cert => $::certs::ca_cert,
+      trustargs   => 'TCu,Cu,Tuw',
       refreshonly => true,
     } ~>
     file { $nssdb_files:
       owner => 'root',
       group => $certs::qpidd_group,
       mode  => '0640',
     } ~>
-    exec { 'add-broker-cert-to-nss-db':
-      command     => "certutil -A -d '${::certs::nss_db_dir}' -n 'broker' -t ',,' -a -i '${client_cert}'",
-      path        => '/usr/bin',
+    certs::ssltools::certutil { 'broker':
+      nss_db_dir  => $::certs::nss_db_dir,
+      client_cert => $client_cert,
       refreshonly => true,
     } ~>
     exec { 'generate-pfx-for-nss-db':

diff --git a/manifests/ssltools/certutil.pp b/manifests/ssltools/certutil.pp
@@ -1,5 +1,5 @@
 # type to append cert to nssdb
-define certs::ssltools::certutil($nss_db_dir, $client_cert, $cert_name=$title, $refreshonly = true) {
+define certs::ssltools::certutil($nss_db_dir, $client_cert, $cert_name=$title, $refreshonly = true, $trustargs = ',,') {
   Exec['create-nss-db'] ->
   exec { "delete ${cert_name}":
     path        => ['/bin', '/usr/bin'],
@@ -10,7 +10,7 @@
   } ->
   exec { $cert_name:
     path        => ['/bin', '/usr/bin'],
-    command     => "certutil -A -d '${nss_db_dir}' -n '${cert_name}' -t ',,' -a -i '${client_cert}'",
+    command     => "certutil -A -d '${nss_db_dir}' -n '${cert_name}' -t '${trustargs}' -a -i '${client_cert}'",
     unless      => "certutil -L -d ${nss_db_dir} | grep '${cert_name}'",
     logoutput   => true,
     refreshonly => $refreshonly,