uib · raykrist · Jan 23, 2016 · Jan 23, 2016 · Jan 23, 2016 · Jan 23, 2016
diff --git a/manifests/modules/mod_ssl.pp b/manifests/modules/mod_ssl.pp
@@ -35,6 +35,8 @@
   $ipv6_addr      = $::httpd::ipv6_addr,
   $interface      = $::httpd::interface,
   $scl            = $::httpd::scl,
+  $ssl_key_group  = 'root',
+  $ssl_port       = '443',
   $package        = 'mod_ssl'
 ) {
 
@@ -66,9 +68,9 @@
   }
 
   file { 'ssl_inc':
-    path =>  "${config_dir}/conf.d/ssl-eth0.inc",
-    ensure => present,
-    content => template("httpd/conf.d/ssl-eth0.inc.erb"),
+    ensure  => present,
+    path    =>  "${config_dir}/conf.d/ssl-eth0.inc",
+    content => template('httpd/conf.d/ssl-eth0.inc.erb'),
     replace => $replace,
     require => Package[$package],
     notify  => Class['::httpd::service']
@@ -81,20 +83,24 @@
   }
 
   file { 'ssl_crt':
-    path => "/etc/pki/tls/certs/${ssl_keys}.crt",
+    path    => "/etc/pki/tls/certs/${ssl_keys}.crt",
     require => Package[$package]
   }
   file { 'ssl_key':
-    path => "/etc/pki/tls/private/${ssl_keys}.key",
-    mode => '0600',
-    require =>Package[$package]
+    path    => "/etc/pki/tls/private/${ssl_keys}.key",
+    mode    => $ssl_key_group? {
+      'root'  => '0600',
+      default => '0640'
+    },
+    group   => $ssl_key_group,
+    require => Package[$package]
   }
 
   if $cachain_source {
     file { 'cachain':
-      path    => "/etc/pki/tls/certs/cachain.pem",
       ensure  => file,
-      source  => "puppet:///modules/$cachain_source",
+      path    => '/etc/pki/tls/certs/cachain.pem',
+      source  => "puppet:///modules/${cachain_source}",
       require => Package[$package]
     }
   }

diff --git a/templates/conf.d/22/ssl.conf.erb b/templates/conf.d/22/ssl.conf.erb
@@ -1,21 +1,21 @@
 #
 # This is the Apache server configuration file providing SSL support.
 # It contains the configuration directives to instruct the server how to
-# serve pages over an https connection. For detailing information about these 
+# serve pages over an https connection. For detailing information about these
 # directives see <URL:http://httpd.apache.org/docs/2.2/mod/mod_ssl.html>
-# 
+#
 # Do NOT simply read the instructions in here without understanding
 # what they do.  They're here only as hints or reminders.  If you are unsure
-# consult the online docs. You have been warned.  
+# consult the online docs. You have been warned.
 #
 
 LoadModule ssl_module modules/mod_ssl.so
 
 #
-# When we also provide SSL we have to listen to the 
+# When we also provide SSL we have to listen to the
 # the HTTPS port in addition.
 #
-Listen 443
+Listen <%= @ssl_port %>
 
 ##
 ##  SSL Global Context
@@ -31,18 +31,18 @@ Listen 443
 SSLPassPhraseDialog  builtin
 
 #   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
+#   Configure the SSL Session Cache: First the mechanism
 #   to use and second the expiring timeout (in seconds).
 SSLSessionCache         shmcb:/var/cache/mod_ssl/scache(512000)
 SSLSessionCacheTimeout  300
 
 #   Semaphore:
 #   Configure the path to the mutual exclusion semaphore the
-#   SSL engine uses internally for inter-process synchronization. 
+#   SSL engine uses internally for inter-process synchronization.
 SSLMutex default
 
 #   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
+#   Configure one or more sources to seed the PRNG of the
 #   SSL library. The seed data should be of good random quality.
 #   WARNING! On some platforms /dev/random blocks if not enough entropy
 #   is available. This means you then cannot use the /dev/random device
@@ -62,7 +62,7 @@ SSLRandomSeed connect builtin
 # accelerators. Use "openssl engine -v" to list supported
 # engine names.  NOTE: If you enable an accelerator and the
 # server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
+# your accelerator is functioning properly.
 #
 SSLCryptoDevice builtin
 #SSLCryptoDevice ubsec
@@ -175,7 +175,7 @@ SSLCryptoDevice builtin
 #     and no other module can change it.
 #   o OptRenegotiate:
 #     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
+#     directives are used in per-directory context.
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 #<Files ~ "\.(cgi|shtml|phtml|php3?)$">
 #    SSLOptions +StdEnvVars
@@ -201,7 +201,7 @@ SSLCryptoDevice builtin
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 #     practice often causes hanging connections with brain-dead browsers. Use
 #     this only for browsers where you know that their SSL implementation
-#     works correctly. 
+#     works correctly.
 #   Notice: Most problems of broken clients are also related to the HTTP
 #   keep-alive facility, so you usually additionally want to disable
 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
@@ -218,5 +218,4 @@ SSLCryptoDevice builtin
 #CustomLog logs/ssl_request_log \
 #          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
-#</VirtualHost>                                  
-
+#</VirtualHost>
diff --git a/templates/conf.d/24/ssl.conf.erb b/templates/conf.d/24/ssl.conf.erb
@@ -1,8 +1,8 @@
 #
-# When we also provide SSL we have to listen to the 
+# When we also provide SSL we have to listen to the
 # the HTTPS port in addition.
 #
-Listen 443 https
+Listen <%= @ssl_port %> https
 
 ##
 ##  SSL Global Context
@@ -22,13 +22,13 @@ SSLPassPhraseDialog exec:/usr/libexec/httpd-ssl-pass-dialog
 <% end -%>
 
 #   Inter-Process Session Cache:
-#   Configure the SSL Session Cache: First the mechanism 
+#   Configure the SSL Session Cache: First the mechanism
 #   to use and second the expiring timeout (in seconds).
 SSLSessionCache         shmcb:/run/httpd/sslcache(512000)
 SSLSessionCacheTimeout  300
 
 #   Pseudo Random Number Generator (PRNG):
-#   Configure one or more sources to seed the PRNG of the 
+#   Configure one or more sources to seed the PRNG of the
 #   SSL library. The seed data should be of good random quality.
 #   WARNING! On some platforms /dev/random blocks if not enough entropy
 #   is available. This means you then cannot use the /dev/random device
@@ -48,7 +48,7 @@ SSLRandomSeed connect builtin
 # accelerators. Use "openssl engine -v" to list supported
 # engine names.  NOTE: If you enable an accelerator and the
 # server does not start, consult the error logs and ensure
-# your accelerator is functioning properly. 
+# your accelerator is functioning properly.
 #
 SSLCryptoDevice builtin
 #SSLCryptoDevice ubsec
@@ -94,7 +94,7 @@ SSLCryptoDevice builtin
 #   compromised, captures of past or future traffic must be
 #   considered compromised, too.
 #SSLCipherSuite RC4-SHA:AES128-SHA:HIGH:MEDIUM:!aNULL:!MD5
-#SSLHonorCipherOrder on 
+#SSLHonorCipherOrder on
 
 #   Server Certificate:
 # Point SSLCertificateFile at a PEM encoded certificate.  If
@@ -174,7 +174,7 @@ SSLCryptoDevice builtin
 #     and no other module can change it.
 #   o OptRenegotiate:
 #     This enables optimized SSL connection renegotiation handling when SSL
-#     directives are used in per-directory context. 
+#     directives are used in per-directory context.
 #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
 #<Files ~ "\.(cgi|shtml|phtml|php3?)$">
 #    SSLOptions +StdEnvVars
@@ -200,7 +200,7 @@ SSLCryptoDevice builtin
 #     alert of the client. This is 100% SSL/TLS standard compliant, but in
 #     practice often causes hanging connections with brain-dead browsers. Use
 #     this only for browsers where you know that their SSL implementation
-#     works correctly. 
+#     works correctly.
 #   Notice: Most problems of broken clients are also related to the HTTP
 #   keep-alive facility, so you usually additionally want to disable
 #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
@@ -217,5 +217,4 @@ BrowserMatch "MSIE [2-5]" \
 #CustomLog logs/ssl_request_log \
 #          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
 
-#</VirtualHost>                                  
-
+#</VirtualHost>