Managing trusted CAs with Salt


Georges Racinet

Jul 2, 2015, 9:14:20 AM
to salt-...@googlegroups.com
Hi there,

am I right to think that there is no state to manage the system-wide
trusted Certificates Authorities (CAs)

salt.modules.tls seems dedicated to the production of certificates, but
I couldn't find anything to tell a minion to trust or distrust a given
CA certificate.

Just wanted to check before I decide to write my own states for that.

Cheers,

--
Georges Racinet
Anybox SAS, http://anybox.fr
Téléphone: +33 6 51 32 07 27
GPG: 0x33AB0A35, sur serveurs publics

Florian Ermisch

Jul 2, 2015, 11:18:17 AM
to salt-...@googlegroups.com

Hi Georges,

I have some states (not a state module) for Ubuntu managing `/usr/local/share/ca-certificates` with certs from pillar and running `update-ca-certificates` (?) on updates. Nothing too fancy.

I think the way of managing the system-wide certificate store differs quite a bit from OS to OS and distro to distro, so starting a formula might be a good idea.

Regards, Florian

Georges Racinet

Jul 2, 2015, 11:32:40 AM
to salt-...@googlegroups.com


Hi Florian,


On 07/02/2015 05:18 PM, Florian Ermisch wrote:
> Hi Georges,
>
> I have some states (not a state module) for Ubuntu managing `/usr/local/share/ca-certificates` with certs from pillar and running `update-ca-certificates` (?) on updates. Nothing too fancy.

for the record, as far as I know, that way of doing it works for the whole Debian family.

>
> I think the way of managing the system-wide certificate store differs quite a bit from OS to OS and distro to distro, so starting a formula might be a good idea.


Ah yes, I didn't think of formulas, but indeed, it could be a good starting point, with the advantage of being transversal with respect to the Salt version.

Do you mind sharing your Ubuntu state as a starting point?

Regards,




--
Georges Racinet
Anybox SAS, http://anybox.fr
Téléphone: +33 6 51 32 07 27
GPG: 0x33AB0A35, sur serveurs publics

Florian Ermisch

Jul 2, 2015, 1:58:03 PM
to salt-...@googlegroups.com

Hi Georges,

I'll ask my boss tomorrow but it shouldn't be an issue when you look at the OpenStack related salt-stuff I do on github ;)

But how should we call the formula?
I think the pkg containing all the root CAs Mozilla distributes is "ca-certificates" on Ubuntu & FreeBSD, but something like "trusted CAs" would be closer to the formula's goal…

Regards, Florian

Georges Racinet

Jul 2, 2015, 2:41:38 PM
to salt-...@googlegroups.com


On 07/02/2015 07:57 PM, Florian Ermisch wrote:
> Hi Georges,
>

> I'll ask my boss tomorrow but it shouldn't be an issue when you look at the OpenStack related salt-stuff I do on github ;)

Indeed :-)

>
> But how should we call the formula?
> I think the pkg containing all the root CAs Mozilla distributes is "ca-certificates" on Ubuntu & FreeBSD, but something like "trusted CAs" would be closer to the formula's goal…

That latter one sounds good to me and has the advantage of being distro agnostic.
I can test your formula on Debian and Ubuntu, and will try and start a version for the Red Hat family. Well, at least, I have a list of manual steps for Fedora, that's a start.

Cheers
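
The kind of state Florian describes in his first reply (certs from pillar written into the local CA directory, then the store rebuilt), extended to the Red Hat family that Georges mentions above, as an added example. This is not Florian's state nor the trustedCAs-formula linked later in the thread; the pillar key `trusted_cas`, the state IDs, the grain-based directory mapping and the placeholder PEM in the pillar comment are assumptions made for illustration.

```yaml
# trusted_cas/init.sls  (added example; pillar keys and state IDs are assumptions)
#
# Pillar layout this state expects (constructed example; the PEM is a placeholder):
#
#   trusted_cas:
#     trust:
#       corp-root-ca: |
#         -----BEGIN CERTIFICATE-----
#         MIIB...base64 body of the CA certificate...
#         -----END CERTIFICATE-----
#     distrust:
#       - old-corp-root-ca

{% if grains['os_family'] == 'Debian' %}
{%   set ca_dir = '/usr/local/share/ca-certificates' %}
{%   set ca_ext = '.crt' %}  {# update-ca-certificates only picks up *.crt from this dir #}
{%   set update_cmd = 'update-ca-certificates' %}
{% elif grains['os_family'] == 'RedHat' %}
{%   set ca_dir = '/etc/pki/ca-trust/source/anchors' %}
{%   set ca_ext = '.pem' %}
{%   set update_cmd = 'update-ca-trust' %}
{% endif %}

# The package ships the Mozilla bundle and the update tool on both families.
ca-certificates:
  pkg.installed

# One file per CA to trust; the PEM is read straight from pillar, so nothing
# has to be checked into the state tree.
{% for name in salt['pillar.get']('trusted_cas:trust', {}) %}
trusted-ca-{{ name }}:
  file.managed:
    - name: {{ ca_dir }}/{{ name }}{{ ca_ext }}
    - contents_pillar: trusted_cas:trust:{{ name }}
    - user: root
    - group: root
    - mode: 644
    - require:
      - pkg: ca-certificates
    - watch_in:
      - cmd: rebuild-ca-trust
{% endfor %}

# Distrusting a CA that was added this way is just removing its file;
# the rebuild below drops it from the generated bundle.
{% for name in salt['pillar.get']('trusted_cas:distrust', []) %}
distrusted-ca-{{ name }}:
  file.absent:
    - name: {{ ca_dir }}/{{ name }}{{ ca_ext }}
    - watch_in:
      - cmd: rebuild-ca-trust
{% endfor %}

# cmd.wait runs only when one of the watching file states reported a change,
# so an unchanged highstate does not rewrite the bundle every run.
rebuild-ca-trust:
  cmd.wait:
    - name: {{ update_cmd }}
```

Apply it with `salt '*' state.apply trusted_cas`. Two caveats a practitioner will hit: the `distrust` list only covers CAs that were installed through this state, since removing a file from the local directory cannot revoke a root shipped in the distro's own bundle (on Debian that needs a `!`-prefixed line in `/etc/ca-certificates.conf`); and the rebuilt bundle is only what OpenSSL-based clients consult, so Java keystores and NSS databases such as Firefox's stay untouched. Whoever can write that pillar key can make every targeted minion trust an arbitrary CA, so it deserves the same access control as the rest of pillar.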

Florian Ermisch

Jul 3, 2015, 7:41:17 AM
to salt-...@googlegroups.com, Georges Racinet

Here ya go:
https://github.com/0xf10e/trustedCAs-formula

I've made minor changes and will add some examples later.

Regards, Florian

