Explicitly trust old Verisign 1024 bit root
author Tom Hughes <tom@compton.nu>
Wed, 21 Jan 2015 00:39:07 +0000 (00:39 +0000)
committer Tom Hughes <tom@compton.nu>
Wed, 21 Jan 2015 00:53:36 +0000 (00:53 +0000)
Unfortunately S3 sends an unnecessary intermediate certificate
that is signed by this old root. They also send another one signed
by a newer root, but OpenSSL is not currently able to work out
that it should use that path instead of the one to the old root:

https://bugzilla.mozilla.org/show_bug.cgi?id=986005

cookbooks/chef/recipes/default.rb
cookbooks/chef/templates/default/verisign.pem.erb [new file with mode: 0644]

index 902eab1..b440d85 100644 (file)
@@ -96,6 +96,19 @@ template "/etc/logrotate.d/chef" do
   mode 0644
 end
 
+directory "/etc/chef/trusted_certs" do
+  owner "root"
+  group "root"
+  mode 0755
+end
+
+template "/etc/chef/trusted_certs/verisign.pem" do
+  source "verisign.pem.erb"
+  owner "root"
+  group "root"
+  mode 0644
+end
+
 directory "/etc/chef/ohai" do
   owner "root"
   group "root"
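Review bot: the new `template "/etc/chef/trusted_certs/verisign.pem"` resource adds a trust anchor that the commit message itself calls an old 1024-bit root, but nothing in the recipe records why it is there or when it can go away. Add a comment above the `directory "/etc/chef/trusted_certs"` block referencing https://bugzilla.mozilla.org/show_bug.cgi?id=986005 so the extra root is removed once OpenSSL builds the path to the newer root on its own, instead of staying trusted indefinitely. Ownership and modes (`root`/`root`, `0755` for the directory, `0644` for the file) match the existing `mode 0644` style above and keep the directory non-writable by other users, which is what you want for a trust store.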
diff --git a/cookbooks/chef/templates/default/verisign.pem.erb b/cookbooks/chef/templates/default/verisign.pem.erb
new file mode 100644 (file)
index 0000000..d209ab6
--- /dev/null
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----
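Review bot: the new `verisign.pem.erb` holds only a static PEM block with no ERB tags, so a `cookbook_file` under `files/default/` would be the more idiomatic resource than a `template`; keeping the `.erb` suffix suggests interpolation that never happens. Separately, a trust anchor added by hand should be checked against the root's published fingerprint before it lands (for example `openssl x509 -in verisign.pem -noout -fingerprint -sha256`), since the whole point of `/etc/chef/trusted_certs` is that chef-client accepts whatever is placed there.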