From 74c2316a8d5cb85c0e7d5a31e661ce8fcd812512 Mon Sep 17 00:00:00 2001
From: Tom Hughes <tom@compton.nu>
Date: Wed, 21 Jan 2015 00:39:07 +0000
Subject: [PATCH] Explicitly trust old Verisign 1024 bit root

Unfortunately S3 sends an unnecessary intermediate certificate
that is signed by this old root. They also send another one signed
by a newer root, but OpenSSL is not currently able to work out
that it should use that path instead of the one to the old root:

https://bugzilla.mozilla.org/show_bug.cgi?id=986005
---
 cookbooks/chef/recipes/default.rb                 | 13 +++++++++++++
 cookbooks/chef/templates/default/verisign.pem.erb | 14 ++++++++++++++
 2 files changed, 27 insertions(+)
 create mode 100644 cookbooks/chef/templates/default/verisign.pem.erb

diff --git a/cookbooks/chef/recipes/default.rb b/cookbooks/chef/recipes/default.rb
index 902eab14a..b440d85e9 100644
--- a/cookbooks/chef/recipes/default.rb
+++ b/cookbooks/chef/recipes/default.rb
@@ -96,6 +96,19 @@ template "/etc/logrotate.d/chef" do
   mode 0644
 end
 
+directory "/etc/chef/trusted_certs" do
+  owner "root"
+  group "root"
+  mode 0755
+end
+
+template "/etc/chef/trusted_certs/verisign.pem" do
+  source "verisign.pem.erb"
+  owner "root"
+  group "root"
+  mode 0644
+end
+
 directory "/etc/chef/ohai" do
   owner "root"
   group "root"
diff --git a/cookbooks/chef/templates/default/verisign.pem.erb b/cookbooks/chef/templates/default/verisign.pem.erb
new file mode 100644
index 000000000..d209ab6f8
--- /dev/null
+++ b/cookbooks/chef/templates/default/verisign.pem.erb
@@ -0,0 +1,14 @@
+-----BEGIN CERTIFICATE-----
+MIICPDCCAaUCEDyRMcsf9tAbDpq40ES/Er4wDQYJKoZIhvcNAQEFBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMjIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBBQUAA4GBABByUqkFFBkyCEHwxWsKzH4PIRnN5GfcX6kb5sroc50i
+2JhucwNhkcV8sEVAbkSdjbCxlnRhLQ2pRdKkkirWmnWXbj9T/UWZYB2oK0z5XqcJ
+2HUw19JlYD1n1khVdWk/kfVIC0dpImmClr7JyDiGSnoscxlIaU5rfGW/D/xwzoiQ
+-----END CERTIFICATE-----
-- 
2.43.2