Update group owner and perms for certs/keys

The ssl-cert group which normally owns files under /etc/ssl is
created by a dependency of the apache module, but we need to create
files there before that service is started. Break the cycle by just
relying on the root group instead. Also update permission modes on
these files to reflect sensible systems administration practices
(read/write by root, readable by everyone except for the key file
which is inaccessible for others).

Change-Id: Ia76a344e5b4d3d7acdf0980ed7f951f8d5199052
Jeremy Stanley 2016-05-23 15:36:35 +00:00
parent 762bed13d4
commit 1d78addd24
1 changed files with 6 additions and 6 deletions


@ -33,8 +33,8 @@ class storyboard::cert (
if $ssl_cert_content != undef {
file { $ssl_cert:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
group => 'root',
mode => '0644',
content => $ssl_cert_content,
before => Class['storyboard::application'],
notify => Class['storyboard::application'],
@ -44,8 +44,8 @@ class storyboard::cert (
if $ssl_key_content != undef {
file { $ssl_key:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
group => 'root',
mode => '0600',
content => $ssl_key_content,
before => Class['storyboard::application'],
notify => Class['storyboard::application'],
@ -63,8 +63,8 @@ class storyboard::cert (
if $ssl_ca_content != undef {
file { $resolved_ssl_ca:
owner => 'root',
group => 'ssl-cert',
mode => '0640',
group => 'root',
mode => '0644',
content => $ssl_ca_content,
before => Class['storyboard::application'],
notify => Class['storyboard::application'],
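Review bot: The `file { $ssl_key:` resource in the second hunk writes private key material through `content`, and nothing visible on it suppresses Puppet's content diff, so on agents that have `show_diff` enabled a key change could be echoed into logs and reports; adding `show_diff => false,` to that resource would prevent this. The new `0600` root:root mode also removes read access for any non-root process that previously reached the key through `ssl-cert` group membership; presumably nothing relies on that here, but it is worth confirming. All three resources set both `before` and `notify` on `Class['storyboard::application']`, and since `notify` already implies the ordering, `before` looks redundant. The resource bodies continue past the end of each hunk, so attributes outside the visible lines are not accounted for.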