From dd69adc9827fae3b7294a98c31cc45b44c8fc30b Mon Sep 17 00:00:00 2001
From: Thomas Mueller <mueller@puzzle.ch>
Date: Fri, 24 Oct 2014 14:02:20 +0200
Subject: [PATCH] (MODULES-1457) apache::vhost: SSLCACertificatePath can't be
 unset

The SSLCACertificatePath is always set. The check for @ssl_certs_dir only
covers "undef". As there is a default value in ::apache::params for
ssl_certs_dir it needs to be overriden with an empty string.

Right now the _ssl.erb template outputs 'SSLCACertificatePath ""' for an empty
string, which triggers a failing reload of httpd.

This patch just adds a "&& @ssl_certs_dir != ''" to the condition.

On a Puppet master passenger vhost it's probably  security relevant setting,
as it enables all system CA signed certificates access.

Related patch: https://github.com/puppetlabs/puppetlabs-apache/pull/787
---
 templates/vhost/_ssl.erb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/templates/vhost/_ssl.erb b/templates/vhost/_ssl.erb
index 70213f48c..516992558 100644
--- a/templates/vhost/_ssl.erb
+++ b/templates/vhost/_ssl.erb
@@ -7,7 +7,7 @@
   <%- if @ssl_chain -%>
   SSLCertificateChainFile "<%= @ssl_chain %>"
   <%- end -%>
-  <%- if @ssl_certs_dir -%>
+  <%- if @ssl_certs_dir && @ssl_certs_dir != '' -%>
   SSLCACertificatePath    "<%= @ssl_certs_dir %>"
   <%- end -%>
   <%- if @ssl_ca -%>