update-ca-trust check is not a thing on EL7

[alexjfisher]

The enable_ca_trust resource actually updates the cacerts on every puppet run on EL7 systems.

The resource uses unless => update-ca-trust check | grep DISABLED here

update-ca-trust check isn't a thing on EL7 and all arguments are silently ignored. The command is a really simple bash script. (The EL6 version is much more complicated.)

[root@host~]# cat `which update-ca-trust`
#!/bin/sh

#set -vx

# At this time, while this script is trivial, we ignore any parameters given.
# However, for backwards compatibility reasons, future versions of this script must
# support the syntax "update-ca-trust extract" trigger the generation of output
# files in $DEST.

DEST=/etc/pki/ca-trust/extracted

# OpenSSL PEM bundle that includes trust flags
# (BEGIN TRUSTED CERTIFICATE)
/usr/bin/p11-kit extract --comment --format=openssl-bundle --filter=certificates --overwrite $DEST/openssl/ca-bundle.trust.crt
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose server-auth $DEST/pem/tls-ca-bundle.pem
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose email $DEST/pem/email-ca-bundle.pem
/usr/bin/p11-kit extract --comment --format=pem-bundle --filter=ca-anchors --overwrite --purpose code-signing $DEST/pem/objsign-ca-bundle.pem
/usr/bin/p11-kit extract --format=java-cacerts --filter=ca-anchors --overwrite --purpose server-auth $DEST/java/cacerts
[root@host ~]#

The end result is that on every puppet run the cacerts file is silently regenerated. This is quite annoying if you're using a file integrity tool like tripwire/ossec etc.

[pcfens]

Fixed by #40