
Enable force update for RedHat update-ca-trust command. #16

Closed

Conversation

mmarseglia

If the user has made changes to the classic configuration files this will discard those changes and forcefully switch to most recent set of standard CA certificates and trust.
@pcfens
Contributor

pcfens commented Oct 4, 2016

Thanks for this - I'm not a RH user normally, so it sounds like this might change the behavior a little bit, possibly breaking things if this behavior isn't expected.

If that's the case, should this type of change be a force parameter? Apologies if I'm way off and don't completely understand how RH manages CAs.

@mmarseglia
Author

Thanks, I had to read through the man page several times because I'm a bit new to managing CA certs.

CA information changes locations but the legacy config was kept. The new and legacy config can be consolidated using update-ca-trust enable. It checks for modifications to the legacy config and aborts if it was modified. update-ca-trust force-enable creates backups of the legacy config, removes it, and creates symlinks to the new config.

This puppet module runs update-ca-trust enable to ensure legacy apps use the new CA cert placed in /etc/pki/ca-trust/source/anchors. If update-ca-trust enable isn't run then the new CA cert isn't visible to legacy apps.

I expect the module to disregard local modifications and force the change. Otherwise something other than Puppet could modify the legacy config. Bumping this module's version to 2.x would signal a breaking change.

Reference CentOS man page for update-ca-trust https://www.schloss.io/docsrv/man/centos6.5/man8/update-ca-trust.8/

@pcfens
Contributor

pcfens commented Oct 5, 2016

Thanks for the full explanation.

Rather than discontinue other bugfixes and enhancements for everyone that doesn't want to enforce such a change (I don't have time to maintain a 1.x and 2.x tree), could we move the enable vs. force-enable switch to a new class parameter?

@timmooney

For a little more background, the "Shared System Certificate Authority" was added at RHEL 6.5. See:

ca-certificates in RHEL 6.5

Because it was already several point releases into RHEL 6, it was not enabled by default. Enabling it replaces the previous consolidated bundle of CAs, which may have been manually updated since that was the generally-used method for adding a CA for all versions up through RHEL 6.4.

In RHEL 7, update-ca-trust is enabled by default and the legacy compatibility bundle is just a symlink to the generated bundle.

This also means you shouldn't expect that update-ca-trust is present on RHEL (or CentOS/OracleLinux/ScientificLinux/etc.) before 6.5.
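As an added illustration of the class parameter pcfens suggests (hypothetical code, not the module's own): a Puppet class whose `force_enable` parameter selects between `update-ca-trust enable` and `update-ca-trust force-enable`, and which refuses to manage hosts older than 6.5 in line with the note above. The class name, the anchor file name and its `puppet:///` source are assumptions.

```puppet
# Hypothetical class; not part of the pcfens/ca_cert module.
class ca_trust_enable (
  Boolean $force_enable = false,
) {
  # update-ca-trust only exists from RHEL/CentOS 6.5 onward.
  $release = $facts['os']['release']['full']
  if $facts['os']['family'] == 'RedHat' and versioncmp($release, '6.5') < 0 {
    fail("update-ca-trust is not available before release 6.5 (found ${release})")
  }

  # 'enable' aborts when the legacy config was modified locally;
  # 'force-enable' backs the legacy files up, removes them, and symlinks
  # them to the consolidated config. Only the operator opts into the latter.
  $subcommand = $force_enable ? {
    true    => 'force-enable',
    default => 'enable',
  }

  # Placeholder anchor file; the CA and its source are assumptions.
  file { '/etc/pki/ca-trust/source/anchors/example-internal-ca.crt':
    ensure => file,
    owner  => 'root',
    group  => 'root',
    mode   => '0644',
    source => 'puppet:///modules/ca_trust_enable/example-internal-ca.crt',
    notify => Exec['update-ca-trust-enable'],
  }

  # Runs only when an anchor changes, so a local edit to the legacy config
  # is never discarded unless force_enable is explicitly true.
  exec { 'update-ca-trust-enable':
    command     => "/usr/bin/update-ca-trust ${subcommand}",
    refreshonly => true,
    logoutput   => on_failure,
  }
}
```

With `force_enable => false` a locally modified legacy bundle makes the exec fail loudly (the abort described above) instead of silently being replaced, which is the safer default for an existing 1.x install base.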

@sudodevnull
Contributor

added force-enable switch. #45

@pcfens
Contributor

pcfens commented May 30, 2018

Closing since this was taken care of in #45 (Thanks @sudodevnull)

@pcfens pcfens closed this May 30, 2018