From 41004de7ee1cdc54af403637fee8367c5248e026 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico <adellam@sevenseas.org>
Date: Mon, 13 Jun 2016 16:55:25 +0200
Subject: [PATCH] library/roles/openvpn, library/roles/ubuntu-deb-general: The
 CA file that contains both the letsencrypt full chain and the INFN ca is now
 installed by the ubuntu-deb-general role.

---
 openvpn/tasks/openvpn.yml                                    | 5 -----
 .../files/infn-letsencrypt-ca.crt                            | 0
 ubuntu-deb-general/tasks/install_external_ca_cert.yml        | 3 +++
 ubuntu-deb-general/tasks/pki-basics.yml                      | 3 ---
 4 files changed, 3 insertions(+), 8 deletions(-)
 rename openvpn/files/ca.pem => ubuntu-deb-general/files/infn-letsencrypt-ca.crt (100%)

diff --git a/openvpn/tasks/openvpn.yml b/openvpn/tasks/openvpn.yml
index 341d462..a3935d0 100644
--- a/openvpn/tasks/openvpn.yml
+++ b/openvpn/tasks/openvpn.yml
@@ -52,11 +52,6 @@
     creates: '{{ openvpn_conf_dir }}/ta.key'
   tags: openvpn
 
-- name: Install the alternate CA file
-  copy: src=ca.pem dest={{ openvpn_conf_dir }}/{{ openvpn_alternative_ca_name }}
-  when: openvpn_install_alternative_ca
-  tags: openvpn
-
 - name: Ensure that the OpenVPN service is enabled and running
   service: name=openvpn state=started enabled=yes
   when: openvpn_enabled
diff --git a/openvpn/files/ca.pem b/ubuntu-deb-general/files/infn-letsencrypt-ca.crt
similarity index 100%
rename from openvpn/files/ca.pem
rename to ubuntu-deb-general/files/infn-letsencrypt-ca.crt
diff --git a/ubuntu-deb-general/tasks/install_external_ca_cert.yml b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
index 7a4ac2d..a2ed6e3 100644
--- a/ubuntu-deb-general/tasks/install_external_ca_cert.yml
+++ b/ubuntu-deb-general/tasks/install_external_ca_cert.yml
@@ -6,3 +6,6 @@
   notify: Update the CA bundle list
   tags: ca
 
+- name: Install a CA file that contains both the letsencrypt complete chain and the INFN CA certs
+  copy: src=infn-letsencrypt-ca.crt dest={{ pki_dir }}/infn-letsencrypt-ca.crt
+  tags: ca
diff --git a/ubuntu-deb-general/tasks/pki-basics.yml b/ubuntu-deb-general/tasks/pki-basics.yml
index fd878c4..0f61970 100644
--- a/ubuntu-deb-general/tasks/pki-basics.yml
+++ b/ubuntu-deb-general/tasks/pki-basics.yml
@@ -25,9 +25,6 @@
     - letsencrypt_acme_user_home is defined
   tags: [ 'pki', 'ssl', 'letsencrypt' ]
 
-# 20160506121714 [WARN] fdb: "keys/fakeselfsignedcert" has wrong mode -rwxr-xr-x, changing to -rwx------
-# 20160506121714 [WARN] fdb: "keys/fakeselfsignedcert/privkey" has wrong mode -rw-r--r--, changing to -rw-------
-
 - name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key
   command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate'
   args: