diff --git a/ext/debian/puppetmaster-passenger.postinst b/ext/debian/puppetmaster-passenger.postinst
index 608ad409d..8b9a54638 100644
--- a/ext/debian/puppetmaster-passenger.postinst
+++ b/ext/debian/puppetmaster-passenger.postinst
@@ -1,130 +1,134 @@
#!/bin/sh
set -e
sitename="puppetmaster"
apache2_version="$(dpkg-query --showformat='${Version}\n' --show apache2)"
# The debian provided a2* utils in Apache 2.4 uses "site name" as
# argument, while the version in Apache 2.2 uses "file name".
#
# For added fun, the Apache 2.4 version requires files to have a
# ".conf" suffix, but this must be stripped when using it as argument
# for the a2* utilities.
#
# This will end in tears…
# Can be removed when we only support apache >= 2.4
apache2_puppetmaster_sitename() {
if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
echo "${sitename}.conf"
else
echo "${sitename}"
fi
}
# Can be removed when we only support apache >= 2.4
restart_apache2() {
if [ -x "/etc/init.d/apache2" ]; then
# Seems that a restart is needed. reload breaks ssl apparently.
if [ -x "`which invoke-rc.d 2>/dev/null`" ]; then
invoke-rc.d apache2 restart || exit $?
else
/etc/init.d/apache2 restart || exit $?
fi
fi
}
# We may need to update the passenger directives in the apache vhost because
# RailsAutoDetect and RackAutoDetect were removed in passenger 4.0.0
# see http://www.modrails.com/documentation/Users%20guide%20Apache.html#_railsautodetect_rackautodetect_and_wsgiautodetect
update_vhost_for_passenger4() {
# Get passenger version from dpkg.
# This will end in tears…
passenger_version="$(dpkg-query --showformat='${Version}\n' --show libapache2-mod-passenger)"
if dpkg --compare-versions "$passenger_version" gt "4.0~"; then
sed -r -i \
-e "/RailsAutoDetect/d" \
-e "/RackAutoDetect/d" \
$tempfile
fi
}
# In Apache 2.2, if either the SSLCARevocationFile or SSLCARevocationPath
# directives were specified then the specified file(s) would be checked when
# establishing an SSL connection. Apache 2.4+ the SSLCARevocationCheck directive
# was added to control how CRLs were checked when verifying a connection and had
# a default value of none. This means that Apache defaults to ignoring CRLs even
# if paths are specified to CRL files.
#
# This function automatically uncomments the SSLCARevocationCheck directive when
# the currently installed version of Apache is 2.4.
update_vhost_for_apache24() {
if dpkg --compare-versions "$apache2_version" gt "2.4~"; then
sed -r -i \
-e "/# SSLCARevocationCheck/s/# //" \
$tempfile
fi
}
+create_initial_puppetmaster_vhost() {
+ # Check that puppet master --configprint works properly
+ # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
+ if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
+ echo "Puppet config print not working properly, exiting"
+ exit 1
+ fi
+
+ # Initialize puppetmaster CA and generate the master certificate
+ # only if the host doesn't already have any puppet ssl certificate.
+ # The ssl key and cert need to be available (eg generated) before
+ # apache2 is configured and started since apache2 ssl configuration
+ # uses the puppetmaster ssl files.
+ if [ ! -e "$(puppet master --configprint hostcert)" ]; then
+ puppet cert generate $(puppet master --configprint certname)
+ fi
+
+ # Setup apache2 configuration files
+ APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
+ if [ ! -e "${APACHE2_SITE_FILE}" ]; then
+ tempfile=$(mktemp)
+ sed -r \
+ -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
+ -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
+ -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+ -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
+ -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
+ -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
+ -e "s|||" \
+ /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
+ update_vhost_for_passenger4
+ update_vhost_for_apache24
+ mv $tempfile "${APACHE2_SITE_FILE}"
+ fi
+
+ # Enable needed modules
+ a2enmod ssl
+ a2enmod headers
+ a2ensite ${sitename}
+ restart_apache2
+}
+
if [ "$1" = "configure" ]; then
# Change the owner of the rack config.ru to be the puppet user
# because passenger will suid to that user, see #577366
if ! dpkg-statoverride --list /usr/share/puppet/rack/puppetmasterd/config.ru >/dev/null 2>&1
then
dpkg-statoverride --update --add puppet puppet 0644 /usr/share/puppet/rack/puppetmasterd/config.ru
fi
- # Setup passenger configuration
- if [ "$2" = "" ]; then
-
- # Check that puppet master --configprint works properly
- # If it doesn't the following steps to update the vhost will produce a very unhelpful and broken vhost
- if [ $(puppet master --configprint all 2>&1 | grep "Could not parse" | wc -l) != "0" ]; then
- echo "Puppet config print not working properly, exiting"
- exit 1
- fi
-
- # Initialize puppetmaster CA and generate the master certificate
- # only if the host doesn't already have any puppet ssl certificate.
- # The ssl key and cert need to be available (eg generated) before
- # apache2 is configured and started since apache2 ssl configuration
- # uses the puppetmaster ssl files.
- if [ ! -e "$(puppet master --configprint hostcert)" ]; then
- puppet cert generate $(puppet master --configprint certname)
- fi
-
- # Setup apache2 configuration files
- APACHE2_SITE_FILE="/etc/apache2/sites-available/$(apache2_puppetmaster_sitename)"
- if [ ! -e "${APACHE2_SITE_FILE}" ]; then
- tempfile=$(mktemp)
- sed -r \
- -e "s|(SSLCertificateFile\s+).+$|\1$(puppet master --configprint hostcert)|" \
- -e "s|(SSLCertificateKeyFile\s+).+$|\1$(puppet master --configprint hostprivkey)|" \
- -e "s|(SSLCACertificateFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
- -e "s|(SSLCertificateChainFile\s+).+$|\1$(puppet master --configprint localcacert)|" \
- -e "s|(SSLCARevocationFile\s+).+$|\1$(puppet master --configprint cacrl)|" \
- -e "s|DocumentRoot /etc/puppet/rack/public|DocumentRoot /usr/share/puppet/rack/puppetmasterd/public|" \
- -e "s|||" \
- /usr/share/puppetmaster-passenger/apache2.site.conf.tmpl > $tempfile
- update_vhost_for_passenger4
- update_vhost_for_apache24
- mv $tempfile "${APACHE2_SITE_FILE}"
- fi
- # Enable needed modules
- a2enmod ssl
- a2enmod headers
- a2ensite ${sitename}
- restart_apache2
+ # Setup puppetmaster passenger vhost
+ if [ "$2" = "" ]; then
+ create_initial_puppetmaster_vhost
fi
# Fix CRL file on upgrade to use the CA crl file instead of the host crl.
if dpkg --compare-versions "$2" lt-nl "2.6.1-1"; then
if [ -e /etc/apache2/sites-available/puppetmaster ]; then
sed -r -i 's|SSLCARevocationFile[[:space:]]+/var/lib/puppet/ssl/crl.pem$|SSLCARevocationFile /var/lib/puppet/ssl/ca/ca_crl.pem|' /etc/apache2/sites-available/puppetmaster
restart_apache2
fi
fi
fi
#DEBHELPER#