| -rw-r--r-- | puppet/modules/site_config/manifests/x509/client_ca/ca.pp (renamed from puppet/modules/site_config/manifests/x509/client_ca.pp) | 8 | ||||
| -rw-r--r-- | puppet/modules/site_config/manifests/x509/client_ca/key.pp | 14 | ||||
| -rw-r--r-- | puppet/modules/site_mx/manifests/init.pp | 3 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx.pp | 6 | ||||
| -rw-r--r-- | puppet/modules/site_postfix/manifests/mx/smtp_auth.pp | 4 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/manifests/init.pp | 5 | ||||
| -rw-r--r-- | puppet/modules/site_webapp/templates/config.yml.erb | 4 | 
7 files changed, 30 insertions, 14 deletions
diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp
index 3e914cf5..0f313898 100644
--- a/puppet/modules/site_config/manifests/x509/client_ca.pp
+++ b/puppet/modules/site_config/manifests/x509/client_ca/ca.pp
@@ -1,14 +1,14 @@
-class site_config::x509::client_ca {
+class site_config::x509::client_ca::ca {
   ##
   ## This is for the special CA that is used exclusively for generating
   ## client certificates by the webapp.
   ##
-  $x509      = hiera('x509')
-  $client_ca = $x509['client_ca_cert']
+  $x509 = hiera('x509')
+  $cert = $x509['client_ca_cert']
   x509::ca { $site_config::params::client_ca_name:
-    content => $client_ca
+    content => $cert
   }
 }
diff --git a/puppet/modules/site_config/manifests/x509/client_ca/key.pp b/puppet/modules/site_config/manifests/x509/client_ca/key.pp
new file mode 100644
index 00000000..f9ef3f52
--- /dev/null
+++ b/puppet/modules/site_config/manifests/x509/client_ca/key.pp
@@ -0,0 +1,14 @@
+class site_config::x509::client_ca::key {
+
+  ##
+  ## This is for the special CA that is used exclusively for generating
+  ## client certificates by the webapp.
+  ##
+
+  $x509 = hiera('x509')
+  $key  = $x509['client_ca_key']
+
+  x509::key { $site_config::params::client_ca_name:
+    content => $key
+  }
+}
diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp
index 52c5f1d6..cdb84b54 100644
--- a/puppet/modules/site_mx/manifests/init.pp
+++ b/puppet/modules/site_mx/manifests/init.pp
@@ -5,7 +5,8 @@ class site_mx {
   include site_config::x509::cert
   include site_config::x509::key
   include site_config::x509::ca
-  include site_config::x509::client_ca
+  include site_config::x509::client_ca::ca
+  include site_config::x509::client_ca::key
   include site_postfix::mx
diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp
index d56b526f..abc0ab46 100644
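Review bot: The header comment of the new site_config::x509::client_ca::key class is copied verbatim from ca.pp and never says that what this class installs is the client CA's private signing key, i.e. the material that lets a host issue client certificates, as opposed to the CA certificate that ca.pp installs. I would replace the three comment lines with `## Installs the PRIVATE KEY of the client CA. Only hosts that sign client certificates need this class; hosts that merely verify client certificates should include client_ca::ca instead.` The owner and mode that `x509::key` applies to the file are not visible in this diff and are worth confirming, since a world-readable or group-readable CA key would defeat the separation this split is introducing.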
--- a/puppet/modules/site_postfix/manifests/mx.pp
+++ b/puppet/modules/site_postfix/manifests/mx.pp
@@ -10,7 +10,8 @@ class site_postfix::mx {
   include site_config::x509::cert
   include site_config::x509::key
-  include site_config::x509::client_ca
+  include site_config::x509::client_ca::ca
+  include site_config::x509::client_ca::key
   postfix::config {
     'mydestination':
@@ -51,7 +52,8 @@ submission inet n        -       n       -       -       smtpd
     require             => [
       Class['Site_config::X509::Key'],
       Class['Site_config::X509::Cert'],
-      Class['Site_config::X509::Client_ca'],
+      Class['Site_config::X509::Client_ca::Key'],
+      Class['Site_config::X509::Client_ca::Ca'],
       User['vmail'] ]
   }
 }
diff --git a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
index ab75130e..afa70527 100644
--- a/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
+++ b/puppet/modules/site_postfix/manifests/mx/smtp_auth.pp
@@ -1,10 +1,6 @@
 class site_postfix::mx::smtp_auth {
-  $x509 = hiera('x509')
   postfix::config {
-    'smtpd_tls_cert_file': value => $x509['client_ca_cert'];
-    'smtpd_tls_key_file':  value => $x509['client_ca_key'];
     'smtpd_tls_ask_ccert': value => 'yes';
-    #'smtpd_tls_CAfile':    value =>
   }
 }
diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp
index e630875c..c85a5ddc 100644
--- a/puppet/modules/site_webapp/manifests/init.pp
+++ b/puppet/modules/site_webapp/manifests/init.pp
@@ -17,8 +17,11 @@ class site_webapp {
   include site_webapp::apache
   include site_webapp::couchdb
   include site_webapp::haproxy
-  include site_config::x509::cert_key
+  include site_config::x509::cert
+  include site_config::x509::key
   include site_config::x509::ca
+  include site_config::x509::client_ca::ca
+  include site_config::x509::client_ca::key
   group { 'leap-webapp':
     ensure    => present,
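Review bot: The added `include site_config::x509::client_ca::key` puts the client CA's private signing key on the mail relay, but nothing in site_postfix::mx needs it: Postfix verifies presented client certificates against a CA certificate (`smtpd_tls_CAfile`), never against the CA's private key, and the only signer visible in this commit is the webapp, which gets the key path through config.yml.erb. Installing the signing key on the MX means a compromise of the mail host would let an attacker mint client certificates for any user, which is exactly the blast radius this split into ca/key classes can avoid. I would keep `include site_config::x509::client_ca::ca` and drop the `::key` include here, and correspondingly drop `Class['Site_config::X509::Client_ca::Key']` from the postfix require list in the second hunk of this file. The enclosing class site_postfix::mx continues outside the hunk.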
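Review bot: After removing the server cert/key lines, site_postfix::mx::smtp_auth sets only `smtpd_tls_ask_ccert = yes`, and the `#'smtpd_tls_CAfile'` placeholder was deleted instead of being filled in, so as far as this diff shows Postfix will ask clients for a certificate but has no trust anchor to verify it against; a presented client certificate then cannot satisfy `permit_tls_clientcerts`/`permit_tls_all_clientcerts` (only fingerprint-based `check_ccert_access` lookups would still work). Unless a CAfile is configured elsewhere, which I cannot see here, I would add `'smtpd_tls_CAfile': value => "${x509::variables::local_CAs}/${site_config::params::client_ca_name}.crt";` using the same path the config.yml.erb change points the webapp at, and make this class depend on `site_config::x509::client_ca::ca` so the file exists before Postfix is reloaded. Note also that `smtpd_tls_ask_ccert` is only a request: without a restriction that requires a verified client certificate, sessions without one are still accepted.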
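Review bot: The webapp now includes `site_config::x509::client_ca::key`, which installs the CA signing key whose path config.yml.erb hands to the Rails application, but the owner and mode that `x509::key` applies are not visible in this hunk; if it installs the key as root-only, as x509 key resources commonly do, the application running under the `leap-webapp` group created just below could not open it, and if it installs it more permissively the signing key is exposed to every local account. Worth confirming that the key ends up readable by the webapp's runtime user and by nothing else, and that the ordering guarantees the file exists before the app first reads it. The enclosing class site_webapp continues outside the hunk.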
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb
index 0ce623fc..6b45abc2 100644
--- a/puppet/modules/site_webapp/templates/config.yml.erb
+++ b/puppet/modules/site_webapp/templates/config.yml.erb
@@ -3,8 +3,8 @@ production:
   admins: <%= @webapp['admins'].inspect %>
   domain: <%= @provider_domain %>
   force_ssl: <%= @webapp['secure'] %>
-  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key
-  client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt
+  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key
+  client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt
   secret_token: "<%= @secret_token %>"
   client_cert_lifespan: <%= cert_options['life_span'].to_i %>
   client_cert_bit_size: <%= cert_options['bit_size'].to_i %>
