@@ -19,17 +19,29 @@ OpenVox ships its own Ruby runtime with a vendored CA bundle compiled in at
1919and is what Ruby uses — not the OS trust store — when validating TLS certificates for
2020outbound connections such as gem downloads and ` puppet module install ` .
2121
22- ## Quick fix: append the CA to the bundle
22+ ## Quick fix: add the CA to the ` certs/ ` directory
2323
24- Appending your proxy CA to ` cert.pem ` works immediately and requires no additional
25- configuration :
24+ Copy your proxy CA into OpenVox's ` certs/ ` directory and run ` openssl rehash ` to generate
25+ the fingerprint symlinks that OpenSSL uses to look up certificates :
2626
2727``` console
28- cat /path/to/proxy-ca.pem >> /opt/puppetlabs/puppet/ssl/cert.pem
28+ cp /path/to/proxy-ca.pem /opt/puppetlabs/puppet/ssl/certs/proxy-ca.pem
29+ /opt/puppetlabs/puppet/bin/openssl rehash /opt/puppetlabs/puppet/ssl/certs/
2930```
3031
31- The downside is that ` cert.pem ` is owned by the ` openvox-agent ` package and may be
32- overwritten during upgrades, removing your CA and breaking the proxy again.
32+ This directory is OpenVox Ruby's ` DEFAULT_CERT_DIR ` and is included by ` set_default_paths `
33+ on every connection. The directory is empty by default — the ` openvox-agent ` package does
34+ not place any files there — so user-added files survive package upgrades.
35+
36+ > ** Note:** ` openssl rehash ` is not supported on Windows as of OpenVox 8. Use the
37+ > ` SSL_CERT_FILE ` approach below on Windows nodes.
38+
39+ If you prefer a one-liner that skips rehash, appending directly to ` cert.pem ` also works,
40+ but that file is replaced on upgrade:
41+
42+ ``` console
43+ cat /path/to/proxy-ca.pem >> /opt/puppetlabs/puppet/ssl/cert.pem
44+ ```
3345
3446## Persistent fix: ` ssl_trust_store ` (module downloads only)
3547
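Review bot: The new procedure should say that `openssl rehash` has to be re-run whenever a certificate is added to, replaced in, or removed from `certs/`, because OpenSSL only finds files there through the hash symlinks rehash generates (per "the fingerprint symlinks that OpenSSL uses to look up certificates"); a reader who later drops in a renewed proxy CA without rehashing gets the same TLS failure with no obvious cause. Next to the `DEFAULT_CERT_DIR` / `set_default_paths` claim it would also help to show how to confirm that this is really the directory the vendored Ruby consults, e.g. `/opt/puppetlabs/puppet/bin/ruby -ropenssl -e 'puts OpenSSL::X509::DEFAULT_CERT_DIR'`, since the whole "survives upgrades" argument rests on that claim. Finally, the `cat >>` fallback reintroduces exactly the breakage the deleted paragraph described; consider keeping its wording that an upgrade removes the CA and breaks the proxy again, so the trade-off stays explicit rather than just "that file is replaced on upgrade".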
@@ -79,10 +91,41 @@ SSL_CERT_FILE=/etc/ssl/certs/puppet-custom-bundle.pem puppet agent -t
7991
8092## Managing with Puppet
8193
94+ ### ` certs/ ` + rehash (simplest)
95+
96+ Deploy the CA with a ` file ` resource and trigger ` openssl rehash ` on change:
97+
98+ ``` puppet
99+ file { '/opt/puppetlabs/puppet/ssl/certs/proxy-ca.pem':
100+ ensure => file,
101+ owner => 'root',
102+ group => 'root',
103+ mode => '0644',
104+ content => lookup('profile::proxy_ca_cert'),
105+ notify => Exec['rehash-puppet-ssl-certs'],
106+ }
107+
108+ exec { 'rehash-puppet-ssl-certs':
109+ command => '/opt/puppetlabs/puppet/bin/openssl rehash /opt/puppetlabs/puppet/ssl/certs/',
110+ refreshonly => true,
111+ }
112+ ```
113+
114+ Store the proxy CA certificate as a multiline string in Hiera:
115+
116+ ``` yaml
117+ profile::proxy_ca_cert : |
118+ -----BEGIN CERTIFICATE-----
119+ ...
120+ -----END CERTIFICATE-----
121+ ```
122+
123+ ### ` SSL_CERT_FILE ` merged bundle (covers gem installs on Windows or when rehash is unavailable)
124+
82125Use [ puppetlabs/concat] ( https://forge.puppet.com/modules/puppetlabs/concat ) to assemble
83- and maintain the merged bundle. The ` file:/// ` source scheme reads ` cert.pem ` directly from
84- the local filesystem at catalog apply time, so the bundle automatically picks up the fresh
85- Mozilla certs after an ` openvox-agent ` upgrade:
126+ the merged bundle. The ` file:/// ` source scheme reads ` cert.pem ` from the local filesystem
127+ at catalog apply time, so the bundle automatically picks up fresh Mozilla certs after an
128+ ` openvox-agent ` upgrade:
86129
87130``` puppet
88131concat { '/etc/ssl/certs/puppet-custom-bundle.pem':
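Review bot: The `certs/` + rehash manifest will fail on Windows agents, which the Quick-fix section says cannot run `openssl rehash`, and `owner => 'root', group => 'root'` does not apply there either; either wrap the `file`/`exec` pair in a `$facts['kernel'] != 'windows'` guard or state that this profile is Linux-only and point Windows nodes to the `SSL_CERT_FILE` section that follows. Also, because the `exec` is `refreshonly` and only the `file` resource notifies it, a later `ensure => absent` (or rename) of the CA file would leave a stale hash symlink in `certs/` unless that resource notifies the exec too; a one-line note on that would save a debugging round. The Hiera `...` placeholder should say that the complete PEM block, including the `-----BEGIN CERTIFICATE-----` and `-----END CERTIFICATE-----` lines, goes there as a literal block.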
@@ -119,18 +162,6 @@ exec { 'systemd-daemon-reload':
119162}
120163```
121164
122- Store the proxy CA certificate as a multiline string in Hiera:
123-
124- ``` yaml
125- profile::proxy_ca_cert : |
126- -----BEGIN CERTIFICATE-----
127- ...
128- -----END CERTIFICATE-----
129- ```
130-
131- Because ` concat::fragment ` reads ` cert.pem ` on every Puppet run, the merged bundle stays
132- current after upgrades with no additional steps.
133-
134165## Verifying the configuration
135166
136167Confirm Ruby can reach an intercepted host:
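Review bot: Moving the Hiera snippet out of this section leaves the `concat` example without a nearby explanation of where `profile::proxy_ca_cert` comes from; if the concat fragments still look up that key, add a one-line pointer back to the Hiera example under the `certs/` section so readers who jump straight to the `SSL_CERT_FILE` approach are not left searching for it. The deleted sentence about `concat::fragment` re-reading `cert.pem` on every run is covered by the reworded intro above the `concat` block, so that removal is fine.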