From 1f1b9da10d2f5a047a1d546a34e10539eb426e0a Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Fri, 3 Oct 2025 16:28:22 +0100 Subject: [PATCH 1/8] add switch to remove duplicates immediately --- manifests/from_pem.pp | 12 +++++++++++- templates/remove_expired_certs.ps1.erb | 6 +++++- 2 files changed, 16 insertions(+), 2 deletions(-) diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp index ceb5ad3..0c3e370 100644 --- a/manifests/from_pem.pp +++ b/manifests/from_pem.pp @@ -20,7 +20,8 @@ String $key_content, String $store = 'LocalMachine\My', Boolean $exportable = false, - Boolean $remove_expired_certs = true + Boolean $remove_expired_certs = true, + Boolean $remove_immediately = false ) { require sslcertificate::openssl @@ -45,4 +46,13 @@ logoutput => true, } } + + if $remove_expired_certs { + exec { "${title}_RemoveExpiredCerts": + provider => 'powershell', + command => template('sslcertificate/remove_expired_certs.ps1.erb'), + onlyif => template('sslcertificate/should_remove_expired_certs.ps1.erb'), + logoutput => true, + } + } } diff --git a/templates/remove_expired_certs.ps1.erb b/templates/remove_expired_certs.ps1.erb index 11ff154..b33bc79 100644 --- a/templates/remove_expired_certs.ps1.erb +++ b/templates/remove_expired_certs.ps1.erb @@ -9,7 +9,11 @@ function Get-CertName($certificate) { $cert_cn = Get-CertName $cert function Test-ShouldBeRemoved($certificate) { - ($certificate.NotAfter -lt ((get-date).AddDays(-30))) -and (Get-CertName $certificate) -eq $cert_cn + if(<%= @remove_immediately %>) { + ($certificate.NotAfter -ne $cert.NotAfter) -and (Get-CertName $certificate) -eq $cert_cn + } else { + ($certificate.NotAfter -lt ((get-date).AddDays(-30))) -and (Get-CertName $certificate) -eq $cert_cn + } } Get-ChildItem Cert:\<%= @store %> | Where-Object { Test-ShouldBeRemoved $_ } | Remove-Item -Verbose From a28eb695fd6dbe3b2cbe4485af82da149facd048 Mon Sep 17 00:00:00 2001 
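Review bot: The added `exec { "${title}_RemoveExpiredCerts": ... }` block reuses a resource title the define already declares a few lines earlier under the same `if $remove_expired_certs` guard (PATCH 3's context shows that existing block at lines 38–41), so Puppet will fail the catalog with a duplicate declaration error as soon as this define is evaluated. PATCH 2 in this series deletes the block again, so the end state is consistent, but this intermediate commit does not compile; squashing PATCH 1 and PATCH 2 would avoid a broken point in history. The enclosing define starts outside the hunk.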
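Review bot: `if(<%= @remove_immediately %>) {` renders the Ruby boolean as a bare `true` or `false`, which PowerShell does not treat as a literal — it is parsed as a command name, so the script fails whichever value is passed; the template should emit a PowerShell boolean instead, `if($<%= @remove_immediately %>) {`. Separately, the immediate branch `($certificate.NotAfter -ne $cert.NotAfter) -and (Get-CertName $certificate) -eq $cert_cn` matches every same-CN certificate whose expiry differs from the new one, including ones that are still valid or even newer, so enabling the switch can remove certificates that are not expired at all. PATCH 3 later replaces this branch with a single day-offset comparison, which sidesteps both issues.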
From: andrew-davison Date: Mon, 6 Oct 2025 15:38:39 +0100 Subject: [PATCH 2/8] Update from_pem.pp --- manifests/from_pem.pp | 9 --------- 1 file changed, 9 deletions(-) diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp index 0c3e370..8a172e7 100644 --- a/manifests/from_pem.pp +++ b/manifests/from_pem.pp @@ -46,13 +46,4 @@ logoutput => true, } } - - if $remove_expired_certs { - exec { "${title}_RemoveExpiredCerts": - provider => 'powershell', - command => template('sslcertificate/remove_expired_certs.ps1.erb'), - onlyif => template('sslcertificate/should_remove_expired_certs.ps1.erb'), - logoutput => true, - } - } } From bb5d93a9bf4560280553ef4e254d97784c7b9ef1 Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Tue, 7 Oct 2025 10:33:00 +0100 Subject: [PATCH 3/8] re-work to just compare cert expiry to date, and use an integer instead of a second parameter. --- manifests/from_pem.pp | 5 ++--- templates/remove_expired_certs.ps1.erb | 6 +----- 2 files changed, 3 insertions(+), 8 deletions(-) diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp index 8a172e7..5e84912 100644 --- a/manifests/from_pem.pp +++ b/manifests/from_pem.pp @@ -20,8 +20,7 @@ String $key_content, String $store = 'LocalMachine\My', Boolean $exportable = false, - Boolean $remove_expired_certs = true, - Boolean $remove_immediately = false + Integer $remove_expired_certs_after = 30, # Days, default of 30, to keep the behaviour the same, option to set to 0 for immediate removal. ) { require sslcertificate::openssl @@ -38,7 +37,7 @@ logoutput => true, } - if $remove_expired_certs { + if $remove_expired_certs_after { exec { "${title}_RemoveExpiredCerts": provider => 'powershell', command => template('sslcertificate/remove_expired_certs.ps1.erb'), diff --git a/templates/remove_expired_certs.ps1.erb b/templates/remove_expired_certs.ps1.erb index b33bc79..1e9863f 100644 --- a/templates/remove_expired_certs.ps1.erb +++ b/templates/remove_expired_certs.ps1.erb 
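Review bot: The guard `if $remove_expired_certs_after {` relies on Puppet truthiness, where only `undef` and `false` are false, so a value of `0` still enters the branch; that is what the parameter comment intends, but the line reads like a zero check to anyone coming from another language, so a one-line comment on the `if` such as `# 0 is truthy in Puppet; only undef/false skip the cleanup` would save the next maintainer a trip to the docs. The exec's `onlyif` (declared earlier in the define, outside this hunk) still comes from `should_remove_expired_certs.ps1.erb`, which this series does not touch; if that guard template encodes its own 30-day window or reads the now-removed `@remove_expired_certs` variable (not visible here), the guard and the removal command would disagree after this change. Please confirm and, if needed, update that template in the same commit.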
@@ -9,11 +9,7 @@ function Get-CertName($certificate) { $cert_cn = Get-CertName $cert function Test-ShouldBeRemoved($certificate) { - if(<%= @remove_immediately %>) { - ($certificate.NotAfter -ne $cert.NotAfter) -and (Get-CertName $certificate) -eq $cert_cn - } else { - ($certificate.NotAfter -lt ((get-date).AddDays(-30))) -and (Get-CertName $certificate) -eq $cert_cn - } + ($certificate.NotAfter -lt ((get-date).AddDays(-<%= @remove_expired_certs_after %>))) -and (Get-CertName $certificate) -eq $cert_cn } Get-ChildItem Cert:\<%= @store %> | Where-Object { Test-ShouldBeRemoved $_ } | Remove-Item -Verbose From 5d294456b9f2cb959fcef14b06655059e6a1c503 Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Tue, 7 Oct 2025 10:56:58 +0100 Subject: [PATCH 4/8] tweak to allow us to not remove certs if we ever wanted to. --- manifests/from_pem.pp | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp index 5e84912..a413c33 100644 --- a/manifests/from_pem.pp +++ b/manifests/from_pem.pp @@ -20,7 +20,8 @@ String $key_content, String $store = 'LocalMachine\My', Boolean $exportable = false, - Integer $remove_expired_certs_after = 30, # Days, default of 30, to keep the behaviour the same, option to set to 0 for immediate removal. + Optional[Integer] $remove_expired_certs_after = 30, # Days, + # Default of "30", to keep the behaviour the same, "0" for immediate removal, "undef" to not remove. ) { require sslcertificate::openssl From 3816ea97a2d69652b1d35a340a67059704415e54 Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Fri, 10 Oct 2025 10:48:55 +0100 Subject: [PATCH 5/8] tweak logic to handle negative numbers --- templates/remove_expired_certs.ps1.erb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/remove_expired_certs.ps1.erb b/templates/remove_expired_certs.ps1.erb index 1e9863f..10c681d 100644 --- a/templates/remove_expired_certs.ps1.erb +++ b/templates/remove_expired_certs.ps1.erb 
@@ -9,7 +9,7 @@ function Get-CertName($certificate) { $cert_cn = Get-CertName $cert function Test-ShouldBeRemoved($certificate) { - ($certificate.NotAfter -lt ((get-date).AddDays(-<%= @remove_expired_certs_after %>))) -and (Get-CertName $certificate) -eq $cert_cn + ($certificate.NotAfter -lt ((get-date).AddDays(-1 * <%= @remove_expired_certs_after %>))) -and (Get-CertName $certificate) -eq $cert_cn } Get-ChildItem Cert:\<%= @store %> | Where-Object { Test-ShouldBeRemoved $_ } | Remove-Item -Verbose From 3c01adf9209d11fc3481def0daa84ec6323ef506 Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Fri, 10 Oct 2025 10:50:11 +0100 Subject: [PATCH 6/8] suggest -1 rather than 0, to avoid a small period with the expired cert. --- manifests/from_pem.pp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/manifests/from_pem.pp b/manifests/from_pem.pp index a413c33..d62c7fd 100644 --- a/manifests/from_pem.pp +++ b/manifests/from_pem.pp @@ -21,7 +21,7 @@ String $store = 'LocalMachine\My', Boolean $exportable = false, Optional[Integer] $remove_expired_certs_after = 30, # Days, - # Default of "30", to keep the behaviour the same, "0" for immediate removal, "undef" to not remove. + # Default of "30", to keep the behaviour the same, "-1" for immediate removal, "undef" to not remove. ) { require sslcertificate::openssl From 20a98839e669ebfa32353ca758a2fc05b27f2edc Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Fri, 10 Oct 2025 14:18:16 +0100 Subject: [PATCH 7/8] pin test-kitchen to 3.8.0 --- Gemfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Gemfile b/Gemfile index e40f624..a3e7745 100644 --- a/Gemfile +++ b/Gemfile 
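Review bot: With the `-1` value the manifest comment recommends, `(get-date).AddDays(-1 * -1)` puts the threshold one day in the future, so `Test-ShouldBeRemoved` also matches same-CN certificates that are still valid for up to 24 hours — including `$cert` itself, the certificate this define just imported, if it has less than a day left. Excluding the new certificate explicitly keeps the cleanup from ever deleting what it just installed: `($certificate.Thumbprint -ne $cert.Thumbprint) -and ($certificate.NotAfter -lt ((get-date).AddDays(-1 * <%= @remove_expired_certs_after %>))) -and (Get-CertName $certificate) -eq $cert_cn`. The unquoted ERB value is only safe to splice into a PowerShell expression because the manifest types the parameter as `Integer`; a short comment above the function recording that dependency would help anyone who later loosens the type.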
@@ -2,7 +2,7 @@ source 'https://rubygems.org' gem 'puppet-lint' -gem 'test-kitchen' +gem 'test-kitchen', '< 3.8.0' # pin to pre 3.8.0 which introduced a change to how it uploads files which breaks ssh_tgz upload in the kitchen-zip module gem 'kitchen-puppet', '>= 3.6.0' gem 'kitchen-vagrant' gem 'kitchen-zip', :git => 'https://github.com/red-gate/kitchen-zip', :branch => 'master' From 0f3325a4dc96ffc016bb488189b4fe1b080983f3 Mon Sep 17 00:00:00 2001 From: andrew-davison Date: Fri, 10 Oct 2025 14:56:49 +0100 Subject: [PATCH 8/8] drop 2012r2 tests --- .kitchen.yml | 9 --------- 1 file changed, 9 deletions(-) diff --git a/.kitchen.yml b/.kitchen.yml index 8fccf8c..f0eef02 100644 --- a/.kitchen.yml +++ b/.kitchen.yml @@ -65,15 +65,6 @@ platforms: transport: name: winrm winrm_transport: plaintext - - name: windows-2012r2 - driver_plugin: vagrant - driver_config: - box: red-gate/windows-2012r2 - provisioner: - puppet_version: "6.28.0" - transport: - name: winrm - winrm_transport: plaintext suites: - name: windows_tests