From 08d23169f1d7834d38b059d6d9aa1f84490ff835 Mon Sep 17 00:00:00 2001
From: Thomas Bellman <bellman@nsc.liu.se>
Date: Mon, 14 Apr 2014 18:18:17 +0200
Subject: [PATCH] Add class for restarting Apache every night.

Restarting Apache regularly is needed as a workaround for Apache not re-reading certificate revocation lists (CRLs); the only way to get Apache to pick up changes to those, is to restart Apache. If you do not do so, Apache will just let the loaded CRLs expire and start to refuse client certificates issued by those CAs.
---
 manifests/init.pp | 26 ++++++++++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/manifests/init.pp b/manifests/init.pp
index 7913c00..83e8d67 100644
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -58,6 +58,32 @@ class apache::base
+/*
+ * Cause the Apache httpd to be restarted daily.
+ *
+ * One case when this is needed, is when using authentication using client
+ * certificates. Apache is unable to re-read certificate revokation lists
+ * while running. The only way to avoid the loaded CRLs expiring, thus
+ * causing client certificates to be declared invalid, seem to be to
+ * restart Apache.
+ */
+class apache::daily_restart
+{
+ # This tries to only generate output (mailed to root by Cron) if
+ # the restart fails. And it will not try to start Apache if it is
+ # not running.
+ $restart = '/sbin/service httpd status >/dev/null 2>&1 && (o=`/usr/sbin/apachectl graceful 2>&1` || echo "$o" >&2)'
+
+ cron {
+ 'apache::daily_restart':
+ command => $restart,
+ month => '*', monthday => '*', weekday => '*',
+ hour => '5', minute => '30';
+ }
+}
+
+
+
 /*
  * Helper class for abstracting dependencies on the Apache service.
  * This is so others can do e.g. notify => Class[apache::service] instead
-- 
GitLab
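Review bot: The `$restart` command treats every non-zero exit of `/sbin/service httpd status` as "Apache is not running" and exits silently, so if the init script is missing, renamed, or reports an error state (LSB status conventions use 3 for stopped but 1, 2 and 4 for error conditions), the nightly restart is skipped and nothing is mailed to root, which is exactly the CRL-expiry failure this class is meant to prevent. Consider swallowing only the stopped case and reporting everything else, e.g. `/sbin/service httpd status >/dev/null 2>&1; rc=$?; [ $rc -eq 3 ] && exit 0; [ $rc -ne 0 ] && { echo "httpd status exited $rc" >&2; exit 1; }` ahead of the apachectl call, so a broken status check surfaces in the cron mail. The `month`, `monthday` and `weekday` values of `'*'` are the cron type's defaults and can be dropped to shorten the resource. In the header comment, `revokation` should read `revocation` and `seem to be` should read `seems to be`; it would also help to state explicitly that a daily cadence only works when the issuing CAs' CRL validity period is longer than one day, since the restart only helps if it happens before the loaded CRL's next-update time passes.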