Add class for restarting Apache every night.

Restarting Apache regularly is needed as a workaround for Apache not re-reading certificate revocation lists (CRLs); the only way to get Apache to pick up changes to those, is to restart Apache. If you do not do so, Apache will just let the loaded CRLs expire and start to refuse client certificates issued by those CAs.

Add class for restarting Apache every night.
08d23169 · Thomas Bellman · bdce45ad · 08d23169
Commit 08d23169 authored 11 years ago by Thomas Bellman
--- a/manifests/init.pp
+++ b/manifests/init.pp
@@ -58,6 +58,32 @@ class apache::base
+/*
+ * Cause the Apache httpd to be restarted daily.
+ *
+ * One case when this is needed, is when using authentication using client
+ * certificates.  Apache is unable to re-read certificate revokation lists
+ * while running.  The only way to avoid the loaded CRLs expiring, thus
+ * causing client certificates to be declared invalid, seem to be to
+ * restart Apache.
+ */
+class apache::daily_restart
+{
+    # This tries to only generate output (mailed to root by Cron) if
+    # the restart fails.  And it will not try to start Apache if it is
+    # not running.
+    $restart = '/sbin/service httpd status >/dev/null 2>&1 && (o=`/usr/sbin/apachectl graceful 2>&1` || echo "$o" >&2)'
+    cron {
+	'apache::daily_restart':
+	    command => $restart,
+	    month => '*', monthday => '*', weekday => '*',
+	    hour => '5', minute => '30';
+    }
+}
 /*
 * Helper class for abstracting dependencies on the Apache service.
 * This is so others can do e.g. notify => Class[apache::service] instead