Fix Debian11 Tests

[TheKrizz]

only need a ci run on master

[TheKrizz]

added "/usr/sbin/update-ca-certificates" to spec/acceptance/certs_spec.rb

[ekohl]

Doesn't this just mask a real issue? The whole point of this module is for the CA to be trusted. If the user needs to manually update the trusted certificates after then it's missing the point.

There is already an exec that is supposed to do this:

puppet-trusted_ca/manifests/init.pp

Lines 22 to 27 in 8c80b07

	exec { 'update_system_certs':
	command => $update_command,
	path => $path,
	logoutput => on_failure,
	refreshonly => true,
	}

And that is notified here:

puppet-trusted_ca/manifests/ca.pp

Line 78 in 8c80b07

notify => Exec['update_system_certs'],

That in turn is notified above:

puppet-trusted_ca/manifests/ca.pp

Line 55 in 8c80b07

notify => Exec["validate ${install_path}/${_name}"],

So something appears to be wrong if this workaround is needed.

[TheKrizz]

Then "exec { 'update_system_certs':" in https://github.com/voxpupuli/puppet-trusted_ca/blob/master/manifests/init.pp#L22-L27 don't work or don't get a notify

Because when i add update-ca-certificates to this spec file and it runs ca-certificates-java, then the used java under usr/bin/java trusts the generated certs or knows about them.

[ekohl]

I think the problem is that chained notifications are unreliable. I hope #86 is a reliable fix for it.

[ekohl]

I can't figure it out. Perhaps it's time to drop Debian 11 support instead?

[TheKrizz]

i think on debian11 we need the command "/usr/sbin/update-ca-certificates" or we have to use this exec
https://github.com/voxpupuli/puppet-trusted_ca/blob/master/manifests/java.pp#L58-L64 or we need to set the path of the truststore

https://github.com/rksk/SSLPoke