#
-# Cookbook Name:: ssl
+# Cookbook:: ssl
# Resource:: ssl_certificate
#
-# Copyright 2017, OpenStreetMap Foundation
+# Copyright:: 2017, OpenStreetMap Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
default_action :create
-property :name, String
-property :domains, [String, Array], :required => true
-property :fallback_certificate, String
+property :certificate, String, :name_property => true
+property :domains, [String, Array], :required => [:create]
action :create do
- node.default[:letsencrypt][:certificates][name] = {
- :domains => Array(domains)
+ node.default[:letsencrypt][:certificates][new_resource.certificate] = {
+ :domains => domains
}
if letsencrypt
end
if certificate
- file "/etc/ssl/certs/#{name}.pem" do
+ file "/etc/ssl/certs/#{new_resource.certificate}.pem" do
owner "root"
group "root"
- mode 0o444
+ mode "444"
content certificate
backup false
+ manage_symlink_source false
+ force_unlink true
end
- file "/etc/ssl/private/#{name}.key" do
+ file "/etc/ssl/private/#{new_resource.certificate}.key" do
owner "root"
group "ssl-cert"
- mode 0o440
+ mode "440"
content key
backup false
- end
- elsif fallback_certificate
- link "/etc/ssl/certs/#{name}.pem" do
- to "#{fallback_certificate}.pem"
- end
-
- link "/etc/ssl/private/#{name}.key" do
- to "#{fallback_certificate}.key"
+ manage_symlink_source false
+ force_unlink true
end
else
- template "/tmp/#{name}.ssl.cnf" do
- cookbook "ssl"
- source "ssl.cnf.erb"
- owner "root"
- group "root"
- mode 0o644
- variables :domains => Array(new_resource.domains)
- not_if do
- ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key")
- end
- end
+ alt_names = domains.collect { |domain| "DNS:#{domain}" }
- execute "/etc/ssl/certs/#{name}.pem" do
- command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/#{new_resource.name}.key -out /etc/ssl/certs/#{new_resource.name}.pem -days 365 -nodes -config /tmp/#{new_resource.name}.ssl.cnf"
- user "root"
+ openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do
+ key_file "/etc/ssl/private/#{new_resource.certificate}.key"
+ owner "root"
group "ssl-cert"
- not_if do
- ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key")
- end
+ mode "640"
+ org "OpenStreetMap"
+ email "operations@osmfoundation.org"
+ common_name domains.first
+ subject_alt_name alt_names
+ extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true },
+ "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true }
end
end
end
action :delete do
- file "/etc/ssl/certs/#{name}.pem" do
+ file "/etc/ssl/certs/#{new_resource.certificate}.pem" do
action :delete
end
- file "/etc/ssl/private/#{name}.key" do
+ file "/etc/ssl/private/#{new_resource.certificate}.key" do
action :delete
end
end
-def letsencrypt
- @letsencrypt ||= search(:letsencrypt, "id:#{name}").first
+action_class do
+ def letsencrypt
+ @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first
+ end
+
+ def domains
+ Array(new_resource.domains)
+ end
end
projects / chef.git / blobdiff