#
-# Cookbook Name:: ssl
+# Cookbook:: ssl
# Resource:: ssl_certificate
#
-# Copyright 2017, OpenStreetMap Foundation
+# Copyright:: 2017, OpenStreetMap Foundation
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
-# http://www.apache.org/licenses/LICENSE-2.0
+# https://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# limitations under the License.
#
+unified_mode true
+
default_action :create
property :certificate, String, :name_property => true
-property :domains, [String, Array], :required => true
+property :domains, [String, Array], :required => [:create]
action :create do
- node.default[:letsencrypt][:certificates][certificate] = {
- :domains => Array(domains)
+ node.default[:letsencrypt][:certificates][new_resource.certificate] = {
+ :domains => domains
}
if letsencrypt
- certificate_content = letsencrypt["certificate"]
- key_content = letsencrypt["key"]
+ certificate = letsencrypt["certificate"]
+ key = letsencrypt["key"]
end
- if certificate_content
- file "/etc/ssl/certs/#{certificate}.pem" do
+ if certificate
+ file "/etc/ssl/certs/#{new_resource.certificate}.pem" do
owner "root"
group "root"
- mode 0o444
- content certificate_content
+ mode "444"
+ content certificate
backup false
manage_symlink_source false
force_unlink true
end
- file "/etc/ssl/private/#{certificate}.key" do
+ file "/etc/ssl/private/#{new_resource.certificate}.key" do
owner "root"
group "ssl-cert"
- mode 0o440
- content key_content
+ mode "440"
+ content key
backup false
manage_symlink_source false
force_unlink true
end
else
- template "/tmp/#{certificate}.ssl.cnf" do
- cookbook "ssl"
- source "ssl.cnf.erb"
- owner "root"
- group "root"
- mode 0o644
- variables :domains => Array(domains)
- not_if do
- ::File.exist?("/etc/ssl/certs/#{certificate}.pem") && ::File.exist?("/etc/ssl/private/#{certificate}.key")
- end
- end
+ alt_names = domains.collect { |domain| "DNS:#{domain}" }
- execute "/etc/ssl/certs/#{certificate}.pem" do
- command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/#{certificate}.key -out /etc/ssl/certs/#{certificate}.pem -days 365 -nodes -config /tmp/#{certificate}.ssl.cnf"
- user "root"
+ openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do
+ key_file "/etc/ssl/private/#{new_resource.certificate}.key"
+ owner "root"
group "ssl-cert"
- not_if do
- ::File.exist?("/etc/ssl/certs/#{certificate}.pem") && ::File.exist?("/etc/ssl/private/#{certificate}.key")
- end
+ mode "640"
+ org "OpenStreetMap"
+ email "operations@osmfoundation.org"
+ common_name domains.first
+ subject_alt_name alt_names
+ extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true },
+ "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true }
end
end
end
action :delete do
- file "/etc/ssl/certs/#{certificate}.pem" do
+ file "/etc/ssl/certs/#{new_resource.certificate}.pem" do
action :delete
end
- file "/etc/ssl/private/#{certificate}.key" do
+ file "/etc/ssl/private/#{new_resource.certificate}.key" do
action :delete
end
end
-def letsencrypt
- @letsencrypt ||= search(:letsencrypt, "id:#{certificate}").first
+action_class do
+ def letsencrypt
+ @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first
+ end
+
+ def domains
+ Array(new_resource.domains)
+ end
end
projects / chef.git / blobdiff