Use openssl_x509_certificate resource to generate certificates
authorTom Hughes <tom@compton.nu>
Wed, 12 Sep 2018 18:11:49 +0000 (19:11 +0100)
committerTom Hughes <tom@compton.nu>
Wed, 12 Sep 2018 18:11:49 +0000 (19:11 +0100)
cookbooks/exim/recipes/default.rb
cookbooks/exim/templates/default/ssl.cnf.erb [deleted file]
cookbooks/ssl/resources/certificate.rb
cookbooks/ssl/templates/default/ssl.cnf.erb [deleted file]

index 65ab834..6b20f51 100644 (file)
@@ -33,23 +33,15 @@ group "ssl-cert" do
   append true
 end
 
-template "/tmp/exim.ssl.cnf" do
-  source "ssl.cnf.erb"
+openssl_x509_certificate "/etc/ssl/certs/exim.pem" do
+  key_file "/etc/ssl/private/exim.key"
   owner "root"
-  group "root"
-  mode 0o644
-  not_if do
-    File.exist?("/etc/ssl/certs/exim.pem") && File.exist?("/etc/ssl/private/exim.key")
-  end
-end
-
-execute "/etc/ssl/certs/exim.pem" do
-  command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/exim.key -out /etc/ssl/certs/exim.pem -days 3650 -nodes -config /tmp/exim.ssl.cnf"
-  user "root"
   group "ssl-cert"
-  not_if do
-    File.exist?("/etc/ssl/certs/exim.pem") && File.exist?("/etc/ssl/private/exim.key")
-  end
+  mode 0o640
+  org "OpenStreetMap"
+  email "postmaster@openstreetmap.org"
+  common_name node[:fqdn]
+  expire 3650
 end
 
 service "exim4" do
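Review bot: The exim certificate is issued with only `common_name node[:fqdn]` and no subject alternative name, whereas the sibling change in cookbooks/ssl/resources/certificate.rb passes `subject_alt_name`; peers that validate the SAN rather than the CN will not match the host without it. Adding `subject_alt_name ["DNS:#{node[:fqdn]}"]` beside the `common_name` line keeps the two call sites consistent. The removed `not_if` guard required both the certificate and the key to exist; the resource appears to decide idempotence from the certificate path alone, so if that reading is right a missing key file would no longer trigger regeneration — worth confirming against the resource's create action.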
diff --git a/cookbooks/exim/templates/default/ssl.cnf.erb b/cookbooks/exim/templates/default/ssl.cnf.erb
deleted file mode 100644 (file)
index 406dcb9..0000000
+++ /dev/null
@@ -1,8 +0,0 @@
-[req]
-prompt = no
-distinguished_name = req_dn
-
-[req_dn]
-organizationName = OpenStreetMap
-commonName = <%= node[:fqdn] %>
-emailAddress = postmaster@openstreetmap.org
index facb59a..7348a67 100644 (file)
@@ -53,25 +53,19 @@ action :create do
       force_unlink true
     end
   else
-    template "/tmp/#{new_resource.certificate}.ssl.cnf" do
-      cookbook "ssl"
-      source "ssl.cnf.erb"
-      owner "root"
-      group "root"
-      mode 0o644
-      variables :domains => Array(new_resource.domains)
-      not_if do
-        ::File.exist?("/etc/ssl/certs/#{new_resource.certificate}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.certificate}.key")
-      end
-    end
+    alt_names = new_resource.domains.collect { |domain| "DNS:#{domain}" }
 
-    execute "/etc/ssl/certs/#{new_resource.certificate}.pem" do
-      command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/#{new_resource.certificate}.key -out /etc/ssl/certs/#{new_resource.certificate}.pem -days 365 -nodes -config /tmp/#{new_resource.certificate}.ssl.cnf"
-      user "root"
+    openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do
+      key_file "/etc/ssl/private/#{new_resource.certificate}.key"
+      owner "root"
       group "ssl-cert"
-      not_if do
-        ::File.exist?("/etc/ssl/certs/#{new_resource.certificate}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.certificate}.key")
-      end
+      mode 0o640
+      org "OpenStreetMap"
+      email "operations@osmfoundation.org"
+      common_name new_resource.domains.first
+      subject_alt_name alt_names
+      extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment] },
+                 "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth] }
     end
   end
 end
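Review bot: `new_resource.domains.collect` on the first added line and `new_resource.domains.first` in the resource block call Array methods directly, whereas the deleted template was handed `Array(new_resource.domains)`; a caller that passes a single domain string would now raise NoMethodError instead of being coerced. Restoring the coercion is a two-line change, `alt_names = Array(new_resource.domains).map { |domain| "DNS:#{domain}" }` and `common_name Array(new_resource.domains).first` (`map` being the preferred name over `collect`). The deleted template also set `basicConstraints = CA:FALSE`, which the new `extensions` hash does not carry; unless the resource adds it by default, consider including `"basicConstraints" => { "values" => ["CA:FALSE"] }` so the leaf certificate keeps that constraint. The enclosing `action :create` block starts before this hunk.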
diff --git a/cookbooks/ssl/templates/default/ssl.cnf.erb b/cookbooks/ssl/templates/default/ssl.cnf.erb
deleted file mode 100644 (file)
index 64c3c08..0000000
+++ /dev/null
@@ -1,20 +0,0 @@
-[req]
-prompt = no
-distinguished_name = req_dn
-x509_extensions = v3_req
-
-[req_dn]
-organizationName = OpenStreetMap
-commonName = <%= @domains.first %>
-emailAddress = operations@osmfoundation.org
-
-[v3_req]
-basicConstraints = CA:FALSE
-keyUsage = digitalSignature, keyEncipherment
-extendedKeyUsage = serverAuth, clientAuth
-subjectAltName = @alt_names
-
-[alt_names]
-<% @domains.each_with_index do |d, i| -%>
-DNS.<%= i + 1 %> = <%= d %>
-<% end -%>