X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/388687b7120815bc61f49de6c5dd0ea793dad67b..ab47927c016597f8602b81dcdc168ad5c335389d:/cookbooks/ssl/resources/certificate.rb
diff --git a/cookbooks/ssl/resources/certificate.rb b/cookbooks/ssl/resources/certificate.rb
index 7348a6726..5fc33b61b 100644
--- a/cookbooks/ssl/resources/certificate.rb
+++ b/cookbooks/ssl/resources/certificate.rb
@@ -1,8 +1,8 @@
 #
-# Cookbook Name:: ssl
+# Cookbook:: ssl
 # Resource:: ssl_certificate
 #
-# Copyright 2017, OpenStreetMap Foundation
+# Copyright:: 2017, OpenStreetMap Foundation
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -20,11 +20,11 @@
 default_action :create
 property :certificate, String, :name_property => true
-property :domains, [String, Array], :required => true
+property :domains, [String, Array], :required => [:create]
 action :create do
 node.default[:letsencrypt][:certificates][new_resource.certificate] = {
- :domains => Array(new_resource.domains)
+ :domains => domains
 }
 if letsencrypt
@@ -36,7 +36,7 @@ action :create do
 file "/etc/ssl/certs/#{new_resource.certificate}.pem" do
 owner "root"
 group "root"
- mode 0o444
+ mode "444"
 content certificate
 backup false
 manage_symlink_source false
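Review bot: `:required => [:create]` on the `domains` property (hunk at line 20) only enforces that a value was given, so an empty Array or an empty String still passes and reaches the certificate code. In the self-signed branch of the hunk at line 46 that leaves `common_name domains.first` with a nil or empty value and an empty `subject_alt_name`, and each name is interpolated unchecked into `"DNS:#{domain}"`, so a stray comma or space in a recipe-supplied name ends up in the SAN string. A guard in the `domains` helper added at the end of the file would cover every call site, for example `raise ArgumentError, "ssl_certificate #{new_resource.certificate}: no usable domains" if list.empty?` after normalising and dropping blank entries. The `action :create` block continues outside this hunk.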
@@ -46,26 +46,26 @@ action :create do
 file "/etc/ssl/private/#{new_resource.certificate}.key" do
 owner "root"
 group "ssl-cert"
- mode 0o440
+ mode "440"
 content key
 backup false
 manage_symlink_source false
 force_unlink true
 end
 else
- alt_names = new_resource.domains.collect { |domain| "DNS:#{domain}" }
+ alt_names = domains.collect { |domain| "DNS:#{domain}" }
 openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do
 key_file "/etc/ssl/private/#{new_resource.certificate}.key"
 owner "root"
 group "ssl-cert"
- mode 0o640
+ mode "640"
 org "OpenStreetMap"
 email "operations@osmfoundation.org"
- common_name new_resource.domains.first
+ common_name domains.first
 subject_alt_name alt_names
- extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment] },
- "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth] }
+ extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true },
+ "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true }
 end
 end
 end
@@ -84,4 +84,8 @@ action_class do
 def letsencrypt
 @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first
 end
+
+ def domains
+ Array(new_resource.domains)
+ end
 end
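Review bot: The `else` branch issues a self-signed certificate whenever the `letsencrypt` search returns nothing, and nothing in it records that this happened, so a host can keep serving the fallback certificate unnoticed. A comment above `openssl_x509_certificate` stating that this is the fallback path (presumably used until an issued certificate exists; confirm against the letsencrypt cookbook) and a `Chef::Log.warn("ssl_certificate #{new_resource.certificate}: using self-signed fallback")` before it would make the state visible in run logs. Whether `mode "640"` also applies to the generated `key_file` is not visible in this hunk; the issued-key `file` resource above uses `"440"`, so it is worth confirming the two keys end up equally restrictive.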
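Review bot: The new `domains` helper (hunk at line 84) has the same name as the resource property, so inside the action `domains` and `new_resource.domains` now mean different things: the first is always an Array, the second is the raw String-or-Array value. A one-line comment above `def domains`, such as `# Always an Array, even when the property was given as a single String`, or a more distinct helper name, would make that difference explicit for the next reader. The `action_class` block starts outside this hunk.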