X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/643f28e4f32f013c16d04378d7d1f3dd7d8edc17..4ae23398ffb24aebf67db392cdea316d8550f6da:/cookbooks/ssl/resources/certificate.rb diff --git a/cookbooks/ssl/resources/certificate.rb b/cookbooks/ssl/resources/certificate.rb index c133491ed..f2fb4784c 100644 --- a/cookbooks/ssl/resources/certificate.rb +++ b/cookbooks/ssl/resources/certificate.rb @@ -1,14 +1,14 @@ # -# Cookbook Name:: ssl +# Cookbook:: ssl # Resource:: ssl_certificate # -# Copyright 2017, OpenStreetMap Foundation +# Copyright:: 2017, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -17,14 +17,16 @@ # limitations under the License. # +unified_mode true + default_action :create -property :name, String -property :domains, [String, Array], :required => true +property :certificate, String, :name_property => true +property :domains, [String, Array], :required => [:create] action :create do - node.default[:letsencrypt][:certificates][name] = { - :domains => Array(domains) + node.default[:letsencrypt][:certificates][new_resource.certificate] = { + :domains => domains } if letsencrypt @@ -33,59 +35,59 @@ action :create do end if certificate - file "/etc/ssl/certs/#{name}.pem" do + file "/etc/ssl/certs/#{new_resource.certificate}.pem" do owner "root" group "root" - mode 0o444 + mode "444" content certificate backup false manage_symlink_source false force_unlink true end - file "/etc/ssl/private/#{name}.key" do + file "/etc/ssl/private/#{new_resource.certificate}.key" do owner "root" group "ssl-cert" - mode 0o440 + mode "440" content key backup false manage_symlink_source false force_unlink true end else - template "/tmp/#{name}.ssl.cnf" do - cookbook "ssl" - source "ssl.cnf.erb" - owner "root" - group "root" - mode 0o644 - variables :domains => Array(new_resource.domains) - not_if do - ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key") - end - end + alt_names = domains.collect { |domain| "DNS:#{domain}" } - execute "/etc/ssl/certs/#{name}.pem" do - command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/#{new_resource.name}.key -out /etc/ssl/certs/#{new_resource.name}.pem -days 365 -nodes -config /tmp/#{new_resource.name}.ssl.cnf" - user "root" + openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do + key_file "/etc/ssl/private/#{new_resource.certificate}.key" + owner "root" group "ssl-cert" - not_if do - ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key") - end + mode "640" + org "OpenStreetMap" + email "operations@osmfoundation.org" + common_name domains.first + subject_alt_name alt_names + extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true }, + "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true } end end end action :delete do - file "/etc/ssl/certs/#{name}.pem" do + file "/etc/ssl/certs/#{new_resource.certificate}.pem" do action :delete end - file "/etc/ssl/private/#{name}.key" do + file "/etc/ssl/private/#{new_resource.certificate}.key" do action :delete end end -def letsencrypt - @letsencrypt ||= search(:letsencrypt, "id:#{name}").first +action_class do + def letsencrypt + @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first + end + + def domains + Array(new_resource.domains) + end end