X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/77cd975164d60c089b6a42b2e9bd128c0e037025..de36e6558743eebc1185d32fa0b58dbafe9bbc53:/cookbooks/ssl/resources/certificate.rb diff --git a/cookbooks/ssl/resources/certificate.rb b/cookbooks/ssl/resources/certificate.rb index 92dbcc323..fdbcf2b52 100644 --- a/cookbooks/ssl/resources/certificate.rb +++ b/cookbooks/ssl/resources/certificate.rb @@ -1,14 +1,14 @@ # -# Cookbook Name:: ssl +# Cookbook:: ssl # Resource:: ssl_certificate # -# Copyright 2017, OpenStreetMap Foundation +# Copyright:: 2017, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # -# http://www.apache.org/licenses/LICENSE-2.0 +# https://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, @@ -19,13 +19,12 @@ default_action :create -property :name, String -property :domains, Array, :required => true -property :fallback_certificate, String +property :certificate, String, :name_property => true +property :domains, [String, Array], :required => true action :create do - node.default[:letsencrypt][:certificates][name] = { - :domains => domains + node.default[:letsencrypt][:certificates][new_resource.certificate] = { + :domains => Array(new_resource.domains) } if letsencrypt @@ -34,63 +33,55 @@ action :create do end if certificate - file "/etc/ssl/certs/#{name}.pem" do + file "/etc/ssl/certs/#{new_resource.certificate}.pem" do owner "root" group "root" mode 0o444 content certificate backup false + manage_symlink_source false + force_unlink true end - file "/etc/ssl/private/#{name}.key" do + file "/etc/ssl/private/#{new_resource.certificate}.key" do owner "root" group "ssl-cert" mode 0o440 content key backup false - end - elsif fallback_certificate - link "/etc/ssl/certs/#{name}.pem" do - to "#{fallback_certificate}.pem" - end - - link "/etc/ssl/private/#{name}.key" do - to "#{fallback_certificate}.key" + manage_symlink_source false + force_unlink true end else - template "/tmp/#{name}.ssl.cnf" do - cookbook "ssl" - source "ssl.cnf.erb" - owner "root" - group "root" - mode 0o644 - variables :domains => new_resource.domains - not_if do - ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key") - end - end + alt_names = new_resource.domains.collect { |domain| "DNS:#{domain}" } - execute "/etc/ssl/certs/#{name}.pem" do - command "openssl req -x509 -newkey rsa:2048 -keyout /etc/ssl/private/#{new_resource.name}.key -out /etc/ssl/certs/#{new_resource.name}.pem -days 365 -nodes -config /tmp/#{new_resource.name}.ssl.cnf" - user "root" + openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do + key_file "/etc/ssl/private/#{new_resource.certificate}.key" + owner "root" group "ssl-cert" - not_if do - ::File.exist?("/etc/ssl/certs/#{new_resource.name}.pem") && ::File.exist?("/etc/ssl/private/#{new_resource.name}.key") - end + mode 0o640 + org "OpenStreetMap" + email "operations@osmfoundation.org" + common_name new_resource.domains.first + subject_alt_name alt_names + extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true }, + "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true } end end end action :delete do - file "/etc/ssl/certs/#{name}.pem" do + file "/etc/ssl/certs/#{new_resource.certificate}.pem" do action :delete end - file "/etc/ssl/private/#{name}.key" do + file "/etc/ssl/private/#{new_resource.certificate}.key" do action :delete end end -def letsencrypt - @letsencrypt ||= search(:letsencrypt, "id:#{name}").first +action_class do + def letsencrypt + @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first + end end