X-Git-Url: https://git.openstreetmap.org./chef.git/blobdiff_plain/b3b90ac434a01ab3f6eec2fa0650d2a9d210eded..c307ef550f5c5c6e7c8be3ad7d85d3815e0ed0ca:/cookbooks/ssl/resources/certificate.rb?ds=inline diff --git a/cookbooks/ssl/resources/certificate.rb b/cookbooks/ssl/resources/certificate.rb index 7348a6726..f2fb4784c 100644 --- a/cookbooks/ssl/resources/certificate.rb +++ b/cookbooks/ssl/resources/certificate.rb @@ -1,8 +1,8 @@ # -# Cookbook Name:: ssl +# Cookbook:: ssl # Resource:: ssl_certificate # -# Copyright 2017, OpenStreetMap Foundation +# Copyright:: 2017, OpenStreetMap Foundation # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. @@ -17,14 +17,16 @@ # limitations under the License. # +unified_mode true + default_action :create property :certificate, String, :name_property => true -property :domains, [String, Array], :required => true +property :domains, [String, Array], :required => [:create] action :create do node.default[:letsencrypt][:certificates][new_resource.certificate] = { - :domains => Array(new_resource.domains) + :domains => domains } if letsencrypt @@ -36,7 +38,7 @@ action :create do file "/etc/ssl/certs/#{new_resource.certificate}.pem" do owner "root" group "root" - mode 0o444 + mode "444" content certificate backup false manage_symlink_source false @@ -46,26 +48,26 @@ action :create do file "/etc/ssl/private/#{new_resource.certificate}.key" do owner "root" group "ssl-cert" - mode 0o440 + mode "440" content key backup false manage_symlink_source false force_unlink true end else - alt_names = new_resource.domains.collect { |domain| "DNS:#{domain}" } + alt_names = domains.collect { |domain| "DNS:#{domain}" } openssl_x509_certificate "/etc/ssl/certs/#{new_resource.certificate}.pem" do key_file "/etc/ssl/private/#{new_resource.certificate}.key" owner "root" group "ssl-cert" - mode 0o640 + mode "640" org "OpenStreetMap" email "operations@osmfoundation.org" - common_name new_resource.domains.first + common_name domains.first subject_alt_name alt_names - extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment] }, - "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth] } + extensions "keyUsage" => { "values" => %w[digitalSignature keyEncipherment], "critical" => true }, + "extendedKeyUsage" => { "values" => %w[serverAuth clientAuth], "critical" => true } end end end @@ -84,4 +86,8 @@ action_class do def letsencrypt @letsencrypt ||= search(:letsencrypt, "id:#{new_resource.certificate}").first end + + def domains + Array(new_resource.domains) + end end