cookbook 'ssl', '~> 1.1.1'
ssl 1.1.1
Sets up SSL certs and keys from an encrypted data bag
cookbook 'ssl', '~> 1.1.1', :supermarket
knife supermarket install ssl
knife supermarket download ssl
DESCRIPTION
A recipe for setting up system-wide SSL certs on Ubuntu / Debian systems.
REQUIREMENTS
Ubuntu or Debian Linux system and an encrypted data bag named "ssl".
ATTRIBUTES
node['ssl']['certs_dir'] = '/etc/ssl/certs'
node['ssl']['keys_dir'] = '/etc/ssl/keys'
node['ssl']['group'] = 'ssl-cert'
node['ssl']['domain'] = '*'
USAGE
The certs and keys are retrieved from an encrypted data bag named "ssl". Inside
the data bag item, the cert should be in a key named "cert", the domain name
should be in the "id" key with periods replaced by underscores
(e.g. foo.com -> foo_com), the cert's private key should be in "key", and if you
have a chain of certs to validate your domain's cert, put them in an array under
"chain" and the recipe will set them up for you. If you have a local CA, you can
store that in a key named "ca", and the recipe will install and symlink it in the
certs_dir.
NOTE: The certs and keys should all be on one line, with their newlines replaced
by "\n". They will be stored correctly once placed on the server.
Sample way to generate the data bag:
bundle exec knife solo data bag create ssl -d --data-bag-path data_bags -j '{"id":"caregeneral_com", "key":"private_key_of_caregeneral","cert":"certificate","chain":["cert", "cert"]}'
A sample data bag item, data_bags\keys\domain_com.json:
{
  "name": "data_bag_item_ssl_domain_com",
  "json_class": "Chef::DataBagItem",
  "chef_type": "data_bag_item",
  "data_bag": "ssl",
  "raw_data": {
    "id": "domain_com_staging",
    "key": "-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----",
    "cert": "-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----",
    "chain": [
      "-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\nAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----",
      "-----BEGIN CERTIFICATE-----\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\nBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB\n-----END CERTIFICATE-----"
    ]
  }
}
After running the default recipe, your certs will be in
/etc/ssl/certs/{domain.name}.crt, and the keys will be in
/etc/ssl/private/{domain.name}.key. Any chain certs will be combined into
/etc/ssl/certs/{domain.name}.chain.crt and the whole cert chain will be put into
/etc/ssl/certs/{domain.name}.combined.crt. The separate chain cert is for
Apache, and the combined one is for Nginx. A CA cert will be stored as
/etc/ssl/certs/{domain.name}-ca.crt; however, you can put the CA in a data bag
of its own if you'd prefer a different prefix than domain.name.
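Added example (Ruby; not the cookbook's own code) covering the NOTE about newline escaping and the file layout above: it checks a data bag item for the expected "id"/"key"/"cert"/"chain" shape, builds the JSON for the knife command, and renders the set of files the default recipe writes. The sample item, its placeholder PEM bodies, the id-to-domain mapping and the directory defaults are constructed assumptions.

```ruby
require 'json'

# Constructed sample item (placeholder PEM bodies, not real key material) in the
# shape the README describes, as it looks after JSON parsing.
SAMPLE_ITEM = {
  'id'    => 'example_com',
  'key'   => "-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----",
  'cert'  => "-----BEGIN CERTIFICATE-----\nBBBB\n-----END CERTIFICATE-----",
  'chain' => ["-----BEGIN CERTIFICATE-----\nCCCC\n-----END CERTIFICATE-----",
              "-----BEGIN CERTIFICATE-----\nDDDD\n-----END CERTIFICATE-----"]
}.freeze

def pem?(blob, label)
  blob.is_a?(String) && blob.start_with?("-----BEGIN #{label}-----") &&
    blob.rstrip.end_with?("-----END #{label}-----")
end

# Checks an item before anything is written to disk; returns a list of problems.
def validate_item(item)
  errors = []
  errors << 'bad id' unless item['id'].to_s =~ /\A[A-Za-z0-9_-]+\z/
  errors << 'cert is not PEM' unless pem?(item['cert'], 'CERTIFICATE')
  errors << 'key is not PEM' unless pem?(item['key'], 'RSA PRIVATE KEY') || pem?(item['key'], 'PRIVATE KEY')
  Array(item['chain']).each_with_index do |c, i|
    errors << "chain[#{i}] is not PEM" unless pem?(c, 'CERTIFICATE')
  end
  errors
end

# Builds the JSON for `knife ... -j`; JSON.generate writes the "\n" escapes the
# NOTE asks for, so the PEM files can be read in unchanged.
def databag_json(id, key_pem, cert_pem, chain_pems = [])
  JSON.generate('id' => id, 'key' => key_pem.strip, 'cert' => cert_pem.strip,
                'chain' => chain_pems.map(&:strip))
end

# Returns the files the default recipe lays down, keyed by path: the chain on
# its own for Apache and cert+chain combined for Nginx.
def render_files(item, certs_dir: '/etc/ssl/certs', keys_dir: '/etc/ssl/private')
  domain = item['id'].tr('_', '.') # assumed mapping: example_com -> example.com
  chain = Array(item['chain']).map { |c| c.strip + "\n" }.join
  files = { "#{certs_dir}/#{domain}.crt" => item['cert'].strip + "\n",
            "#{keys_dir}/#{domain}.key"  => item['key'].strip + "\n" }
  unless chain.empty?
    files["#{certs_dir}/#{domain}.chain.crt"]    = chain
    files["#{certs_dir}/#{domain}.combined.crt"] = files["#{certs_dir}/#{domain}.crt"] + chain
  end
  files["#{certs_dir}/#{domain}-ca.crt"] = item['ca'].strip + "\n" if item['ca']
  files
end
```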
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Collaborator Number Metric
1.1.1 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
1.1.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
1.1.1 failed this metric
FC064: Ensure issues_url is set in metadata: ssl/metadata.rb:1
FC065: Ensure source_url is set in metadata: ssl/metadata.rb:1
FC066: Ensure chef_version is set in metadata: ssl/metadata.rb:1
FC069: Ensure standardized license defined in metadata: ssl/metadata.rb:1
Run with Foodcritic Version 16.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
1.1.1 passed this metric
Testing File Metric
1.1.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
1.1.1 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must include a tag that matches this cookbook version number