cookbook 'tls', '= 2.0.0'
tls (16) Versions 2.0.0 Follow0
Deploy TLS certificates
cookbook 'tls', '= 2.0.0', :supermarket
knife supermarket install tls
knife supermarket download tls
tls-cookbook
Chef cookbook to deploy SSL/TLS certificates (including root ones) on a system. Data is stored in the encrypted data bag which name is specified in the attribute node['tls']['data_bag_name'] (by default tls). Data bag item name matches node.chef_environment value.
Certificate files will be placed under the directory specified in attribute node['tls']['base_dir'] (by default /etc/chef-tls).
Root certificate files will be placed under system directories.
Encrypted data bag format
{
"id": "development",
"ca_certificates": {
// Trusted Root CA
// "name": "----- certificate data -----"
"Custom_CA": "-----BEGIN CERTIFICATE-----\nMIIF0jCC........UwhJJgNX\n-----END CERTIFICATE-----",
// other entries
},
"certificates": [
{
"domains": [ // Domain list
"domain.tld",
"www.domain.tld"
],
"chain": [ // Certificate chain (from leaf to root, PEM encoded, new lines should be escaped)
"-----BEGIN CERTIFICATE-----\nMIIFNjCC........4PcGNXXA\n-----END CERTIFICATE-----",
"-----BEGIN CERTIFICATE-----\nMIIEkjCC........NFu0Qg==\n-----END CERTIFICATE-----"
],
"private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIB........8tt8JA==\n-----END RSA PRIVATE KEY-----", // Certificate private key (PEM encoded, new lines should be escaped)
"hpkp_pins": [ // HPKP pins (base64 encoded)
"wZgbeR6b........",
"bDSe0744........"
],
"scts": { // SCTs (base64 encoded)
"google_aviator": "AGj2mPgf........3nYNtNU=",
"google_pilot": "AKS5CZC0........RnySxdE=",
"google_rocketeer": "AO5Lvbd1........bdC+zlI="
}
},
{
// other entries
}
]
}
Resources
tls_certificate
Certificate deployment is made by using tls_certificate resource. For example,
tls_certificate 'www.domain.tld' do action :deploy end
Different software (e.g. Nginx, Postfix) will require paths to deployed certificates, private keys and SCTs. To obtain these paths, ::ChefCookbook::TLS helper should be used. Below is the example:
tls_item = ::ChefCookbook::TLS.new(node).certificate_entry 'www.domain.tld' tls_item.certificate_path # Get path to the certificate tls_item.certificate_private_key_path # Get path to the certificate's private key tls_item.scts_dir # Get path to the folder with deployed SCTs tls_item.hpkp_pins # Get array of HPKP pins
tls_ca_certificate
Installing/uninstalling CA certificates only works on Ubuntu systems.
To obtain path to CA certificate bundle, ::ChefCookbook::TLS helper should be used. Below is the example:
tls_helper = ::ChefCookbook::TLS.new(node) tls_helper.ca_bundle_path # Get CA certificate bundle path
Installing
tls_ca_certificate 'Custom_CA' do action :install end
Uninstalling
tls_ca_certificate 'Custom_CA' do action :uninstall end
License
MIT @ Alexander Pyatkin
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Collaborator Number Metric
2.0.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Foodcritic Metric
2.0.0 passed this metric
2.0.0 failed this metric
2.0.0 passed this metric
