Menu

Chef Supermarket

Adoptable Cookbooks List

Looking for a cookbook to adopt? You can now see a list of cookbooks available for adoption!
List of Adoptable Cookbooks

Supermarket Belongs to the Community

Supermarket belongs to the community. While Chef has the responsibility to keep it running and be stewards of its functionality, what it does and how it works is driven by the community. The chef/supermarket repository will continue to be where development of the Supermarket application takes place. Come be part of shaping the direction of Supermarket by opening issues and pull requests or by joining us on the Chef Mailing List.

View our collection of guides, documentation, and articles

Cookbooks
Advanced Options

Select Badges

Select Supported Platforms

RSS

tls (10) Versions 3.2.0

Deploy SSL/TLS certificates

Berkshelf
Policyfile
Knife 
cookbook 'tls', '~> 3.2.0'
cookbook 'tls', '~> 3.2.0', :supermarket
knife supermarket install tls
knife supermarket download tls
README
Dependencies
Quality 50%

tls-cookbook

Chef cookbook license
Chef cookbook to deploy SSL/TLS certificates (including root ones) on a system. Data is stored in the encrypted data bag which name is specified in the attribute node['tls']['data_bag_name'] (by default tls). Data bag item name matches node.chef_environment value.

Certificate files will be placed under the directory specified in attribute node['tls']['base_dir'] (by default /etc/chef-tls).

Root certificate files will be placed under system directories.

Encrypted data bag format

{
  "id": "development",
  "ca_certificates": {
    // Trusted Root CA
    // "name": "----- certificate data -----"
    "Custom_CA": "-----BEGIN CERTIFICATE-----\nMIIF0jCC........UwhJJgNX\n-----END CERTIFICATE-----",
    // other entries
  },
  "certificates": [
    {
      "name": "domain.tld-rsa", // Certificate name (optional)
      "domains": [ // Domain list
        "domain.tld",
        "www.domain.tld"
      ],
      "chain": [ // Certificate chain (from leaf to root, PEM encoded, new lines should be escaped)
        "-----BEGIN CERTIFICATE-----\nMIIFNjCC........4PcGNXXA\n-----END CERTIFICATE-----",
        "-----BEGIN CERTIFICATE-----\nMIIEkjCC........NFu0Qg==\n-----END CERTIFICATE-----"
      ],
      "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIB........8tt8JA==\n-----END RSA PRIVATE KEY-----" // Certificate private key (PEM encoded, new lines should be escaped)
    },
    {
      // other entries
    }
  ]
}

Resources

tls_certificate

Certificate deployment is made by using tls_certificate resource. For example,

tls_certificate 'www.domain.tld' do
  action :deploy
end

Different software (e.g. Nginx, Postfix) will require paths to deployed certificates and private keys. To obtain these paths, ::ChefCookbook::TLS helper should be used. Below is the example:

tls_item = ::ChefCookbook::TLS.new(node).certificate_entry('www.domain.tld')

tls_item.certificate_path  # Get path to the certificate
tls_item.certificate_private_key_path  # Get path to the certificate's private key

If there are several certificates for the same set of domains (e.g. RSA and ECDSA ones), both tls_certificate resource and certificate_entry helper method will operate with the first item found in the data bag. To pick out the exact certificate, you should use either tls_rsa_certificate resource / rsa_certificate_entry helper method or tls_ec_certificate resource / ec_certificate_entry helper method.

tls_rsa_certificate

tls_rsa_certificate 'www.domain.tld' do
  action :deploy
end

tls_item = ::ChefCookbook::TLS.new(node).rsa_certificate_entry('www.domain.tld')

tls_ec_certificate

tls_ec_certificate 'www.domain.tld' do
  action :deploy
end

tls_item = ::ChefCookbook::TLS.new(node).ec_certificate_entry('www.domain.tld')

tls_ca_certificate

Installing/uninstalling CA certificates only works on Ubuntu systems. To obtain path to CA certificate bundle, ::ChefCookbook::TLS helper should be used. Below is the example:

tls_helper = ::ChefCookbook::TLS.new(node)

tls_helper.ca_bundle_path  # Get CA certificate bundle path

Installing

tls_ca_certificate 'Custom_CA' do
  action :install
end

Uninstalling

tls_ca_certificate 'Custom_CA' do
  action :uninstall
end

License

MIT @ Alexander Pyatkin

Dependent cookbooks

This cookbook has no specified dependencies.

Contingent cookbooks

redirect Applicable Versions
redirect 1.0.0
redirect 1.1.0
redirect 1.2.0
redirect 1.3.0
redirect 1.3.1
redirect 1.4.0
redirect 1.4.1
redirect 1.4.2
redirect 1.4.3
redirect 1.5.0
redirect 1.5.1
redirect 1.6.0
redirect 2.0.0
redirect 2.1.0
redirect 2.1.1

Collaborator Number Metric 
            
3.2.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.

Contributing File Metric 
            
3.2.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file

Foodcritic Metric 
            
3.2.0 failed this metric
FC066: Ensure chef_version is set in metadata: tls/metadata.rb:1
FC108: Resource should not define a property named 'name': tls/resources/ca_certificate.rb:3
Run with Foodcritic Version 14.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any

No Binaries Metric 
            
3.2.0 passed this metric

Publish Metric 
            
3.2.0 passed this metric

Supported Platforms Metric 
            
3.2.0 passed this metric

Testing File Metric 
            
3.2.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file

Version Tag Metric 
            
3.2.0 passed this metric

Alexander Pyatkin Alexander Pyatkin

Details

View Source View Issues

Updated April 15, 2019 Created on

Platforms

  • ubuntu >= 0.0.0

License

MIT

Download Cookbook