tls cookbook, version 3.2.0 (Chef Supermarket)
Deploy TLS certificates

Berksfile:
cookbook 'tls', '= 3.2.0', :supermarket
Policyfile:
cookbook 'tls', '= 3.2.0'
Knife:
knife supermarket install tls
knife supermarket download tls

tls-cookbook
Chef cookbook to deploy SSL/TLS certificates (including root ones) on a system. Data is stored in an encrypted data bag whose name is specified in the attribute node['tls']['data_bag_name'] (by default tls). The data bag item name matches the node.chef_environment value.
Certificate files will be placed under the directory specified in the attribute node['tls']['base_dir'] (by default /etc/chef-tls).
Root certificate files will be placed under system directories.
Encrypted data bag format
```json
{
  "id": "development",
  "ca_certificates": {
    // Trusted Root CA
    // "name": "----- certificate data -----"
    "Custom_CA": "-----BEGIN CERTIFICATE-----\nMIIF0jCC........UwhJJgNX\n-----END CERTIFICATE-----",
    // other entries
  },
  "certificates": [
    {
      "name": "domain.tld-rsa", // Certificate name (optional)
      "domains": [ // Domain list
        "domain.tld",
        "www.domain.tld"
      ],
      "chain": [ // Certificate chain (from leaf to root, PEM encoded, newlines must be escaped as \n)
        "-----BEGIN CERTIFICATE-----\nMIIFNjCC........4PcGNXXA\n-----END CERTIFICATE-----",
        "-----BEGIN CERTIFICATE-----\nMIIEkjCC........NFu0Qg==\n-----END CERTIFICATE-----"
      ],
      // Certificate private key (PEM encoded, newlines must be escaped as \n)
      "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpAIB........8tt8JA==\n-----END RSA PRIVATE KEY-----"
    },
    {
      // other entries
    }
  ]
}
```
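As an added example (not part of the cookbook), a plain-Ruby check that a decrypted item follows this layout before it is uploaded with knife: the id must equal the target chef_environment, every ca_certificates value and chain entry must parse as a certificate, the leaf must cover every listed domain in its subjectAltName, private_key must belong to the leaf, and the chain must be ordered from leaf to root. The function names are my own, and the sample item the block builds (a throwaway self-signed certificate standing in for both the leaf and the "CA") is constructed here; it works on the parsed Hash, so the PEM strings carry real newlines rather than the escaped \n of the JSON file.

```ruby
require 'openssl'
# Parse one PEM certificate string from the item; nil when it is not a certificate.
def parse_cert(pem)
  OpenSSL::X509::Certificate.new(pem.to_s) rescue nil
end

# Check a decrypted item (a Hash, as knife uploads it) against the layout above; returns problem strings (empty = ok).
def tls_item_problems(item, chef_environment)
  probs = []
  probs << "id must equal chef_environment (#{chef_environment})" unless item['id'] == chef_environment
  (item['ca_certificates'] || {}).each do |name, pem|
    probs << "ca_certificates[#{name}]: not a parseable certificate" unless parse_cert(pem)
  end
  Array(item['certificates']).each_with_index do |entry, i|
    tag = "certificates[#{i}]"
    domains = Array(entry['domains'])
    chain = Array(entry['chain']).map { |pem| parse_cert(pem) }
    probs << "#{tag}: domains list is empty" if domains.empty?
    probs << "#{tag}: chain is empty or has an unparseable certificate" if chain.empty? || chain.include?(nil)
    next if chain.empty? || chain.include?(nil)
    leaf = chain.first
    # The leaf must name every listed domain in its subjectAltName extension.
    sans = leaf.extensions.select { |x| x.oid == 'subjectAltName' }
               .flat_map { |x| x.value.split(', ') }.map { |v| v.delete_prefix('DNS:') }
    missing = domains - sans
    probs << "#{tag}: leaf certificate does not cover #{missing.join(', ')}" unless missing.empty?
    # private_key must be the leaf's key, and the chain must run from leaf towards the root.
    key = OpenSSL::PKey.read(entry['private_key'].to_s) rescue nil
    probs << "#{tag}: private_key does not match the leaf certificate" unless key && leaf.check_private_key(key)
    chain.each_cons(2) do |child, parent|
      probs << "#{tag}: chain is not ordered from leaf to root" unless child.issuer == parent.subject
    end
  end
  probs
end

# Constructed sample: throwaway RSA key and self-signed leaf for the domains, packed like the item above.
def sample_item(chef_environment = 'development', domains = %w[domain.tld www.domain.tld])
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version, cert.serial = 2, 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse("/CN=#{domains.first}")
  cert.public_key, cert.not_before, cert.not_after = key.public_key, Time.now, Time.now + 86_400
  cert.add_extension(OpenSSL::X509::ExtensionFactory.new.create_extension('subjectAltName', domains.map { |d| "DNS:#{d}" }.join(',')))
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  { 'id' => chef_environment, 'ca_certificates' => { 'Custom_CA' => cert.to_pem },
    'certificates' => [{ 'name' => "#{domains.first}-rsa", 'domains' => domains,
                         'chain' => [cert.to_pem], 'private_key' => key.to_pem }] }
end
```

Run it against the output of knife data bag show with the secret file applied; a non-empty result means the item would deploy wrong or not at all.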
Resources
tls_certificate
Certificate deployment is done with the tls_certificate resource. For example:
```ruby
tls_certificate 'www.domain.tld' do
  action :deploy
end
```
Different software (e.g. Nginx, Postfix) will require paths to the deployed certificates and private keys. To obtain these paths, use the ::ChefCookbook::TLS helper. Example:
```ruby
tls_item = ::ChefCookbook::TLS.new(node).certificate_entry('www.domain.tld')
tls_item.certificate_path             # Get path to the certificate
tls_item.certificate_private_key_path # Get path to the certificate's private key
```
If there are several certificates for the same set of domains (e.g. RSA and ECDSA ones), both the tls_certificate resource and the certificate_entry helper method will operate on the first matching item found in the data bag. To pick out a specific certificate, use either the tls_rsa_certificate resource / rsa_certificate_entry helper method or the tls_ec_certificate resource / ec_certificate_entry helper method.
tls_rsa_certificate
```ruby
tls_rsa_certificate 'www.domain.tld' do
  action :deploy
end
tls_item = ::ChefCookbook::TLS.new(node).rsa_certificate_entry('www.domain.tld')
```
tls_ec_certificate
```ruby
tls_ec_certificate 'www.domain.tld' do
  action :deploy
end
tls_item = ::ChefCookbook::TLS.new(node).ec_certificate_entry('www.domain.tld')
```
tls_ca_certificate
Installing/uninstalling CA certificates only works on Ubuntu systems.
To obtain the path to the CA certificate bundle, use the ::ChefCookbook::TLS helper. Example:
```ruby
tls_helper = ::ChefCookbook::TLS.new(node)
tls_helper.ca_bundle_path # Get CA certificate bundle path
```
Installing
```ruby
tls_ca_certificate 'Custom_CA' do
  action :install
end
```
Uninstalling
```ruby
tls_ca_certificate 'Custom_CA' do
  action :uninstall
end
```
License
MIT @ Alexander Pyatkin
Dependent cookbooks
This cookbook has no specified dependencies.
Contingent cookbooks
Collaborator Number Metric
3.2.0 failed this metric
Failure: Cookbook has 0 collaborators. A cookbook must have at least 2 collaborators to pass this metric.
Contributing File Metric
3.2.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a CONTRIBUTING.md file
Foodcritic Metric
3.2.0 failed this metric
FC066: Ensure chef_version is set in metadata: tls/metadata.rb:1
FC108: Resource should not define a property named 'name': tls/resources/ca_certificate.rb:3
Run with Foodcritic Version 14.3.0 with tags metadata,correctness ~FC031 ~FC045 and failure tags any
No Binaries Metric
3.2.0 passed this metric
Publish Metric
3.2.0 passed this metric
Supported Platforms Metric
3.2.0 passed this metric
Testing File Metric
3.2.0 failed this metric
Failure: To pass this metric, your cookbook metadata must include a source url, the source url must be in the form of https://github.com/user/repo, and your repo must contain a TESTING.md file
Version Tag Metric
3.2.0 passed this metric