fix: patch broken SSL certificates list

AWS Opsworks uses old, and for long time deprecated version of Chef (Chef 12). This version includes ROOT CA lists, which are long time expired - causing most of the scripts to fail. To mimic, a new configuration param `node['patches']['chef12_ssl_fix']` is introduced, to include more recent lists. Fixes #268 BREAKING CHANGE: By default new list of SSL certificates is used. It should not affect any of your current deployments, but if you start seeing SSL errors, the first thing you should check, is disabling `node['patches']['chef12_ssl_fix']` option. See #268 for more information.
ajgon · Oct 8, 2021 · 4887cf5 · 4887cf5
1 parent 26766d1
commit 4887cf5
Show file tree

Hide file tree

Showing 5 changed files with 79 additions and 18 deletions.
diff --git a/Gemfile.lock b/Gemfile.lock
@@ -21,7 +21,7 @@ GEM
       ridley (~> 5.0)
       solve (~> 4.0)
       thor (~> 0.19, < 0.19.2)
-    brakeman (5.0.4)
+    brakeman (5.1.1)
     buff-config (2.0.0)
       buff-extensions (~> 2.0)
       varia_model (~> 0.6)
@@ -73,7 +73,7 @@ GEM
       fuzzyurl
       mixlib-config (~> 2.0)
       mixlib-shellout (~> 2.0)
-    chef-utils (17.2.29)
+    chef-utils (17.6.18)
       concurrent-ruby
     chef-zero (5.3.2)
       ffi-yajl (~> 2.2)
@@ -107,7 +107,7 @@ GEM
       ruby_parser (>= 3.14.1)
     fauxhai (4.1.0)
       net-ssh
-    ffi (1.15.3)
+    ffi (1.15.4)
     ffi-yajl (2.4.0)
       libyajl2 (>= 1.2)
     foodcritic (16.3.0)
@@ -131,7 +131,7 @@ GEM
     json (2.5.1)
     kitchen-docker (2.11.0)
       test-kitchen (>= 1.0.0)
-    kitchen-vagrant (1.9.0)
+    kitchen-vagrant (1.10.0)
       test-kitchen (>= 1.4, < 4)
     libyajl2 (2.1.0)
     license-acceptance (2.1.13)
@@ -143,22 +143,22 @@ GEM
     logging (2.3.0)
       little-plugger (~> 1.1)
       multi_json (~> 1.14)
-    mini_portile2 (2.5.3)
+    mini_portile2 (2.6.1)
     minitar (0.9)
     mixlib-archive (0.4.20)
       mixlib-log
     mixlib-authentication (1.4.2)
     mixlib-cli (1.7.0)
     mixlib-config (2.2.18)
       tomlrb
-    mixlib-install (3.12.11)
+    mixlib-install (3.12.16)
       mixlib-shellout
       mixlib-versioning
       thor
     mixlib-log (1.7.1)
     mixlib-shellout (2.4.4)
     mixlib-versioning (1.2.12)
-    molinillo (0.7.0)
+    molinillo (0.8.0)
     multi_json (1.15.0)
     multipart-post (2.1.1)
     net-scp (3.0.0)
@@ -172,9 +172,9 @@ GEM
       net-ssh (>= 2.6.5)
       net-ssh-gateway (>= 1.2.0)
     net-telnet (0.1.1)
-    nio4r (2.5.7)
-    nokogiri (1.11.7)
-      mini_portile2 (~> 2.5.0)
+    nio4r (2.5.8)
+    nokogiri (1.12.5)
+      mini_portile2 (~> 2.6.1)
       racc (~> 1.4)
     nori (2.6.0)
     octokit (4.21.0)
@@ -196,7 +196,7 @@ GEM
       childprocess (>= 0.6.3, < 5)
       iniparse (~> 1.4)
       rexml (~> 3.2)
-    parallel (1.20.1)
+    parallel (1.21.0)
     parser (3.0.2.0)
       ast (~> 2.4.1)
     pastel (0.8.0)
@@ -249,22 +249,22 @@ GEM
     rspec_junit_formatter (0.2.3)
       builder (< 4)
       rspec-core (>= 2, < 4, != 2.12.0)
-    rubocop (1.18.3)
+    rubocop (1.22.1)
       parallel (~> 1.10)
       parser (>= 3.0.0.0)
       rainbow (>= 2.2.2, < 4.0)
       regexp_parser (>= 1.8, < 3.0)
       rexml
-      rubocop-ast (>= 1.7.0, < 2.0)
+      rubocop-ast (>= 1.12.0, < 2.0)
       ruby-progressbar (~> 1.7)
       unicode-display_width (>= 1.4.0, < 3.0)
-    rubocop-ast (1.8.0)
+    rubocop-ast (1.12.0)
       parser (>= 3.0.1.1)
-    rubocop-performance (1.11.4)
+    rubocop-performance (1.11.5)
       rubocop (>= 1.7.0, < 2.0)
       rubocop-ast (>= 0.4.0)
     ruby-progressbar (1.11.0)
-    ruby_parser (3.16.0)
+    ruby_parser (3.17.0)
       sexp_processor (~> 4.15, >= 4.15.1)
     rubyntlm (0.6.3)
     rubyzip (2.3.2)
@@ -303,7 +303,7 @@ GEM
     systemu (2.6.5)
     term-ansicolor (1.7.1)
       tins (~> 1.0)
-    test-kitchen (3.0.0)
+    test-kitchen (3.1.0)
       bcrypt_pbkdf (~> 1.0)
       chef-utils (>= 16.4.35)
       ed25519 (~> 1.2)
@@ -339,7 +339,7 @@ GEM
       tty-screen (~> 0.8)
       wisper (~> 2.0)
     tty-screen (0.8.1)
-    unicode-display_width (2.0.0)
+    unicode-display_width (2.1.0)
     unicode_utils (1.4.0)
     uuidtools (2.1.5)
     varia_model (0.6.0)

diff --git a/attributes/default.rb b/attributes/default.rb
@@ -12,6 +12,9 @@
 default['deployer']['group'] = 'deploy'
 default['deployer']['home'] = "/home/#{default['deployer']['user']}"
 
+# fixes
+default['patches']['chef12_ssl_fix'] = true
+
 # ruby
 default['apt']['compile_time_update'] = true
 default['build-essential']['compile_time'] = true

diff --git a/docs/attributes.md b/docs/attributes.md
@@ -75,6 +75,24 @@ They should'nt be used under `node['deploy'][<application_shortname>]` (notice l
     - If enabled current chef on OpsWorks will be updated to provided version (if integer provided) or the the
       latest version (if `true`).
 
+### Patches
+
+Chef 12 (which AWS opsworks ruby is based on) is EOL. It uses old libraries and dependencies, which will start be more
+and more problematic. "Patches" section of config is an attempt to workaround this - as long, as it's possible.
+
+!!! note
+
+    All of those options are set to `true` by default and it's strongly discouraged to disable them. However if you have
+    any problems with anything those patches touch, disabling them, is a first step to troubleshoot them.
+
+- `node['patches']['chef12_ssl_fix']`
+
+    - **Type:** boolean
+    - **Default:** `true`
+    - Chef 12 OpenSSL provide very old certificates list - most of them are expired now. This fix, force chef to use
+      more recent list (and valid) list.
+      See [Issue #268](https://github.com/ajgon/opsworks_ruby/issues/268) for more information.
+
 ## Cross-application attributes
 
 These attributes can only be set at the server level; they cannot vary from application to application.

diff --git a/recipes/setup.rb b/recipes/setup.rb
@@ -9,6 +9,16 @@
 
 prepare_recipe
 
+if node['patches']['chef12_ssl_fix']
+  remote_file 'Copy more recent root certificate into Chef' do
+    path '/opt/chef/embedded/ssl/certs/cacert.pem'
+    source 'file:///etc/ssl/certs/ca-certificates.crt'
+    owner 'root'
+    group 'root'
+    mode '0644'
+  end
+end
+
 # Upgrade chef
 # Taken from `chef-upgrade` cookbook <https://github.com/inopinatus/chef-upgrade> by Josh Goodall
 # The Chef updater will try to kill its own process. This causes setup failure.

diff --git a/spec/unit/recipes/setup_spec.rb b/spec/unit/recipes/setup_spec.rb
@@ -32,6 +32,36 @@
     stub_command('which nginx').and_return(false)
   end
 
+  context 'Patches' do
+    let(:chef_run) do
+      ChefSpec::SoloRunner.new(platform: 'ubuntu', version: '14.04') do |solo_node|
+        solo_node.set['patches'] = {
+          'chef12_ssl_fix' => chef12_ssl_fix
+        }
+      end.converge(described_recipe)
+    end
+    let(:chef12_ssl_fix) { true }
+
+    context 'when fix ssl certificates is enabled' do
+      it 'fixes SSL certificates' do
+        expect(chef_run).to create_remote_file('/opt/chef/embedded/ssl/certs/cacert.pem')
+          .with(
+            source: 'file:///etc/ssl/certs/ca-certificates.crt',
+            owner: 'root',
+            group: 'root',
+            mode: '0644'
+          )
+      end
+    end
+
+    context 'when fix ssl certificates is disabled' do
+      let(:chef12_ssl_fix) { false }
+      it 'does not fix SSL certificates' do
+        expect(chef_run).not_to create_remote_file('/opt/chef/embedded/ssl/certs/cacert.pem')
+      end
+    end
+  end
+
   context 'Chef version' do
     it 'not set' do
       expect(chef_run).not_to create_directory('/opt/aws/opsworks/current/plugins')