This repository has been archived by the owner on Jun 30, 2023. It is now read-only.

merge_key ; merge_chain -> /etc/ssl/private/ #31

Closed
linuxmail opened this issue Jun 1, 2018 · 5 comments

Comments

@linuxmail

Hello,

first, very big thanks for this awesome module, as I was able to remove my own files and use your module.

My next thing is either a question or a feature request. We use haproxy, which requires the key in the cert file, and I know that there is a merge_key = true, but then the key is placed into /etc/ssl/certs/, which isn't quite good ;-) I know that I can change the path too, but every time the key is used it should go to /etc/ssl/private by default, so merge_key should create a file /etc/ssl/private/foo.merge_cert.pem which holds the cert and the private key.

And here we come to the next point, which is a bit unclear for me: ca vs. chain.

We have a Root CA cert (for example Thawte thawte_256_ca_bundle) and our own cert www.example.com.crt, which is signed by Thawte. So we want the "chain" out of the CA (thawte_256_ca_bundle) from Thawte and our www.example.com.crt. What is the correct Hiera syntax?

What we have:

    ca_name: "thawte_256_ca"
    ca_cert: true
    ca_content: "%{hiera('thawte_256_ca_bundle')}"
    cert_chain: true
    merge_chain: true
    merge_key: true
    chain_path: '/etc/ssl/private'
    chain_name: "example.com_chain"
    chain_content: "%{hiera('wildcard_example.com_cert')}%{hiera('thawte_256_ca_bundle')}"
    cert_content: "%{hiera('wildcard_example.com_cert')}"
    key_content: "%{hiera('wildcard_example.com_key')}"

As you can see, we get /etc/ssl/certs/example.com.crt out of our cert, the Thawte CA and the private key. The /etc/ssl/private/example.com_chain has the Thawte CA and our cert, but the private key is missing. Sure, I can add it:

    chain_content: "%{hiera('wildcard_example.com_cert')}%{hiera('thawte_256_ca_bundle')}%{hiera('wildcard_example.com_key')}"

But that looks even more wrong, because then I don't need merge_key: true :-)

Can you bring some light into it?

Thanks so much :-)

@rcalixte

rcalixte commented Jun 7, 2018

@linuxmail we should probably consider either changing the default directory when merge_key is set to true or restricting the permissions if placing the resulting file into /etc/ssl/certs (both could even work as solutions together).

@linuxmail
Author

hi @rcalixte

Definitely moving to /etc/ssl/private :-) No one would expect a private key in ssl/certs/

@rcalixte

@linuxmail the fix for the merge_key issue has been included in 2.5.0 if you want to test it out.

Regarding your question, have you tried something similar to the following:

    ca_cert: true
    ca_name: 'thawte_256_ca_bundle'
    ca_content: "%{hiera('thawte_256_ca_bundle')}"
    merge_chain: true
    merge_key: true
    cert_content: "%{hiera('wildcard_example.com_cert')}"
    key_content: "%{hiera('wildcard_example.com_key')}"

Setting merge_chain to true will include the Thawte bundle whether you specify it as the ca or the certificate chain, so you shouldn't need both definitions.

Hope this helps! Shout if it doesn't!
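The following script is an added example, not code from the Puppet module or from either participant in this thread. It shows the three points the discussion turns on: the order a merged file should have for haproxy (leaf certificate first, then the chain, then the private key), why the merged file must be created with mode 0600 under a private directory rather than dropped into /etc/ssl/certs with the usual 0644, and what goes wrong when PEM blocks are glued together by plain string concatenation, as the chain_content Hiera lookup above does. The PEM blocks are constructed placeholders rather than real certificates or keys, the directory layout is built in a temp dir that stands in for /etc/ssl, and the file names are illustrative; nothing here assumes how the module itself merges files.

```python
"""Merge leaf cert + CA chain + private key into one haproxy-style PEM file, and
audit a certificate directory for private keys that should not be there.

Added example, not code from the Puppet module discussed in the issue. Standard
library only; PEM blocks are constructed placeholders and all files are created
in a temp dir, so /etc/ssl is never touched.
"""
import os
import re
import stat
import tempfile

# One PEM block. BEGIN and END must each start a line, as OpenSSL's line-based
# PEM reader requires, and the END label must match the BEGIN label.
PEM_BLOCK = re.compile(r"^-----BEGIN ([A-Z ]+)-----$\n.*?^-----END \1-----$", re.S | re.M)

# Constructed stand-ins for the Hiera values in the issue. The leaf cert has no
# trailing newline on purpose; values pasted into Hiera often end that way.
WILDCARD_CERT = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----"
CA_BUNDLE = ("-----BEGIN CERTIFICATE-----\nINTERMEDIATE\n-----END CERTIFICATE-----\n"
             "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n")
WILDCARD_KEY = "-----BEGIN PRIVATE KEY-----\nSECRET\n-----END PRIVATE KEY-----\n"


def pem_block_types(text):
    """Return the labels of the PEM blocks a line-based reader finds in text."""
    return [m.group(1) for m in PEM_BLOCK.finditer(text)]


def merge_pem(cert, chain, key):
    """Return one PEM string: leaf cert, then the chain, then the private key.

    The leaf must come first: OpenSSL-based servers such as haproxy treat the
    first certificate as the server cert and the rest as its chain. Every part
    is newline-terminated before joining, because plain concatenation of Hiera
    values ("%{hiera('a')}%{hiera('b')}") otherwise glues an END line and the
    next BEGIN line together and a block silently vanishes from the parse.
    """
    if pem_block_types(cert) != ["CERTIFICATE"]:
        raise ValueError("cert must be exactly one CERTIFICATE block")
    if set(pem_block_types(chain)) != {"CERTIFICATE"}:
        raise ValueError("chain must contain only CERTIFICATE blocks")
    key_types = pem_block_types(key)
    if len(key_types) != 1 or not key_types[0].endswith("PRIVATE KEY"):
        raise ValueError("key must be exactly one private key block")
    return "".join(p if p.endswith("\n") else p + "\n" for p in (cert, chain, key))


def write_private_pem(path, content):
    """Create path with mode 0600 from the first instant (no window in which a
    0644 file holds the key) and refuse to clobber an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # umask can only clear bits, but be explicit anyway
    return path


def find_exposed_keys(directory):
    """Return (path, mode) for files that hold a private key and are readable by
    group or others: the merged cert+key file landing in /etc/ssl/certs."""
    findings = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            types = pem_block_types(fh.read())
        if not any(t.endswith("PRIVATE KEY") for t in types):
            continue
        mode = stat.S_IMODE(os.stat(path).st_mode)
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((path, mode))
    return findings


def demo():
    """Recreate the issue's layout in a temp dir and return what the checks see."""
    root = tempfile.mkdtemp(prefix="ssl-merge-demo-")
    certs_dir = os.path.join(root, "certs")      # stands in for /etc/ssl/certs
    private_dir = os.path.join(root, "private")  # stands in for /etc/ssl/private
    os.mkdir(certs_dir, 0o755)
    os.mkdir(private_dir, 0o700)
    merged = merge_pem(WILDCARD_CERT, CA_BUNDLE, WILDCARD_KEY)

    # What the reporter saw: the merged file, key included, in the public dir.
    bad = os.path.join(certs_dir, "example.com.crt")
    with open(bad, "w") as fh:
        fh.write(merged)
    os.chmod(bad, 0o644)

    # What was wanted: the same content, created 0600 under the private dir.
    good = write_private_pem(os.path.join(private_dir, "example.com_chain.pem"), merged)
    with open(good) as fh:
        good_types = pem_block_types(fh.read())

    return {
        "good_order": good_types,
        "good_mode": stat.S_IMODE(os.stat(good).st_mode),
        # Naive concatenation, as in the chain_content lookup, loses a block.
        "glued_blocks": pem_block_types(WILDCARD_CERT + CA_BUNDLE + WILDCARD_KEY),
        "exposed_in_certs": [os.path.basename(p) for p, _ in find_exposed_keys(certs_dir)],
        "exposed_in_private": find_exposed_keys(private_dir),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run as a script it prints the observations: the merged file under the private dir has four blocks in order and mode 0600, the glued string parses to three blocks because the intermediate certificate gets swallowed into the leaf block, and only the copy in the certs dir is reported by the audit. The audit function is the check worth running on a real host after a module upgrade like the one mentioned above: point it at /etc/ssl/certs and anything it returns is a key that needs to move.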

@linuxmail
Author

Hi @rcalixte

Thanks for the update. I upgraded the module today and we will see if it works for us, but I think it will :-)

@linuxmail
Author

hi,

it seems to be working pretty well :-) Thanks.
