merge_key ; merge_chain -> /etc/ssl/private/ #31
Comments
@linuxmail we should probably consider either changing the default directory when
hi @rcalixte definitely moving to /etc/ssl/private :-) no one would expect a private key in ssl/certs/
@linuxmail the fix for the Regarding your question, have you tried something similar to the following:
Setting Hope this helps! Shout if it doesn't!
Hi @rcalixte thanks for the update. I upgraded the module today and we will see if it works for us, but I think it will :-)
hi, it seems to be working pretty well :-) Thanks.
Hello,
first, very big thanks for this awesome module, as I was able to remove my own files and use your module.
My next thing is either a question or a feature request. We use haproxy, which requires the key in the cert file, and I know that there is a merge_key = true, but then the key is placed into /etc/ssl/certs/, which isn't quite good ;-) I know that I can change the path too, but every time the key is used it should go to /etc/ssl/private per default, so merge_key should create a file /etc/ssl/private/foo.merge_cert.pem which holds the cert and the private key.
And here we come to the next point, which is a bit unclear for me: ca vs. chain.
We have a Root CA cert (for example Thawte thawte_256_ca_bundle) and our own cert www.example.com.crt, which is signed by Thawte. So we want the "chain" out of the CA (thawte_256_ca_bundle) from Thawte and our www.example.com.crt. What is the correct Hiera syntax?
What we have:
As you can see, we get the /etc/ssl/certs/example.com.crt out of our cert and the Thawte CA and the private key. The /etc/ssl/private/example.com_chain has the Thawte CA and our cert, but the private key is missing. Sure, I can add it:
chain_content: "%{hiera('wildcard_example.com_cert')}%{hiera('thawte_256_ca_bundle')}%{hiera('wildcard_example.com_key')}"
But that looks even more wrong, because then I don't need merge_key: true :-)
Can you bring some light into it?
Thanks so much :-)
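One way to do the merge the issue is asking about, as an added example that is neither the module's code nor from the thread: a small Python script with assumed names (`merge_for_haproxy`, `write_private_pem`, `audit_pem_file`, `demo`) that concatenates the leaf cert, the CA chain and the key in the order haproxy reads them, writes the result owner-readable only as a file under /etc/ssl/private should be, and flags a merged file whose key is group/other-readable or that landed under /etc/ssl/certs/. The PEM bodies are constructed placeholders, and the demo writes into a temporary directory instead of /etc/ssl/private.

```python
import os
import re
import tempfile

# One PEM block of any label (CERTIFICATE, RSA PRIVATE KEY, ...); \1 matches the same label.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n.*?-----END \1-----", re.S)

def split_pem(text):
    """Return (label, block) pairs for every PEM block in a bundle."""
    return [(m.group(1), m.group(0) + "\n") for m in PEM_BLOCK.finditer(text)]

def merge_for_haproxy(cert_pem, chain_pem, key_pem):
    """Concatenate in the order haproxy reads: leaf cert, CA chain, then the key."""
    certs = [b for l, b in split_pem(cert_pem) + split_pem(chain_pem) if l.endswith("CERTIFICATE")]
    keys = [b for l, b in split_pem(key_pem) if l.endswith("PRIVATE KEY")]
    if len(keys) != 1:
        raise ValueError("expected exactly one private key, found %d" % len(keys))
    return "".join(certs + keys)

def write_private_pem(path, content):
    """Create the file owner-only from the first byte, so the key is never briefly world-readable."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # a pre-existing file keeps its old mode unless tightened here

def audit_pem_file(path):
    """Findings for a PEM file that embeds a private key: loose mode or the certs directory."""
    with open(path) as fh:
        labels = [l for l, _ in split_pem(fh.read())]
    findings = []
    if any(l.endswith("PRIVATE KEY") for l in labels):
        mode = os.stat(path).st_mode & 0o777
        if mode & 0o077:
            findings.append("key readable by group/other (mode %o)" % mode)
        if os.path.abspath(path).startswith("/etc/ssl/certs/"):
            findings.append("key stored under /etc/ssl/certs/")
    return findings

# Constructed placeholder PEM blocks; the bodies are not real certificates or keys.
LEAF = "-----BEGIN CERTIFICATE-----\nLEAF\n-----END CERTIFICATE-----\n"
CA_BUNDLE = "-----BEGIN CERTIFICATE-----\nROOT\n-----END CERTIFICATE-----\n"
KEY = "-----BEGIN RSA PRIVATE KEY-----\nKEYBODY\n-----END RSA PRIVATE KEY-----\n"

def demo():
    """Merge, write into a temp dir (stand-in for /etc/ssl/private), audit, then loosen the mode."""
    path = os.path.join(tempfile.mkdtemp(), "example.com.merged.pem")
    merged = merge_for_haproxy(LEAF, CA_BUNDLE, KEY)
    write_private_pem(path, merged)
    good = audit_pem_file(path)
    os.chmod(path, 0o644)  # what a key dropped with certificate permissions looks like
    return merged, good, audit_pem_file(path)
```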