sous-chefs / certificate Goto Github PK


Development repository for the certificate cookbook

Home Page: https://supermarket.chef.io/cookbooks/certificate

Ruby 99.89% HTML 0.11%
chef-cookbook hacktoberfest chef-resource managed-by-terraform certificate chef

certificate's Introduction

sous-chefs.org website


The website is created using the static site generator, Hugo.

The live website is hosted on GitHub pages on the gh-pages branch. Netlify is used to preview changes on branches.

Development

  1. Install Hugo for your platform according to the instructions

  2. Create a feature branch to work on based off of main

  3. Clone the website code and start the development server. This will run a local hugo server that watches for changes to the source files. There will be a section in the output showing which port the site is served on (typically http://localhost:1313):

    git clone [email protected]:sous-chefs/website
    cd website
    git checkout -b my-feature-branch
    hugo server -ws .
  4. Commit your changes, push the branch to the remote and open a Pull Request.

    git push --set-upstream origin my-feature-branch

Contributors

This project exists thanks to all the people who contribute.

Backers

Thank you to all our backers!

https://opencollective.com/sous-chefs#backers

Sponsors

Support this project by becoming a sponsor. Your logo will show up here with a link to your website.


certificate's People

Contributors

alefebvre-ls, atomic-penguin, chr4, damacus, deltachaos, detjensrobert, dmlb2000, docwhat, esigler, glensc, jordane, kitchen-porter, maks3w, mal, martinb3, mburns, notapatch, nshenry03, paulschwarz, ramereth, renovate[bot], rmoriz, sawanoboly, sonnysideup, tmatilai, wamcvey


certificate's Issues

Enable sensitive mode for certificate template files

Currently, the sensitive option is not available for the template declarations which create the SSL certs. The end result is that the keys, including private, are printed to standard out during the chef run. As an improvement to security, the sensitive option should be enabled and set to true by default for this template resource.

An example of a potential scenario could be where someone is logging output of the chef runs to a file, which is then read by Logstash and indexed in ElasticSearch. Consequently, anyone who would have read access to this data via Kibana would be able to easily obtain the certificates.

support mode attribute to set permission

I tried to provide monit with an ssl certificate. The LWRP works fine and the pem from my encrypted databag ends up on the server, but with the wrong permissions.

monit: The SSL server PEM file '/etc/ssl/certs/monit.myserver.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644).
/etc/monit/monitrc:28: Error: SSL server PEM file has too loose permissions '/etc/ssl/certs/monit.myserver.pem'

Please add an attribute "mode" as in other resources and LWRPs to set the permission explicitly.

Cheers, Chris

support for combined_file to load chain from filesystem

Pound (Reverse proxy and load balancer) requires that you put cert, key and optional intermediate keys into same file.

This is basically possible using the combined_file parameter. However, this requires that I put the intermediate cert into the data bag as well, but I wish to use a file from the filesystem (set up prior using remote_file).

PS: when implementing support, please do not name the controlling attribute based on a vendor name, like nginx_cert was named; there could be other scenarios outside Pound needing such behaviour as well.

from pound manual:

       Cert "certificate file"
              Specify the server certificate. The certificate file is the file containing the certificate, possibly a  cer‐
              tificate chain and the signature for this server. This directive is mandatory for HTTPS listeners.

              Please  note  that  multiple Cert directives are allowed if your OpenSSL version supports SNI. In such cases,
              the first directive is the default certificate, with additional certificates  used  if  the  client  requests
              them.

              The  ordering  of  the directives is important: the first certificate where the CN matches the client request
              will be used, so put your directives in the most-specific-to-least specific order (i.e. wildcard certificates
              after host-specific certificates).

              Cert directives must precede all other SSL-specific directives.

Cannot use action_class methods

👻 Brief Description

action_class methods cannot be invoked

🥞 Cookbook version

2.0.16

πŸ‘©β€πŸ³ Chef-Infra Version

18

🎩 Platform details

CentOS 7
AlmaLinux 8

Steps To Reproduce

consul_certificate = certificate_manage 'consul-server' do
  data_bag 'service-discovery'
  data_bag_secret Chef::Config['encrypted_data_bag_secret']

  create_subfolders false
  cert_path '/etc/consul/ssl'

  action :create
end

print(consul_certificate.key_path)
print(consul_certificate.key) # as documented in the readme section ".certificate, .key, .chain helper method usage"

Fails with:

NoMethodError
-------------
undefined method `key_path' for Custom resource certificate_manage from cookbook certificate

🚓 Expected behavior

The correct path should be printed.

➕ Additional context

The key_path is being used in other resources.
This error occurs when using a kitchen converge.

Use lazy attribute evaluation for the fqdn references

In order to be compatible with cookbooks that set the hostname during a converge like the system cookbook, can we change the references to node['fqdn'] to use lazy attribute evaluation? See this issue for some background info.

I had to use the following as a workaround:

some_cert = certificate_manage "wildcard" do
  cert_file lazy { "#{node['fqdn']}.pem" }
  key_file lazy { "#{node['fqdn']}.key" }
  chain_file lazy { "#{node['fqdn']}-bundle.crt" }
end

Support for chef-vault

We're currently using chef-vault in place of the EncryptedDataBag API in our recipes. I'm considering a pull request for additional support for chef-vault (no changes to the way the cookbook/LWRP currently works).

Just wanted to see if there would be any push back for adding that functionality.

Thanks

Warning + information leakage with recent chef versions

Change: chef/chef@bea8330

throws something like

node * template[/etc/ssl/certs/website.pem] action create[2016-11-04T17:53:12+00:00] WARN: only_if block for template[/etc/ssl/certs/website.pem] returned "-----BEGIN CERTIFICATE-----...\n-----END CERTIFICATE-----\n\n-----BEGIN CERTIFICATE-----\n....\n-----END CERTIFICATE-----", did you mean to run a command? If so use 'only_if "---…n-----END CERTIFICATE-----"' in your code.

with full keys/certs. pretty bad.
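Both the sensitive-mode issue above and this only_if warning come down to the same failure mode: PEM material, private keys included, ending up in chef-client output that is then shipped to a log pipeline. The following is an added example (plain Ruby, not code from the cookbook) of the defensive check a log-shipping stage can run: it finds PEM blocks in captured output, rates a private key higher than a bare certificate, and redacts the block so the surrounding context still reaches the index. The sample log lines are constructed, modelled on the warning quoted in the issue; the truncated key and certificate bodies are placeholders.

```ruby
# Matches a whole PEM block, from BEGIN to the matching END marker. The /m flag
# lets "." span real newlines; the escaped "\n" that String#inspect produces in
# the only_if warning is just ordinary characters, so it is matched as well.
PEM_BLOCK = /-----BEGIN ([A-Z ]+)-----.*?-----END \1-----/m

# Any PEM type naming a private key is secret; everything else (CERTIFICATE,
# CERTIFICATE REQUEST, ...) is public material and only worth an informational hit.
def classify(block_type)
  block_type.include?('PRIVATE KEY') ? :critical : :info
end

# One finding per PEM block found: the 1-based line number, the PEM type and
# how bad the leak is. Returns an empty array for clean output.
def scan_log_for_pem(lines)
  findings = []
  lines.each_with_index do |line, idx|
    line.scan(PEM_BLOCK).flatten.each do |type|
      findings << { line: idx + 1, type: type, severity: classify(type) }
    end
  end
  findings
end

# Replace every PEM block with a marker naming only its type, so the log line
# stays readable without carrying the key or certificate itself.
def redact_pem(text)
  text.gsub(PEM_BLOCK) { "[REDACTED #{Regexp.last_match(1)}]" }
end

# Highest severity in a set of findings (:critical > :info), or nil if clean.
def worst_severity(findings)
  return nil if findings.empty?
  findings.any? { |f| f[:severity] == :critical } ? :critical : :info
end

# Constructed sample output (hypothetical values), modelled on the issue text.
SAMPLE_LOG = [
  '[2016-11-04T17:53:12+00:00] INFO: Processing template[/etc/ssl/certs/website.pem] action create',
  '[2016-11-04T17:53:12+00:00] WARN: only_if block for template[/etc/ssl/certs/website.pem] returned ' \
    '"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----", did you mean to run a command?',
  '[2016-11-04T17:53:13+00:00] INFO: template[/etc/ssl/private/website.key] updated file contents:',
  "-----BEGIN RSA PRIVATE KEY-----\nMIIEow...\n-----END RSA PRIVATE KEY-----",
  '[2016-11-04T17:53:13+00:00] INFO: Chef Run complete in 3.2 seconds'
].freeze

if __FILE__ == $PROGRAM_NAME
  scan_log_for_pem(SAMPLE_LOG).each { |f| puts "line #{f[:line]}: #{f[:type]} (#{f[:severity]})" }
  puts redact_pem(SAMPLE_LOG.join("\n"))
end
```

The scan runs per line, so a block split across several log lines (as a multi-line key in a template diff would be) is caught by running redact_pem over the joined text instead; the constructed sample keeps the key on one line only to keep the findings easy to check.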

"knife data bag show certificates test -Fj" doesn't work

"knife data bag show certificates test -Fj"
The command above doesn't work out for me.
It complains "ERROR: Chef::EncryptedDataBagItem::DecryptionFailure: Error decrypting data bag value: 'bad decrypt'. Most likely the provided key is incorrect"

$ knife --version
Chef: 11.14.0.alpha.1
$ ruby -v
ruby 1.9.3p547 (2014-05-14 revision 45962) [x86_64-linux]
$ cat /etc/*-release
CentOS release 6.5 (Final)
$ uname -a
Linux my.domain.com 2.6.32-431.17.1.el6.x86_64 #1 SMP Wed May 7 23:32:49 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux

No resource or method named `certificate_manage' for `Chef::Recipe "manage_by_attributes"'

Whenever I add certificate::manage_by_attributes into the role's runlist OR add it to the recipe via include_recipe (and adding the certificate to the recipe/metadata.rb), this is the error I get:

Relevant File Content:
----------------------
/home/jtomaszewski/chef-solo/cookbooks-2/certificate/recipes/manage_by_attributes.rb:

 18:  # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 19:  # See the License for the specific language governing permissions and
 20:  # limitations under the License.
 21:
 22:  node['certificate'].values.each do |cert|
 23:    cert.each_pair do |id, opts|
 24:      Chef::Log.debug "Create certs #{id} from attribute"
 25>>     certificate_manage id do
 26:        action :create
 27:        opts.each { |k, v| __send__(k, v) if self.respond_to?(k) } unless opts.nil?
 28:      end
 29:    end
 30:  end
 31:

Running handlers:
[2014-12-04T17:59:36+01:00] ERROR: Running exception handlers
Running handlers complete

[2014-12-04T17:59:36+01:00] ERROR: Exception handlers complete
[2014-12-04T17:59:36+01:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
Chef Client failed. 1 resources updated in 5.210106305 seconds
[2014-12-04T17:59:36+01:00] ERROR: No resource or method named `certificate_manage' for `Chef::Recipe "manage_by_attributes"'

Do you have any idea why it can't find the LWRP resource from the certificate cookbook?

I use about ~30 other cookbooks in my chef repository and they work fine. I have no idea why this one doesn't want to work.
What is interesting: it used to work some time ago (on the same 0.6.3 version). But now it doesn't, eh.

Notifies on every run

Unfortunately the foodcritic warning fixed in v0.4.1 was a false positive. See Foodcritic/foodcritic#171.

The helper methods already set the flag correctly. This change triggers notifications on every run, which was already fixed by #1 and #4.

Support for a single, combined PEM

The PEM format supports having a private key and certificate(s) in the same file. Certain programs that use SSL, like HAProxy >= 1.5, require a PEM file from which to load both a certificate and the associated private key.

I'm happy to implement this if you think it will be valuable, I know I'll use it.
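This request and the earlier combined_file / Pound issue ask for the same thing: one PEM file holding the server certificate, the intermediate chain and the private key, in that order. The monit issue adds the other half of the problem, that such a file must land on disk with tight permissions. The following added example (plain Ruby with the openssl standard library, not the cookbook's own code) assembles the combined file, refuses a key that does not belong to the certificate, and writes it with mode 0600. make_self_signed generates throwaway test material so the example runs offline; the hostnames and file name are constructed.

```ruby
require 'openssl'
require 'tmpdir'

# Throwaway self-signed certificate and key (constructed test material, not a
# real data bag item) so the example can run without any infrastructure.
def make_self_signed(common_name)
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{common_name}")
  cert.issuer = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Re-encode each certificate in a chain string; this also rejects anything
# that is not a parseable certificate instead of copying it through blindly.
def normalise_chain(chain_pem)
  return [] if chain_pem.nil? || chain_pem.strip.empty?
  chain_pem.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
           .map { |c| OpenSSL::X509::Certificate.new(c).to_pem }
end

# Build the single PEM that Pound and HAProxy expect: server certificate first,
# then the intermediates, then the private key. The key is checked against the
# certificate so a mismatched pair is caught before anything touches disk.
def build_combined_pem(cert_pem, key_pem, chain_pem = nil)
  cert = OpenSSL::X509::Certificate.new(cert_pem)
  key = OpenSSL::PKey.read(key_pem)
  raise ArgumentError, 'private key does not match certificate' unless cert.check_private_key(key)
  ([cert.to_pem] + normalise_chain(chain_pem) + [key.to_pem]).join
end

# Write the combined file owner-read/write only. The explicit chmod matters when
# the file already exists, because open() keeps the existing mode in that case.
# Returns the resulting permission bits so callers can verify them.
def write_combined_pem(path, contents)
  File.open(path, File::WRONLY | File::CREAT | File::TRUNC, 0o600) { |f| f.write(contents) }
  File.chmod(0o600, path)
  File.stat(path).mode & 0o777
end

# The PEM block types in a file, in order, e.g. ["CERTIFICATE", "RSA PRIVATE KEY"].
def pem_block_types(pem)
  pem.scan(/-----BEGIN ([A-Z ]+)-----/).flatten
end

if __FILE__ == $PROGRAM_NAME
  cert, key = make_self_signed('pound.example.test')       # hypothetical host
  ca, _ca_key = make_self_signed('Example Intermediate CA') # hypothetical CA
  combined = build_combined_pem(cert, key, ca)
  Dir.mktmpdir do |dir|
    path = File.join(dir, 'pound.pem')
    puts format('wrote %s with mode %o: %s', path, write_combined_pem(path, combined), pem_block_types(combined).inspect)
  end
end
```

In a Chef resource the same ordering and mode would be expressed with a file resource carrying `mode '0600'` and `sensitive true`; the Ruby here is the logic that resource would wrap.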

missing VERSION file in git checkout

Using this cookbook from a git checkout causes knife upload to fail. I think it's bad practice to keep the VERSION file in .gitignore and not version track it at all. (How do I know what version I'm at?)

$ grep -r VERSION .
./.gitignore:27:VERSION
./metadata.rb:7:version IO.read(File.join(File.dirname(__FILE__), 'VERSION')) || '0.0.1'
$ knife cookbook upload certificate
ERROR: Errno::ENOENT: No such file or directory - /home/glen/cookbooks/certificate/VERSION
$ ls -l VERSION
ls: cannot access VERSION: No such file or directory
$

No resource or method named `template' for `Chef::Provider::CertificateManage "none"'

It has been working correctly for months, and now suddenly it stopped. I wasn't even upgrading any chef or recipes anywhere. Now I'm having this bug and cannot set up the certificate using the manage_by_attributes recipe. I tried reinstalling the recipe and chef, but still it isn't working and I can't fix it.

Any ideas where the problem is? I tried debugging the certificate cookbook by editing its source and it really seems like the template method would not be defined here.

My setup:

  • chef 12.4.1
  • certificate cookbook 1.0.0

configuration of the certificate attribute:

    "certificate": [
      {"myapp": {
          "cert_file": "myapp.pem",
          "key_file": "myapp.key",
          "chain_file": "myapp-bundle.pem",
          "nginx_cert": false
      }}
    ],

Keys are stored properly, encrypted, in data bag certificates/myapp.

Log from running sudo chef-client on the node:

(...)
[2015-08-16T22:31:57+02:00] INFO: Processing certificate_manage[myapp] action create (certificate::manage_by_attributes line 25)

================================================================================
Error executing action `create` on resource 'certificate_manage[myapp]'
================================================================================


NoMethodError
-------------
No resource or method named `template' for `Chef::Provider::CertificateManage "none"'


Cookbook Trace:
---------------
/var/chef/cache/cookbooks/certificate/providers/manage.rb:100:in `cert_file_resource'
/var/chef/cache/cookbooks/certificate/providers/manage.rb:82:in `block in class_from_file'


Resource Declaration:
---------------------
# In /var/chef/cache/cookbooks/certificate/recipes/manage_by_attributes.rb

 25:     certificate_manage id do
 26:       action :create
 27:       opts.each { |k, v| __send__(k, v) if self.respond_to?(k) } unless opts.nil?
 28:     end
 29:   end



Compiled Resource:
------------------
# Declared in /var/chef/cache/cookbooks/certificate/recipes/manage_by_attributes.rb:25:in `block (2 levels) in from_file'

certificate_manage("myapp") do
  action [:create]
  retries 0
  retry_delay 2
  sensitive true
  cookbook_name "certificate"
  recipe_name "manage_by_attributes"
  cert_file "myapp.pem"
  key_file "myapp.key"
  chain_file "myapp-bundle.pem"
  cert_path "/etc/ssl"
  create_subfolders true
  owner "root"
  group "root"
  data_bag_type "encrypted"
  data_bag_secret "/etc/chef/encrypted_data_bag_secret"
  data_bag "certificates"
  search_id "myapp"
  cookbook "certificate"
end



[2015-08-16T22:31:58+02:00] INFO: Running queued delayed notifications before re-raising exception
[2015-08-16T22:31:58+02:00] ERROR: Running exception handlers
[2015-08-16T22:31:58+02:00] ERROR: Exception handlers complete
[2015-08-16T22:31:58+02:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2015-08-16T22:31:58+02:00] INFO: Sending resource update report (run-id: 62afbf51-39ba-41d1-a6c1-df2612bc89f1)
[2015-08-16T22:31:59+02:00] ERROR: certificate_manage[myapp] (certificate::manage_by_attributes line 25) had an error: NoMethodError: No resource or method named `template' for `Chef::Provider::CertificateManage "none"'
[2015-08-16T22:31:59+02:00] FATAL: Chef::Exceptions::ChildConvergeError: Chef run process exited unsuccessfully (exit code 1)

Add note to the docs about relying on default resource attributes

If you are setting the hostname as part of your chef converge (such as with the hostname cookbook), the certificate_manage resource does not create the expected filenames.

So if you use this:

certificate_manage "wildcard"

and your node['fqdn'] was updated during your chef run, then you end up with a file like:

/etc/pki/tls/certs/localhost.pem

(substitute localhost for whatever your original hostname was)

Instead, you have to ensure the values from the execution phase are used:

certificate_manage "wildcard" do
    cert_file lazy { "#{node['fqdn']}.pem" }
    key_file lazy { "#{node['fqdn']}.key" }
    chain_file lazy { "#{node['fqdn']}-bundle.crt" }
end

Then you end up with a filename like:

/etc/pki/tls/certs/mynode.mycompany.com.pem

I thought it might be helpful if we add a note to the readme in case anybody else gets hung up on this.

Full repro is available here.
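This issue and the earlier "lazy attribute evaluation" issue describe the same compile-versus-converge trap. The following added example (plain Ruby, not Chef and not the cookbook's code) is a miniature two-phase run: a stand-in for Chef's DelayedEvaluator, a fake resource that accepts either a plain value or a lazy block, and a hostname resource that changes node['fqdn'] during converge, which is what the hostname cookbook does. It shows the eager filename capturing the compile-time hostname while the lazy one resolves to the new name. All names and hostnames are constructed.

```ruby
# Stand-in for Chef's DelayedEvaluator: a block whose value is computed only
# when a resource converges, not when the recipe is compiled.
class Lazy
  def initialize(&block)
    @block = block
  end

  def call
    @block.call
  end
end

def lazy(&block)
  Lazy.new(&block)
end

# Minimal resource: properties are stored as given (a String or a Lazy) at
# compile time and only unwrapped when converge! runs.
class FakeCertificateResource
  attr_reader :name, :resolved

  def initialize(name)
    @name = name
    @props = {}
    @resolved = nil
  end

  def cert_file(value)
    @props[:cert_file] = value
  end

  def converge!
    @resolved = @props.transform_values { |v| v.is_a?(Lazy) ? v.call : v }
  end
end

# Stand-in for the hostname cookbook: rewrites node['fqdn'] at converge time.
class FakeHostnameResource
  attr_reader :name

  def initialize(node, new_fqdn)
    @node = node
    @new_fqdn = new_fqdn
    @name = 'hostname'
  end

  def converge!
    @node['fqdn'] = @new_fqdn
  end
end

# Phase 1 (compile): evaluate the recipe, which builds resources in order.
# Phase 2 (converge): run each resource in that same order.
# Returns the cert_file each certificate resource actually ended up with.
def run_two_phase(node)
  eager = FakeCertificateResource.new('eager')
  eager.cert_file("#{node['fqdn']}.pem")          # string built NOW, at compile
  lazy_res = FakeCertificateResource.new('lazy')
  lazy_res.cert_file(lazy { "#{node['fqdn']}.pem" }) # block evaluated LATER
  resources = [FakeHostnameResource.new(node, 'mynode.mycompany.com'), eager, lazy_res]

  resources.each(&:converge!)
  resources.grep(FakeCertificateResource).to_h { |r| [r.name, r.resolved[:cert_file]] }
end

if __FILE__ == $PROGRAM_NAME
  node = { 'fqdn' => 'localhost' } # hypothetical node whose hostname is not yet set
  run_two_phase(node).each { |name, file| puts "#{name}: #{file}" }
end
```

The eager resource keeps "localhost.pem" even though the node's fqdn changed before it converged, which is exactly the file the issue reports; the lazy block reads the attribute only when its own resource runs, after the hostname resource has updated it.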

please define ['certificate']['cert_path'] in attributes

I am running into "can't convert String into Integer" problem when trying to override from wrapper cookbook

27:  case node['platform_family']
28:  when "rhel"
29:      node.default['certificate']['cert_path'] = "/etc/pki/tls"
30:  else
31>>     node.default['certificate']['cert_path'] = "/etc/ssl"
32:  end

or as I see it's not that trivial and the upper code can't work either. 

Is there a way to access the ['certificate']['cert_path'] attribute from the cookbook (i.e. to use the path / refer to certs in other cookbooks)?

search_id falls back to default even though defined

Hi,

I'm trying to manage my certificates for the monit web interface like this:

certificate_manage "monit" do
  search_id "monit"
  cert_path "/etc/ssl/certs/"
  cert_file "#{node[:monit][:address]}.pem"
  owner "root"
  group "root"
  action :create
end

The search fails with this error message:

FATAL: Net::HTTPServerException: certificate_manage[vagrant-ubuntu-precise-64](certificate::default line 20) had an error: Net::HTTPServerException: 404 "Object Not Found"

certificate_manage("vagrant-ubuntu-precise-64") do
  data_bag_secret "/tmp/encrypted_data_bag_secret"
  retry_delay 2
  data_bag "certificates"
  search_id "vagrant-ubuntu-precise-64"
  retries 0
  action [:create]
  cookbook_name "certificate"
  recipe_name "default"
end

For some reason the search_id attribute falls back to what hostname spits out, which seems to be the default. Can I override it anyway? The documentation says so. Am I doing it wrong?

Cheers, Chris

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

github-actions
.github/workflows/ci.yml
  • sous-chefs/.github 3.0.0
  • actions/checkout v4
  • actionshub/chef-install 2.0.4
  • actionshub/test-kitchen 2.1.0
.github/workflows/stale.yml
  • actions/stale v9

  • Check this box to trigger a request for Renovate to run again on this repository

chef-vault?

Would it be possible (read: are others interested?) in tweaking this to support using chef-vault (https://github.com/Nordstrom/chef-vault) rather than the standard encrypted data bag?

Reasoning: the usual encrypted secret method of data bags requires management of the key, placing it onto the various nodes, etc. Vault solves this seamlessly, using existing node keys (and allowing search-based control of which keys are allowed), and adding in admin access by user, among other improvements. So this would allow a much cleaner setup and rollout.
