vendatech / chef-cookbook-ssl Goto Github PK

View Code? Open in Web Editor NEW

30.0 30.0 17.0 112 KB

Deploy a Chef-managed Certificate Authority

Ruby 100.00%

chef-cookbook-ssl's People

Contributors

Stargazers

Watchers

Forkers

thedeeno meineerde-cookbooks zts mancdaz rtkmhart shblt kampfschlaefer dougbarth alexdavis-bf-chef aerianstudios wojnosystems nmcspadden rofe-mk thoutenbos rtkwgray flaviod mbattini

chef-cookbook-ssl's Issues

Maintaining this cookbook

Seems like this cookbook is no longer being maintained. I use it extensively and am willing to take over ownership.

If @chrisa isn't able to transfer it, I will fork it and start from there.

Resource fails when there is no data bag "certificates"

Upon my very first test I encountered this: The resource fails when there is no "certificates" data bag to search.

Would be nice to either not fail or extend the docs accordingly.

chef-ssl-client 1.1.0 incompatible with berkshelf 3.x

chef-ssl-client 1.1.0 depends on faraday 0.8.9. Berkshelf 3.x depends on faraday 0.9.x:

$ bundle
Bundler could not find compatible versions for gem "faraday":
 In Gemfile:
   berkshelf (>= 3.0.0) ruby depends on
     faraday (~> 0.9.0) ruby

   chef-ssl-client (>= 0) ruby depends on
     spice (= 1.0.4) ruby depends on
       faraday (0.8.9)

chef-ssl client - specify custom knife.rb

Hi,
It would be great if we could specify a custom knife.rb config file (as knife does with -c options), so we can use different chef-servers
Thanks in advance

First Converge: Net::HTTPServerException 404 "Object Not Found"

I'm attempting to set up a new node with x509. I'm getting a very ambiguous error when I run chef-client on the bootstrapped node.

What appears to be happening is that on line 30 of providers/certificate.rb:

  # Try to find this certificate in the data bag.
  certbag = search(:certificates, "id:#{cert_id}").first
  if certbag
    # Data bag item found - the CSR was processed, and can be removed
    # from the outbox
    if node.attribute?('csr_outbox')
      if node.set['csr_outbox'].delete(new_resource.name)
        new_resource.updated_by_last_action(true)
      end
    end
  else
    certbag ||= {}
  end

You're doing a search for the certificate. The Chef API returns a 404 exception if it's not found, but you're not capturing the 404 error. Is this correct?

Is this fix as simple as catching an exception?

"Input stream exhausted" error on autosign command

I was getting this error when running autosign:

$ chef-ssl autosign --ca-path ~/tmp/mysubca --ca-name="Chef Test CA" --trace

Sign this? (yes or no)
/Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:793:in get_line': The input stream is exhausted. (EOFError) from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:818:inget_response'
from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:248:in ask' from /Library/Ruby/Gems/1.8/gems/highline-1.6.15/lib/highline.rb:347:inchoose'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:235
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:55:in ca_search' from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:ineach'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:53:in ca_search' from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:ineach'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/client.rb:52:in ca_search' from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.4/lib/chef-ssl/command.rb:225 from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:incall'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in call' from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:inrun'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:in run_active_command' from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:inrun!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:in `run!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
from /usr/bin/chef-ssl:23

I worked around this by adding this line to client-gem/lib/chef-ssl/command.rb:234

HighLine.track_eof = false

I suspect it's my Mac, lots of articles about this error on mac. My specific environment:
OSX 10.8.2
ruby -v: ruby 1.8.7 (2012-02-08 patchlevel 358) [universal-darwin12.0]
highline: 1.6.15

Not looking for a fix, just putting it here in case anyone else runs into it.

mike

Revoking certs and publishing CRL's

I need to be able to properly revoke certificates (instead of simply deleting them) and publish CRL's in the near future. Has anyone done this already with chef-ssl? If not I may have a go at implementing it.

mike

chef-ssl autosign's search finds requests from the wrong CAs

Using a command like:

chef-ssl autosign --help --ca-path ./myCA --ca-name myCA

will find requests for more than just "myCA". If you're using multiple CAs, it's then very easy to sign requests with the wrong CA.

chef-ssl issue fails on adhoc 'issue' command.

I created a CA with the command:

chef-ssl makeca --dn '/CN=MyTestCa' --ca-path ~/tmp/mytestca

and then tried to issue an adhoc certificate:

chef-ssl issue --ca-path=$HOME/tmp/awntestca --dn=/CN=foo --type=server --trace

Enter CA passphrase:
/System/Library/Frameworks/Ruby.framework/Versions/1.8/usr/lib/ruby/1.8/erb.rb:719:in initialize': can't convert nil into String (TypeError) from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:ineach'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in initialize' from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:innew'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:22:in ssl' from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_name.rb:34:inname'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:21:in ssl' from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/signing_request.rb:39:inmethod_missing'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:23:in ssl' from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate.rb:56:insign'
from /Library/Ruby/Gems/1.8/gems/eassl2-2.0.0/lib/eassl/certificate_authority.rb:42:in create_certificate' from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/client/signing_authority.rb:22:insign'
from /Library/Ruby/Gems/1.8/gems/chef-ssl-client-1.0.3/lib/chef-ssl/command.rb:56
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:in call' from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:180:incall'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/command.rb:155:in run' from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:402:inrun_active_command'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/runner.rb:78:in run!' from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/delegates.rb:7:inrun!'
from /Library/Ruby/Gems/1.8/gems/commander-4.1.3/lib/commander/import.rb:10
from /usr/bin/chef-ssl:23

I've tried various incantations and all fail on the same line. My ruby is weak but best I can tell it's failing to set 'type' in lib/chef-ssl/client/request.rb in the 'create()' method.

cheers
mike