rtkwlf / chef-x509
Chef x509 cookbook
Okay I'm not 100% great with SSL certificates but I'm trying to get the basic workflow described in the README.md to work, so here's what I've done so far.
chef-ssl makeca --dn '/CN=docker' --ca-path .chef/docker --key_length=4096 --days=3650 --digest=SHA256
directory '/etc/pki/docker'
x509_certificate 'docker' do
ca 'docker'
key node['docker_key']
certificate node['docker_cert']
bits 4096
days 365
end
chef-ssl sign --name docker
and shows the following:
Search name: docker
Node Hostname: desktop
Certificate Type: server
Certificate DN: /C=GB/ST=London/L=London/O=Example Ltd/OU=Certificate
Automation/CN=docker/[email protected]
Requested CA: docker
Requested Validity: 365 days
-----BEGIN CERTIFICATE REQUEST-----
MIIE4zCCAssCAQAwgZ0xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEUMBIGA1UECgwLRXhhbXBsZSBMdGQxHzAdBgNVBAsMFkNl
cnRpZmljYXRlIEF1dG9tYXRpb24xDzANBgNVBAMMBmRvY2tlcjEkMCIGCSqGSIb3
...
-----END CERTIFICATE REQUEST-----
Sign this? (yes or no) yes
Paste cert text
Signed: SHA1 Fingerprint=F8:D6:F7:F0:43:52:9F:EC:82:81:45:50:90:6A:33:5D:78:0E:75:B0
Subject: /CN=docker
Issuer: /CN=docker
-----BEGIN CERTIFICATE-----
MIIFWDCCA0CgAwIBAgIBADANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkb2Nr
ZXIwHhcNMTYwNDA4MDYxNzU4WhcNMjYwNDA2MDYxNzU4WjARMQ8wDQYDVQQDDAZk
...
-----END CERTIFICATE-----
WARNING: Issued certificate DN does not match request DN!
Save certificate? (yes or no) yes
Saved OK
* x509_certificate[docker] action create [2016-04-08T07:48:13-07:00] WARN: not installing certificate docker (id d548c5b83fa61d8e3bd86ad42a7ffea9b7c86e3f9d8095c1577d3e1270bb9420), does not match key
I've boiled down the error to the x509_verify_key_cert_match in libraries and it's trying to compare the n value for both keys. I've verified that they are close in size but not the same, and they aren't even a factor of one another usually. So I'd like some help trying to figure out what I'm doing wrong here.
Thanks.
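The two warnings in the report above (a certificate that "does not match key" and an issued DN that differs from the request DN) can both be reproduced and checked with plain Ruby OpenSSL. The example below is added here and is not the cookbook's code; it builds a throwaway CA, issues a certificate from a CSR, and then performs the same kind of check the reporter describes: for an RSA pair, the certificate belongs to the private key only when the modulus n in the certificate's public key is identical to the key's n. All names (make_ca, make_csr, sign_csr, key_cert_match?, dn_match?, demo) are hypothetical, and every key and DN is constructed in the script.

```ruby
require 'openssl'

# Construct a CA key plus a self-signed CA certificate (example-only CA).
def make_ca(cn: 'docker', bits: 2048)
  key  = OpenSSL::PKey::RSA.new(bits)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3650 * 86_400
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension('basicConstraints', 'CA:TRUE', true))
  cert.add_extension(ef.create_extension('keyUsage', 'keyCertSign, cRLSign', true))
  cert.sign(key, OpenSSL::Digest::SHA256.new)
  [key, cert]
end

# Build a CSR for a server key with the requested DN.
def make_csr(key, dn)
  req = OpenSSL::X509::Request.new
  req.version    = 0
  req.subject    = OpenSSL::X509::Name.parse(dn)
  req.public_key = key.public_key
  req.sign(key, OpenSSL::Digest::SHA256.new)
  req
end

# Sign a CSR with the CA. subject_override simulates a CA that ignores the
# requested DN, which is the situation the "Issued certificate DN does not
# match request DN" warning is meant to flag.
def sign_csr(req, ca_key, ca_cert, days: 365, subject_override: nil)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = 2
  cert.subject    = subject_override ? OpenSSL::X509::Name.parse(subject_override) : req.subject
  cert.issuer     = ca_cert.subject
  cert.public_key = req.public_key        # the CSR's public key, never the CA's
  cert.not_before = Time.now
  cert.not_after  = Time.now + days * 86_400
  cert.sign(ca_key, OpenSSL::Digest::SHA256.new)
  cert
end

# Key/cert match for RSA: the moduli must be identical, not merely close in
# size. A certificate issued for a different key pair fails this check.
def key_cert_match?(key, cert)
  key.n == cert.public_key.n
end

# DN check: does the issued certificate carry the DN that was requested?
def dn_match?(req, cert)
  req.subject.to_s == cert.subject.to_s
end

# Run the whole flow and return the outcome of each check.
def demo
  ca_key, ca_cert = make_ca
  server_key = OpenSSL::PKey::RSA.new(2048)   # the key the recipe would install
  other_key  = OpenSSL::PKey::RSA.new(2048)   # an unrelated key, to show the mismatch case
  req        = make_csr(server_key, '/C=GB/O=Example/CN=docker')
  good_cert  = sign_csr(req, ca_key, ca_cert)
  odd_cert   = sign_csr(req, ca_key, ca_cert, subject_override: '/CN=docker')
  {
    server_key_matches: key_cert_match?(server_key, good_cert),
    other_key_matches:  key_cert_match?(other_key, good_cert),
    requested_dn_kept:  dn_match?(req, good_cert),
    overridden_dn_kept: dn_match?(req, odd_cert),
    chain_verifies:     good_cert.verify(ca_cert.public_key)
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

When the cookbook refuses to install a certificate, comparing the moduli this way on the node (the key in node['docker_key'] against the certificate that came back from the signing step) tells you immediately whether the certificate was issued for a different key than the one the resource generated; the "close in size but not the same" observation in the report is exactly what two unrelated 4096-bit moduli look like.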
I have two eassl gem versions on my system, v2 and v3. When x509.rb makes a
require 'eassl'
request, the second version is loaded for some reason.
Atm I'm forcing it to load the third version by using
gem 'eassl3'
require 'eassl'
But probably that's not the best solution.
I currently have a chef 12.4.1 server up and running with a node bootstrapped. I am attempting to run a chef-client with a simple resource to create an SSL certificate but am seeing errors. erchef attempts to search certificates, which doesn't seem to exist, and 404 not found is returned. Any suggestions? Thanks in advance.
from recipe
x509_certificate "www.example.com" do
ca "MyCA"
key "/etc/ssl/www.example.com.key"
certificate "/etc/ssl/www.example.com.cert"
end
from chef-server-ctl tail
==> /var/log/opscode/nginx/access.log <==
10.201.12.4 - - [11/Feb/2016:12:17:43 -0800] "GET /organizations/corg/search/certificates?q=id:80fc0fb9266db7b83f85850fa0e6548b6d70ee68c8b5b412f1deea6ebdef0404&sort=X_CHEF_id_CHEF_X%20asc&start=0 HTTP/1.1" 404 "0.037" 100 "-" "Chef Client/12.6.0 (ruby-2.1.6-p336; ohai-8.8.1; x86_64-linux; +https://chef.io)" "127.0.0.1:8000" "404" "0.036" "12.6.0" "algorithm=sha1;version=1.0;" "cornc-dev1" "2016-02-11T20:17:43Z" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" 1142
==> /var/log/opscode/opscode-erchef/crash.log <==
2016-02-11 12:17:43 =ERROR REPORT====
{<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}
==> /var/log/opscode/opscode-erchef/erchef.log <==
2016-02-11 12:17:43.730 [error] {<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}
==> /var/log/opscode/opscode-erchef/current <==
2016-02-11_20:17:43.75868 [error] {<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}
==> /var/log/opscode/opscode-erchef/requests.log.1 <==
2016-02-11T20:17:43Z [email protected] method=GET; path=/organizations/corg/search/certificates?q=id:80fc0fb9266db7b83f85850fa0e6548b6d70ee68c8b5b412f1deea6ebdef0404&sort=X_CHEF_id_CHEF_X%20asc&start=0; status=404; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAAOlyAAAAAMAAAAA; org_name=corg; msg=[110,111,32,100,97,116,97,32,98,97,103,58,32,<<...>>]; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=31; rdbms_time=1; rdbms_count=3; solr_time=17; solr_count=1; user=cornc-dev1; req_api_version=1;
For some reason I'm getting some problems with the CSR search. In general, Spice.nodes()
at client.rb:66
returns an empty array. I have some feeling that it can be related to the presence of underscores in both csr_outbox
and my CA names.
Also, Spice.nodes("*_ca:#{ca}")
works, while Spice.nodes("*_*_ca:#{ca}")
doesn't. Dunno why.
Running chef-zero v4.5.0