Chaining SSL certificates at deployment time


#1

Since nginx requires that intermediate chaining certificates be concatenated in the same .crt file as the SSL cert for the website, I've been trying to write my recipe to install the SSL cert and chaining cert files separately and then dynamically concatenate them into a new composite cert. For example, I have my actual certs cert1.crt and cert2.crt; this would produce composite-cert1.crt and composite-cert2.crt. However, the recipe code (https://gist.github.com/1070755) only triggers the chaining for cert1:

cookbook_file[/etc/nginx/ssl/cert1.crt] sending run action to execute[add chain certificate cert1.crt]

cookbook_file[/etc/nginx/ssl/cert2.crt] not queuing delayed action run on execute[add chain certificate cert2.crt] (delayed), as it's already been queued

Any pointers would be greatly appreciated.

-J


#2

Yes, unless I'm missing something, each uniquely named execute resource should have its own notifies queue, so your code should work. For now you might want to try:

notifies :run, "execute[add chain certificate #{cert}]", :immediate

This will cause those actions to happen immediately after each cookbook_file resource rather than at the end with the rest of the delayed actions, like nginx's service restart, which you do only want one of.

On Thu, Jul 7, 2011 at 16:09, Jason J. W. Williams jasonjwwilliams@gmail.com wrote:



Aaron Peterson aaron@opscode.com
Opscode Technical Evangelist


#3

Hi Aaron,

Thank you very much. The :immediate flag seems to get rid of the issue. It was driving me batty trying to fix the bug.

-J

On Thu, Jul 7, 2011 at 6:26 PM, Aaron Peterson aaron@opscode.com wrote:

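As an added, stand-alone Ruby example (not the recipe from the gist nor Opscode's code), this is the kind of check the "add chain certificate" execute step could run instead of a bare cat: it concatenates the leaf cert and the chain file in the order nginx expects (leaf first, then each issuing intermediate) and refuses to write a bundle whose blocks are not in issuing order, since nginx will serve a mis-ordered bundle and clients then fail the handshake. The make_cert helper and the certificate names are constructed test material, not real certs.

```ruby
require 'openssl'

# Match each PEM CERTIFICATE block textually, without parsing it yet.
PEM_BLOCK = /-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m

def pem_blocks(pem_text)
  pem_text.scan(PEM_BLOCK)
end

# Build the nginx-style composite: leaf cert followed by the chain.
# Every certificate must be signed by the one that follows it; otherwise the
# bundle is rejected rather than silently written to /etc/nginx/ssl.
def build_composite(leaf_pem, chain_pem)
  leaf  = pem_blocks(leaf_pem)
  chain = pem_blocks(chain_pem)
  raise ArgumentError, 'leaf file must hold exactly one certificate' unless leaf.size == 1
  raise ArgumentError, 'chain file holds no certificate' if chain.empty?
  parsed = (leaf + chain).map { |c| OpenSSL::X509::Certificate.new(c) }
  parsed.each_cons(2).with_index do |(child, issuer), i|
    unless child.issuer == issuer.subject && child.verify(issuer.public_key)
      raise ArgumentError, "certificate #{i} is not issued by certificate #{i + 1}"
    end
  end
  (leaf + chain).map { |c| c.strip + "\n" }.join
end

# Constructed test material only: a self-signed CA when issuer_cert is nil,
# otherwise a certificate signed by issuer_key. Not for production use.
def make_cert(subject, issuer_cert = nil, issuer_key = nil)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2
  cert.serial     = rand(1 << 62)
  cert.subject    = OpenSSL::X509::Name.parse(subject)
  cert.issuer     = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
  [cert, key]
end

if __FILE__ == $0
  ca, ca_key = make_cert('/CN=Constructed Intermediate CA')
  leaf, _    = make_cert('/CN=www.example.test', ca, ca_key)
  puts build_composite(leaf.to_pem, ca.to_pem)
end
```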