This cookbook provides LWRP to install certificate authorities and set the needed hash-symlinks.
You can specify the default path were the ssl certificates and symlinks are stored using an attribute
node['cacert']['cert_dir'] # defaults to '/etc/ssl/certs'
The default recipe will install CA certificates defined in the certs
attributes of the node.
Eg.
{
"cacert": {
"certs": {
"my.ca.cert.org": {
"source": "https://my.ca.cert.org/certs/root.crt",
"cert_dir": "/etc/ssl/certs",
"cert_hash": "492ffc07"
}
}
}
}
This recipe installs the cacert.org root certificate
It automatically sets the correct symlinks on broken systems (like Debian Squeeze), see this gist: https://gist.github.com/chr4/5805334
To use the providers, add the following to your metadata.rb
depends 'cacert'
Installs a certificate from a given URL, and calls cacert_hash to create the necessary symlinks. The following example installs the cacert.org root certificate to /etc/ssl/certs/cacert.org.pem
NOTE On Debian Squeeze (and potentially on other systems), openssl generates the wrong hash. As a workaround, you can specify the hash manually, see the "hash" attribute below.
cacert 'cacert.org.pem' do
cert 'cacert.org.pem' # name attribute
source 'https://www.cacert.org/certs/root.crt' # required
cert_dir '/etc/ssl/certs' # defaults to node['cacert']['cert_dir']
action :create # default :create
# You can specify the hash for the symlink manually.
# Ff not given, this will be generated using openssl x509 -hash
cert_hash '99d0fa06' # correct hash for cacerts root certificate
# Also, a sha256 checksum is supported.
# If the checksum doesn't match, the certificate won't be installed.
checksum 'c0e0773a79dceb622ef6410577c19c1e177fb2eb9c623a49340de3c9f1de2560'
end
You can use the cacert_hash provider by its own, too
cacert_hash 'cacert.org.pem' do
cert 'cacert.org.pem' # name attribute
cert_dir '/etc/ssl/certs' # defaults to node['cacert']['cert_dir']
# You can specify the hash for the symlink manually.
# Ff not given, this will be generated using openssl x509 -hash
cert_hash '99d0fa06' # correct hash for cacerts root certificate
end
e.g.
- Fork the repository on Github
- Create a named feature branch (like
add_component_x
) - Write you change
- Write tests for your change (if applicable)
- Run the tests, ensuring they all pass
- Submit a Pull Request using Github
Author: Chris Aumann [email protected] Contributors: François Lamboley [email protected]
License: GPLv3