- Description
- Setup - The basics of getting started with tlsinfo
- Usage - Configuration options and additional functionality
- Limitations - OS compatibility, etc.
tlsinfo module rpovide ability to manage x509 certificates and private keys on server node with proper validation checking (over dates, CA issuers, common names etc)
Also there is tlsinfo::tools::cfssl which installs CloudFlare CF SSL toolkits into /usr/local/bin
There are useful defined types provided:
tlsinfo::certpairtlsinfo::certificate
See REFERENCE.md for details
Module provides two custom types:
sslkey { '/etc/pki/tls/private/www.domain.com.key':
ensure => present,
password => 'SecureSecret',
path => '/etc/pki/tls/private/www.domain.com.key',
replace => true,
content => lookup('www_domain_com_private', String, 'first'),
}and
sslcertificate { 'www.domain.com':
ensure => present,
path => '/etc/pki/tls/certs/www.domain.com.pem',
pkey => '/etc/pki/tls/private/www.domain.com.key',
cacert => true,
replace => true,
chain => true,
strict => true,
identity => ['www.domain.com', 'domain.com'],
content => lookup('www_domain_com_certificate', String, 'first'),
}Must be full path to private key because Sslcertificate[pkey] has requirement to be absolute path.
Default value is present
If defined as absent - private key file will be removed by unlink()
Encrypted private key password. Must be a String or nil (undef). Can not be empty string.
Absolute path to Private key file. It is namevar parameter (set to title value if not specified). Required parameter.
Boolean. Default value is true.
If true than content value will replace existing private key file. Otherwise - noop.
String. Required parameter
Must not be empty. Should be valid RSA private key in DER or PEM encoding form. Key size must be greate or equal 2048 bits
SSL certificate provided via content parameter will be checked over pkey private key.
By default it should be full path to certificate file (eg /etc/pki/tls/certs/4f06f81d.pem) but not neccesarry.
Could be any string.
Sslcertificate type applies title pattern to get name variable parameter path. Therefore path if not defined will be set to title value (trimming last hashes /)
Default value is present
If defined as absent - certificate file will be removed by unlink()
Represent certificate subject hash openssl x509 -subject_hash
Represent certificate subject old hash openssl x509 -subject_hash_old
Absolute path to certificate file. It is namevar parameter (set to title value if not specified). Required parameter.
Absolute path to Private key file. Required parameter.
Puppet catalog should consist Sslkey resource with title that match pkey parameter.
Default value: undef
Possible values are:
true(Intermediate CA should be defined in Puppet catalog asSslcertificateresource),false(we don't care about Intermediate CA),- String. Any of certificate path,
Sslcertificateresource title, certificate subject hash (openssl x509 -subject_hash) or old hash (openssl x509 -subject_hash_old). Should be defined in Puppet catalog asSslcertificateresource - Array of strings (list of CA certificates)
Boolean. Default value is true.
If true than content value will replace existing certificate file. Otherwise - noop.
Boolean. Default is true
If true than Intermediate CA certificate will be placed into PEM file.
Boolean. Default is false
If true than content of Root CA will be included into PEM file if CA bundle exists on host
This option is useful for self-signed CA
Boolean. Default is true
If true and cacert specified than cert chain will be checked over root certificate bundle (catalog compilation will fail if CA certificate is not valid)
Certificate identities. Could be String or list of strings
Each identity will be checked over Common Name or Alternative Names (DNS). If any of them missed - resource compilation will fail.
Certificate PEM data. Required parameter. Can not be empty
It should be valid x509 certificate with valid term of validity
It is required to include tlsinfo module into current scope to make parmeters tlsinfo::certbase and tlsinfo::keybase available
include tlsinfoExample:
tlsinfo::certificate { 'LetsEncryptAuthorityX3':
cert => file('profile/certs/LetsEncryptAuthorityX3.crt'),
}
$server_name = 'registry.domain.com'
tlsinfo::certpair { $server_name:
identity => true,
}
# get certificate data from Hiera
$certdata = tlsinfo::lookup($server_name)
$ssl_cert_path = tlsinfo::certpath($certdata)
$ssl_key_path = tlsinfo::keypath($certdata)
class { 'profile::registry::nginx':
server_name => $server_name,
...
...
ssl => true,
ssl_cert => $ssl_cert_path,
ssl_key => $ssl_key_path,
require => Tlsinfo::Certpair[$server_name],
}In this example defined type Tlsinfo::Certificate will create certificate /etc/pki/tls/certs/4f06f81d.pem (4f06f81d is a certificate subject hash).
Tlsinfo::Certpair will look for registry_domain_com_certificate and registry_domain_com_private keys through Hiera (this behavior defined by function tlsinfo::lookup).
It will define certpair Sslcertificate[/etc/pki/tls/certs/registry.domain.com.pem] and Sslkey[/etc/pki/tls/private/registry.domain.com.key].
By default certificate file /etc/pki/tls/certs/registry.domain.com.pem will consists Intermediate CA certificate on the bottom if such Intermediate CA certificate exists in Puppet catalog (defined via Tlsinfo::Certificate)
Path to certificate could be get via function tlsinfo::certpath and path to private key - via tlsinfo::keypath
See REFERENCE.md
Module uses Ruby library 'openssl'
For unknown reasons this library has unpredicted behavior like:
- returns old hash instead of new (for certificate Subject and Issuer fields) therefore both hashes in use for certificates lookup
- returns negative (signed) values for Subject and Issuer hashes (eg
-ece330cinstead off131ccf4)
Therefore it is better to use module functions for default path calculation (tlsinfo::certpath and tlsinfo::keypath)