This repository has been archived by the owner. It is now read-only.

Update to latest master version #1

wants to merge 47 commits into
base: master
47 commits
101d8d1
bump acme-client gem to 2.0.3
rmoriz Aug 2, 2019
96e7c45
Marked fullchain as a deprecated_property_alias so as to not cause br…
Aug 7, 2019
d4d6bc0
Merge pull request #113 from missiondata/deprecate_fullchain
thoutenbos Aug 8, 2019
0ba89d3
Merge pull request #111 from rmoriz/rmoriz/bump-acme-gem
thoutenbos Aug 8, 2019
dc61375
:gear: Ensure apt-transport-https is installed during testing
zakame Aug 8, 2019
b484c00
Use Pebble v1.0.1 for testing
zakame Aug 8, 2019
3846b7b
Merge pull request #114 from zakame/test-fixes
thoutenbos Aug 8, 2019
38e72bc
Accept Chef license in Travis
thoutenbos Aug 8, 2019
7ca8a30
Release version 4.1.0
thoutenbos Aug 8, 2019
0cf98c2
Need lazy evaluation when using attributes in resources
petracvv Sep 16, 2019
069eb7a
Merge pull request #116 from petracvv/lazy
thoutenbos Sep 16, 2019
c0f781d
Release version 4.1.1
thoutenbos Sep 26, 2019
ca82303
Update default.rb
zedtux Mar 6, 2020
f60b76b
Merge pull request #121 from zedtux/patch-1
thoutenbos Mar 6, 2020
d39387e
Release version 4.1.2
thoutenbos Mar 6, 2020
9de022b
Adds a bit more information to authz failure
essjayhch Oct 1, 2020
2174eb5
Merge pull request #124 from essjayhch/increase-logging-for-authz
thoutenbos Oct 1, 2020
53ab05f
Fix 'satus' typo in cert creation ruby_block
kiwidream Dec 15, 2020
5c024cf
Merge pull request #125 from redream/master
thoutenbos Dec 17, 2020
03c2a1a
implement an interface to support DNS challenges
May 28, 2021
f802b0a
Merge pull request #127 from schrd/dns_validation
thoutenbos Jul 8, 2021
e55a238
Test Kitchen fixes
thoutenbos Jul 8, 2021
04d5337
Release version 4.1.3
thoutenbos Jul 8, 2021
29c1c28
Set unified_mode and cookstyle autofixes
detjensrobert Jul 14, 2021
a8946b6
remove deprecated poise dependency from test
detjensrobert Jul 14, 2021
54e2c59
update test to use inspec and latest cookbooks
detjensrobert Jul 15, 2021
9f88c24
add changelog entry
detjensrobert Jul 16, 2021
1dd96ce
Use Ruby 3-compliant version of acme_client
detjensrobert Jul 16, 2021
3139ece
Write account private key to disk for persistence instead of node.normal
detjensrobert Aug 20, 2021
bb17b6c
Merge pull request #128 from detjensrobert/unified_mode
thoutenbos Sep 2, 2021
d755c27
Update testcases
thoutenbos Sep 6, 2021
6e30398
Release version 4.1.4
thoutenbos Sep 6, 2021
81724f0
Make private key file location configurable
twk3 Jan 4, 2022
f65c4ba
Merge pull request #130 from twk3/config-private-key
thoutenbos Jan 5, 2022
5849e21
Upgrade acme-client gem to v2.0.9
thoutenbos Jan 5, 2022
b7879bf
Release version 4.1.5
thoutenbos Jan 5, 2022
2bb486e
Document behavior of private_key_file
stanhu Jan 5, 2022
46a6f02
Merge pull request #131 from stanhu/sh-document-private-key-file
thoutenbos Jan 6, 2022
b77eb40
Allow Integer for owner and group properties
ramereth Feb 2, 2023
47acacf
Merge pull request #132 from ramereth/allow-uid-gid
thoutenbos Feb 13, 2023
94e2d88
add processing as a valid authz status
bugoff Feb 20, 2023
c7b7cd2
Merge pull request #134 from bugoff/bug/133-Also_add_processing_as_an…
thoutenbos Feb 21, 2023
9400a6c
Update Test Kitchen
thoutenbos Mar 1, 2023
95c4574
Upgrade acme-client gem to v2.0.13
thoutenbos Mar 1, 2023
c670bfb
Release version 4.1.6
thoutenbos Mar 1, 2023
04c7c5a
upgrade acme-client gem to 2.0.15
SeanSith Dec 6, 2023
b9a42b4
Merge pull request #140 from SeanSith/upgrade_acme_client_gem
thoutenbos Dec 7, 2023
42 changes: 0 additions & 42 deletions .kitchen.dokken.yml

This file was deleted.

49 changes: 0 additions & 49 deletions .kitchen.yml

This file was deleted.

38 changes: 5 additions & 33 deletions .rubocop.yml
Original file line number Diff line number Diff line change
@@ -1,34 +1,6 @@
AllCops:
Include:
- Berksfile
- '**/Gemfile'
- Rakefile
- Thorfile
- Guardfile
Exclude:
- vendor/**

ClassLength:
Enabled: false
Documentation:
Enabled: false
Encoding:
Enabled: false
HashSyntax:
Enabled: false
LineLength:
Enabled: false
MethodLength:
Enabled: false
SignalException:
Enabled: false
TrailingCommaInArrayLiteral:
Enabled: false
WordArray:
Enabled: false
ClassAndModuleChildren:
Enabled: false
AbcSize:
Enabled: false
SpaceBeforeFirstArg:
Enabled: false
TargetChefVersion: 17.latest
Chef/Modernize/FoodcriticComments:
Enabled: true
Chef/Style/CopyrightCommentFormat:
Enabled: true
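Review bot: dropping the whole `Include`/`Exclude` block relies on cookstyle inheriting RuboCop's defaults, which already exclude `vendor/**/*` and include Berksfile, Rakefile, Thorfile and Guardfile; if that is the intent, say so in a one-line comment, otherwise keep `Exclude: - vendor/**` so a leftover `berks vendor` tree in the checkout is never linted. Removing the un-namespaced legacy cop names (`Documentation`, `LineLength`, `AbcSize` and friends) is good cleanup, since current RuboCop warns on them anyway, and `TargetChefVersion: 17.latest` with the two enabled Chef cops matches the `unified_mode` commit in this PR.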
3 changes: 2 additions & 1 deletion .travis.yml
Original file line number Diff line number Diff line change
Expand Up @@ -14,7 +14,8 @@ cache:

env:
global:
- KITCHEN_LOCAL_YAML=.kitchen.dokken.yml
- KITCHEN_LOCAL_YAML=kitchen.dokken.yml
- CHEF_LICENSE="accept-no-persist"
matrix:
- CMD="chef exec cookstyle --display-cop-names --extra-details"
- CMD="chef exec foodcritic ."
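Review bot: the matrix still runs `chef exec foodcritic .` while this same PR enables `Chef/Modernize/FoodcriticComments` in `.rubocop.yml` and targets Chef 17; foodcritic is deprecated in favour of cookstyle and has been dropped from recent Chef Workstation releases, so that matrix entry will either fail or lint nothing. Suggest removing it and keeping only the cookstyle job. The `KITCHEN_LOCAL_YAML=kitchen.dokken.yml` change is consistent with the `.kitchen.dokken.yml` deletion and the "File renamed without changes" entry at the end of this diff, and `CHEF_LICENSE="accept-no-persist"` is the right form for CI.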
53 changes: 53 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -3,6 +3,59 @@ ACME Cookbook Changelog

This file is used to list changes made in each version of the acme cookbook.

Unreleased
----------
- seansith - Upgrade acme-client gem to v2.0.15

4.1.6
----------
- ramereth - Allow `Integer` for `owner` and `group` properties
- bugoff - Add processing as a valid authz status
- thoutenbos - Update Test Kitchen
- thoutenbos - Upgrade acme-client gem to v2.0.13

4.1.5
----------
- twk3 - make private key file location configurable
- thoutenbos - Upgrade acme-client gem to v2.0.9

4.1.4
----------
- detjensrobert - Chef 17 Compatibility
- Enable `unified_mode` for all resources
- Cookstyle fixes
- Update test infra to use InSpec instead of legacy ServerSpec
- Update test cookbook to use latest cookbooks / resources
- Use standard location for Kitchen files according to [upstream](https://kitchen.ci/docs/getting-started/kitchen-yml/)
- Update `acme_client` gem to Ruby 3-compliant version

4.1.3
-----
- essjayhch - Improve authz failure logging
- redream - Typo fix
- schrd - Add DNS validation support

4.1.2
-----
- zedtux - upgrade acme-client version to 2.0.6

4.1.1
-----
- petracvv - lazy evaluation in resource attributes

4.1.0
-----
- hrak - Ease version constraints on supported platforms
- zakame - Rename `endpoint` attribute to `dir`
- zakame - Remove `chain` and `fullchain` properties
- zakame - Switch to `pebble` for integration testing
- zakame - Implement ACME v2 support
- Dawnflash - Clean up token files after use
- bby-bishopclark - Various trivial English fixes in README
- rmoriz - bump acme-client gem to 2.0.3
- SeanSith - Marked fullchain as a deprecated_property_alias
- zakame - Fixes for the Travis and kitchen tests

4.0.0
-----
The TLS-SNI-01 validation method has been removed as it is no longer supported by Let's Encrypt.
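Review bot: the 4.1.4 section omits the change that moves the ACME account private key out of `node.normal` and onto disk (commit 3139ece in this PR, default path `/etc/acme/account_private_key.pem` per the README and attributes hunks); that is a behaviour change operators should see in the changelog, because key material now persists on the node's filesystem and, once the file exists, it takes precedence over the `private_key` attribute. Suggest a line under 4.1.4 such as `- Persist the account private key to disk instead of node.normal`. Minor style: the heading underlines mix `----------` and `-----`, and the contributor is written `seansith` under Unreleased but `SeanSith` under 4.1.0.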
118 changes: 86 additions & 32 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -14,14 +14,15 @@ Starting with v4.0.0 of the acme cookbook the acme_ssl_certificate provider has
Attributes
----------

| Attribute | Description | Default |
| -------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------: |
| contact | Contact information, default empty. Set to `mailto:[email protected]` | [] |
| dir | ACME server endpoint, Set to `https://acme-staging-v02.api.letsencrypt.org/directory` if you want to use the Let's Encrypt staging environment and corresponding certificates. | `https://acme-v02.api.letsencrypt.org/directory` |
| renew | Days before the certificate expires at which the certificate will be renewed | 30 |
| source_ips | IP addresses used by Let's Encrypt to verify the TLS certificates, it will change over time. This attribute is for firewall purposes. Allow these IPs for HTTP (tcp/80). | ['66.133.109.36'] |
| private_key | Private key content of registered account. Private keys identify the ACME client with the endpoint and are not transferable between staging and production endpoints. | nil |
| key_size | Default private key size used when resource property is not. Must be one out of: 2048, 3072, 4096. | 2048 |
| Attribute | Description | Default |
| ---------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | --------------------------------------: |
| contact | Contact information, default empty. Set to `mailto:[email protected]` | [] |
| dir | ACME server endpoint, Set to `https://acme-staging-v02.api.letsencrypt.org/directory` if you want to use the Let's Encrypt staging environment and corresponding certificates. | `https://acme-v02.api.letsencrypt.org/directory` |
| renew | Days before the certificate expires at which the certificate will be renewed | 30 |
| source_ips | IP addresses used by Let's Encrypt to verify the TLS certificates, it will change over time. This attribute is for firewall purposes. Allow these IPs for HTTP (tcp/80). | ['66.133.109.36'] |
| private_key | Private key content of registered account. Private keys identify the ACME client with the endpoint and are not transferable between staging and production endpoints. | nil |
| private_key_file | Filename where private key will be saved. If this file exists, the contents take precedence over the value set in `private_key`. | `/etc/acme/account_private_key.pem` |
| key_size | Default private key size used when resource property is not. Must be one out of: 2048, 3072, 4096. | 2048 |


Recipes
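Review bot: the `source_ips` default shown here (`['66.133.109.36']`) disagrees with `attributes/default.rb` in this same diff, which sets `%w(66.133.109.36 64.78.149.164)`; since the row tells readers to use the value for firewall rules, the README should list both addresses or refer to the attributes file instead of carrying a stale copy. The new `private_key_file` row should also state the owner and mode the cookbook creates the file with: this is the ACME account key, which authorizes issuance for the account, and a reader cannot tell from the row whether it is written 0600 and root-owned.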
Expand Down Expand Up @@ -57,32 +58,32 @@ A working example can be found in the included `acme_client` test cookbook.
Providers
---------
### certificate
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| `cn` | string | _name_ | The common name for the certificate |
| `alt_names` | array | [] | The common name for the certificate |
| `crt` | string | nil | File path to place the certificate |
| `key` | string | nil | File path to place the private key |
| `key_size` | integer | 2048 | Private key size. Must be one out of: 2048, 3072, 4096 |
| `owner` | string | root | Owner of the created files |
| `group` | string | root | Group of the created files |
| `wwwroot` | string | /var/www | Path to the wwwroot of the domain |
| `ignore_failure` | boolean | false | Whether to continue chef run if issuance fails |
| `retries` | integer | 0 | Number of times to catch exceptions and retry |
| `retry_delay` | integer | 2 | Number of seconds to wait between retries |
| `endpoint` | string | nil | The Let's Encrypt endpoint to use |
| `contact` | array | [] | The contact to use |
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| `cn` | string | _name_ | The common name for the certificate |
| `alt_names` | array | [] | The common name for the certificate |
| `crt` | string | nil | File path to place the certificate |
| `key` | string | nil | File path to place the private key |
| `key_size` | integer | 2048 | Private key size. Must be one out of: 2048, 3072, 4096 |
| `owner` | string,integer | root | Owner of the created files |
| `group` | string,integer | root | Group of the created files |
| `wwwroot` | string | /var/www | Path to the wwwroot of the domain |
| `ignore_failure` | boolean | false | Whether to continue chef run if issuance fails |
| `retries` | integer | 0 | Number of times to catch exceptions and retry |
| `retry_delay` | integer | 2 | Number of seconds to wait between retries |
| `endpoint` | string | nil | The Let's Encrypt endpoint to use |
| `contact` | array | [] | The contact to use |

### selfsigned
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| `cn` | string | _name_ | The common name for the certificate |
| `crt` | string | nil | File path to place the certificate |
| `key` | string | nil | File path to place the private key |
| `key_size` | integer | 2048 | Private key size. Must be one out of: 2048, 3072, 4096 |
| `chain` | string | nil | File path to place the certificate chain |
| `owner` | string | root | Owner of the created files |
| `group` | string | root | Group of the created files |
| Property | Type | Default | Description |
| --- | --- | --- | --- |
| `cn` | string | _name_ | The common name for the certificate |
| `crt` | string | nil | File path to place the certificate |
| `key` | string | nil | File path to place the private key |
| `key_size` | integer | 2048 | Private key size. Must be one out of: 2048, 3072, 4096 |
| `chain` | string | nil | File path to place the certificate chain |
| `owner` | string,integer | root | Owner of the created files |
| `group` | string,integer | root | Group of the created files |

Example
-------
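Review bot: the `alt_names` row describes the property as "The common name for the certificate", copied from the `cn` row; it should read along the lines of "Subject alternative names to include in the certificate". This was wrong in the old table as well, so the `string,integer` widening of `owner` and `group` is a good moment to fix it. The `endpoint` property is also still documented although the 4.1.0 changelog entry in this PR renames the `endpoint` attribute to `dir`; confirm which name the resource accepts and mark the other as deprecated if both still work.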
Expand Down Expand Up @@ -122,6 +123,59 @@ acme_certificate "#{site}" do
end
```

DNS verification
----------------

Letsencrypt supports DNS validation. Depending on the setup there may be different ways to deploy an acme challenge to your infrastructure. If you want to use DSN validation, you have to provide two block arguments to the `acme_certificate` resource.

Implement 2 methods in a library in your cookbook, each returning a `Proc` object. The following example uses a HTTP API to provide challenges to the DNS infrastructure.

```ruby
# my_cookbook/libraries/acme_dns.rb

class Chef
class Recipe
def install_dns_challenge(apitoken)
Proc.new do |authorization, new_resource|
# use DNS authorization
authz = authorization.dns
fqdn = authorization.identifier['value']
r = Net::HTTP.post(URI("https://my_awesome_dns_api/#{fqdn}"), authz.record_content, {'Authorization' => "Token #{apitoken}"})
if r.code != '200'
fail "DNS API does not want to install Challenge for #{fqdn}"
else
# do some validation that the challenge has propagated to the infrastructure
end
# it is important that the authz and fqdn is passed back, so it can be passed to the remove_dns_challenge method
[authz, fqdn]
end
end
def remove_dns_challenge(apitoken)
Proc.new do |authz, fqdn|
uri = URI("https://my_awesome_dns_api/#{fqdn}")
Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme=='https') do |http|
http.delete(uri, {'Authorization' => "Token #{apitoken}"})
end
end
end
end
end
```

Use it in your recipe the following way:

```ruby
apitoken = chef_vault_item(vault, item)['dns_api_token']
acme_certificate node['fqdn'] do
key '/path/to/key'
crt '/path/to/crt'
install_authz_block install_dns_challenge(apitoken)
remove_authz_block remove_dns_challenge(apitoken)
end
```



Testing
-------
The kitchen includes a `pebble` server to run the integration tests with, so testing can run locally without interaction with the online APIs.
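Review bot: the library example lacks `require 'net/http'` (and `require 'uri'`), so the Proc raises `NameError` on the first invocation on a node where nothing else has loaded them; add the requires at the top of `libraries/acme_dns.rb`. The `install_dns_challenge` Proc returns straight after the POST with propagation left as a comment, so the cookbook will ask the CA to validate before the TXT record is resolvable; the example should poll the authoritative nameservers (for instance with `Resolv::DNS`) for `authz.record_content` before returning `[authz, fqdn]`, and should treat any non-2xx as failure rather than only `r.code != '200'`. Two prose typos: "DSN validation" and "Letsencrypt", plus three blank lines before "Testing".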
5 changes: 3 additions & 2 deletions attributes/default.rb
Original file line number Diff line number Diff line change
Expand Up @@ -3,7 +3,7 @@
# Cookbook:: acme
# Attribute:: default
#
# Copyright 2015-2018 Schuberg Philis
# Copyright:: 2015-2021, Schuberg Philis
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
Expand All @@ -24,5 +24,6 @@
default['acme']['source_ips'] = %w(66.133.109.36 64.78.149.164)

default['acme']['private_key'] = nil
default['acme']['gem_version'] = '2.0.1'
default['acme']['private_key_file'] = '/etc/acme/account_private_key.pem'
default['acme']['gem_version'] = '2.0.15'
default['acme']['key_size'] = 2048
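Review bot: the new `private_key_file` default lives under `/etc/acme/`, but nothing in this hunk shows who creates that directory or with what permissions; the resource that writes the account key should create it root-owned with mode 0600 (directory 0700), because this key authorizes certificate issuance and revocation for the account and, per the README change in this PR, overrides `private_key` once present. The jump from `'2.0.1'` straight to `'2.0.15'` is also large; a short comment noting the minimum Ruby-3-compliant release (see commit 1dd96ce) would help anyone who pins an older gem version.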
File renamed without changes.