Private key stored in node attributes #15
Comments
|
There is actually two different private keys. The one in the node attributes is used to authenticate the client to the Boulder API and to sign the API requests. It's saved to be persistent once generated. The private key for the certificate is a different key, and is saved in the |
|
Ah, got it. Thanks for the explanation. Would you be interested in a PR to optionally save that key on the filesystem as well? Would that make sense as something controlled by an attribute? |
|
Sounds like a nice option... |
|
Saving this to filesystem would help me too, happy to look at a PR. It looks most logical to trigger this within the Alternatively, I could look at refactoring the key creation out of the acme_client - possibly it could be defined as a resource in its own right in the default recipe? |
|
Using the Then it would become something like:
Does that sound sensible? |
|
What about backing up certs/keys to s3? It would be really cool if I could destroy a webserver and rebuild it and the ssl keys would be gathered from s3... |
|
Another method would be to save the API key to an encrypted data bag. You could keep it there, and that would provide a small amount of protection. This would cause a specific round-trip to the chef server to retrieve it on each run, however. There's also chef-vault as well. |
|
Not sure what the upside of this would be since you can automatically regenerate the ssl keys anyways. |
|
Should be fixed once #63 is in |
|
Great, thanks very much |
Does the private key need to persist on the node attributes, since it can be read from disk? It would be nice to be able to remove it.
(btw -- thanks for all of your great work on this)
The text was updated successfully, but these errors were encountered: