kosmos/chef
kosmos/chef
8
3
Fork 0
Code Issues 30 Pull Requests 3 Projects 2 Activity

Move the dirsrv cert generation to a certbot deploy hook

Browse Source
This commit is contained in:
Greg Karékinian 2019-12-05 15:47:10 +01:00
parent 0d192f536f
commit 1240ed9da8
2 changed files with 27 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
site-cookbooks/kosmos-dirsrv/metadata.rb
View File

@ -12,3 +12,4 @@ depends "apt"
depends "ulimit" depends "ulimit"
depends "backup" depends "backup"
depends "kosmos-nginx" depends "kosmos-nginx"
depends "kosmos-base"

40
site-cookbooks/kosmos-dirsrv/resources/instance.rb
View File

@ -80,6 +80,32 @@ action :create do
end end
include_recipe "kosmos-nginx" include_recipe "kosmos-nginx"
include_recipe "kosmos-base::letsencrypt"
dirsrv_hook = <<-EOF
#!/usr/bin/env bash
set -e
# Copy the dirsrv certificate and restart the server if it has been renewed
# This is necessary because dirsrv uses a different format for the certificates
for domain in $RENEWED_DOMAINS; do
case $domain in
#{new_resource.hostname})
openssl pkcs12 -export -in "${RENEWED_LINEAGE}/fullchain.pem" -inkey "${RENEWED_LINEAGE}/privkey.pem" -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:
pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''
systemctl restart #{service_name}
;;
esac
done
EOF
file "/etc/letsencrypt/renewal-hooks/deploy/dirsrrv" do
content dirsrv_hook
mode 0755
owner "root"
group "root"
end
template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do template "#{node['nginx']['dir']}/sites-available/#{new_resource.hostname}" do
source 'nginx_conf_empty.erb' source 'nginx_conf_empty.erb'
@ -88,20 +114,6 @@ action :create do
end end
nginx_certbot_site new_resource.hostname do nginx_certbot_site new_resource.hostname do
notifies :run, "execute[generate p12 cert]", :immediately
end
# Merge the full chain and private key into one cert, to import into the
# dirsrv dir
execute "generate p12 cert" do
command "openssl pkcs12 -export -in /etc/letsencrypt/live/#{new_resource.hostname}/fullchain.pem -inkey /etc/letsencrypt/live/#{new_resource.hostname}/privkey.pem -out #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -name 'Server-Cert' -passout pass:"
action :nothing
notifies :run, "execute[import p12 cert]", :immediately
end
execute "import p12 cert" do
command "pk12util -i #{Chef::Config[:file_cache_path]}/#{new_resource.hostname}.p12 -d #{inst_dir} -W ''"
action :nothing
notifies :run, "execute[add tls config]", :immediately notifies :run, "execute[add tls config]", :immediately
end end