ssl certificates #404

Closed
jameseck opened this issue Aug 15, 2014 · 4 comments · Fixed by #623
Comments

@jameseck

Hi,

This is most likely user error rather than a bug, but I'm hoping someone can answer this either way.

I'm trying to configure a puppet master in nginx and I'm having trouble working out exactly how to describe the config I want. The issue I have is with SSL certificates.
The manifest below results in the nginx config looking for certs in /etc/nginx rather than the two explicit files I have provided in ssl_cert and ssl_key params for the vhost.

nginx::resource::vhost { 'unicorn_puppetmaster':
  ensure               => present,
  server_name          => ['puppet'],
  listen_port          => 8140,
  ssl                  => true,
  ssl_cert             => "/var/lib/puppet/ssl/certs/${::fqdn}.pem",
  ssl_key              => "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
  ssl_port             => 8140,
  ssl_ciphers          => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS',
  vhost_cfg_append     => {
    'ssl_crl'                 => '/var/lib/puppet/ssl/ca/ca_crl.pem',
    'ssl_client_certificate'  => '/var/lib/puppet/ssl/certs/ca.pem',
    'ssl_verify_client'       => 'optional',
    'ssl_verify_depth'        => 1,
  },
  www_root             => '/etc/puppet/rack/public',
  use_default_location => false,
  access_log           => '/var/log/nginx/puppetmaster_access.log',
  error_log            => '/var/log/nginx/puppetmaster_error.log',
  proxy_set_header     => [
    'Host $host',
    # nginx variable, not a literal: '&remote_addr' (a typo in the original
    # manifest) would be sent upstream as the fixed string "&remote_addr".
    'X-Real-IP $remote_addr',
    'X-Forwarded-For $proxy_add_x_forwarded_for',
    'X-Client-Verify $ssl_client_verify',
    'X-Client-DN $ssl_client_s_dn',
    'X-SSL-Issuer $ssl_client_i_dn',
  ],
  proxy_read_timeout   => '120',
}
nginx::resource::location { '/':
  ensure         => present,
  location       => '/',
  vhost          => 'unicorn_puppetmaster',
  proxy          => 'http://unicorn_puppetmaster',
  ssl            => true,
  ssl_only       => true,
}
nginx::resource::upstream { 'unicorn_puppetmaster':
  upstream_fail_timeout => '0',
  members               => [ 'unix:/var/run/puppet/unicorn_puppetmaster.sock' ],
}

This manifest yields the following nginx config file:

server {
  listen       *:8140 ssl;

  server_name  puppet;

  ssl on;

  # Not the files given in ssl_cert / ssl_key: the module writes its own
  # copies under /etc/nginx and points nginx at those.
  ssl_certificate           /etc/nginx/unicorn_puppetmaster.crt;
  ssl_certificate_key       /etc/nginx/unicorn_puppetmaster.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  # Not set in the manifest above, so this comes from the module's defaults.
  ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
  ssl_prefer_server_ciphers on;
    index  index.html index.htm index.php;

  access_log            /var/log/nginx/puppetmaster_access.log;
  error_log             /var/log/nginx/puppetmaster_error.log;


  root /etc/puppet/rack/public;
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP $remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Client-Verify $ssl_client_verify;
  proxy_set_header        X-Client-DN $ssl_client_s_dn;
  proxy_set_header        X-SSL-Issuer $ssl_client_i_dn;
  location / {

    proxy_pass          http://unicorn_puppetmaster;
    proxy_read_timeout  90;
    proxy_connect_timeout  90;
    proxy_redirect  off;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_verify_client optional;
  ssl_verify_depth 1;
}

Can anyone please explain what I need to do to get the right ssl files referenced in the nginx vhost config?

Thanks

J

@3flex (Contributor) commented Aug 15, 2014

Hi @jameseck,

The way the module works right now is that the file is sourced from what you provide in ssl_cert and ssl_key and copied to the /etc/nginx folder. So in your case the two files /var/lib/puppet/ssl/certs/${::fqdn}.pem and /var/lib/puppet/ssl/private_keys/${::fqdn}.pem are being copied to /etc/nginx/unicorn_puppetmaster.crt and /etc/nginx/unicorn_puppetmaster.key respectively.

The relevant code is at https://github.com/jfryman/puppet-nginx/blob/master/manifests/resource/vhost.pp#L595-L609.

I don't personally like this arrangement much but it's been that way since 0.0.2 so any PR to fix it would have to have backwards compatibility & deprecation notices if we move away from the copying of the certificates.
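Because the module copies the files rather than referencing them, the puppet master's private key now lives in two places, and the /etc/nginx copy is the one nginx actually loads. The check below is an added example, not code from the puppet-nginx module or from anyone in this thread. It confirms that each /etc/nginx copy is byte-identical to its source, that the copied key is not group- or world-readable, and, when openssl is installed, that the certificate and key nginx will load are a matching pair. The /etc/nginx/<vhost>.crt and .key naming comes from the comment above; the function names and the use of `hostname -f` for `${::fqdn}` are my assumptions.

```shell
#!/bin/sh
# Added example: sanity-check the certificate/key files that puppet-nginx
# copied into /etc/nginx against the puppet master's own SSL directory.

# Return 0 if SRC and DST exist and have identical contents.
check_copy_matches() {
    src="$1"; dst="$2"
    if [ ! -f "$src" ] || [ ! -f "$dst" ]; then
        echo "missing: $src or $dst" >&2
        return 1
    fi
    if cmp -s "$src" "$dst"; then
        return 0
    fi
    echo "content differs: $dst is a stale or wrong copy of $src" >&2
    return 1
}

# Return 0 if FILE has no group/other permission bits (e.g. mode 0600 or 0400).
# Reads the ls(1) permission string, which has the same layout on GNU and BSD.
check_key_private() {
    f="$1"
    if [ ! -f "$f" ]; then
        echo "missing: $f" >&2
        return 1
    fi
    bits=$(ls -ld "$f" | cut -c5-10)
    if [ "$bits" = "------" ]; then
        return 0
    fi
    echo "key $f is readable by group/other ($(ls -ld "$f" | cut -c1-10))" >&2
    return 1
}

# Return 0 if the public key in CERT equals the one derived from KEY.
# Skipped (returns 0 with a warning) when openssl is not installed.
check_pair_matches() {
    cert="$1"; key="$2"
    if ! command -v openssl >/dev/null 2>&1; then
        echo "openssl not found; skipping certificate/key pair check" >&2
        return 0
    fi
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
        return 0
    fi
    echo "certificate $cert does not match key $key" >&2
    return 1
}

# Run every check for one vhost. Arguments: vhost name, source cert, source key.
check_vhost_ssl() {
    name="$1"; src_cert="$2"; src_key="$3"
    dst_cert="/etc/nginx/$name.crt"   # naming used by the module's copy
    dst_key="/etc/nginx/$name.key"
    rc=0
    check_copy_matches "$src_cert" "$dst_cert" || rc=1
    check_copy_matches "$src_key"  "$dst_key"  || rc=1
    check_key_private  "$dst_key"              || rc=1
    check_pair_matches "$dst_cert" "$dst_key"  || rc=1
    return $rc
}

# Usage with the paths from the manifest in this issue (fqdn assumed):
#   fqdn=$(hostname -f)
#   check_vhost_ssl unicorn_puppetmaster \
#       "/var/lib/puppet/ssl/certs/$fqdn.pem" \
#       "/var/lib/puppet/ssl/private_keys/$fqdn.pem" && echo "nginx SSL files OK"
```

One consequence of the copy worth keeping in mind: if the puppet master's certificate or key under /var/lib/puppet/ssl is regenerated, nginx keeps serving the old /etc/nginx copy until the next Puppet run rewrites it, which is exactly the case the content comparison above catches.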

@3flex (Contributor) commented Aug 15, 2014

Actually looking at the code this would be pretty easy - you can add ssl_certificate and ssl_certificate_key parameters which just set those values directly in the nginx config, and add deprecation notices when ssl_cert and/or ssl_key are set. This wouldn't break anything and having new parameters that match the actual names of the nginx directives would be nice.

@khaefeli

@3flex +1 for moving away from the copying of the certificates

3flex mentioned this issue Apr 10, 2015

@3flex (Contributor) commented Apr 10, 2015

Hi, please add any relevant comments to #599 regarding how the module will treat SSL certificates going forward.

3flex mentioned this issue May 6, 2015