diff --git a/manifests/resource/server.pp b/manifests/resource/server.pp
old mode 100644
new mode 100755
index 466fdc004..3c536636e
--- a/manifests/resource/server.pp
+++ b/manifests/resource/server.pp
@@ -71,6 +71,7 @@
 # [*ssl_trusted_cert*] - String: Specifies a file with trusted CA certificates in the PEM format used to verify client
 # certificates and OCSP responses if ssl_stapling is enabled.
 # [*ssl_verify_depth*] - Integer: Sets the verification depth in the client certificates chain.
+# [*ssl_password_file*] - String: File containing the password for the SSL Key file.
 # [*spdy*] - Toggles SPDY protocol.
 # [*http2*] - Toggles HTTP/2 protocol.
 # [*server_name*] - List of servernames for which this server will respond. Default [$name].
@@ -187,6 +188,7 @@
 Optional[String] $ssl_session_ticket_key = undef,
 Optional[String] $ssl_trusted_cert = undef,
 Optional[Integer] $ssl_verify_depth = undef,
+ Optional[Stdlib::Absolutepath] $ssl_password_file = undef,
 Enum['on', 'off'] $spdy = $nginx::spdy,
 Enum['on', 'off'] $http2 = $nginx::http2,
 Optional[String] $proxy = undef,
diff --git a/spec/acceptance/nginx_server_spec.rb b/spec/acceptance/nginx_server_spec.rb
old mode 100644
new mode 100755
index 4afaa5fc9..8d93d5583
--- a/spec/acceptance/nginx_server_spec.rb
+++ b/spec/acceptance/nginx_server_spec.rb
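Review bot: The new doc line types `ssl_password_file` as `String` while the parameter added to the define in the next hunk is `Optional[Stdlib::Absolutepath]`, and it says nothing about the sensitivity of the file: it holds the cleartext passphrase that unlocks `ssl_key`, and nothing in this change creates or protects it. I would replace the line with `# [*ssl_password_file*] - Absolute path to a file holding the passphrase(s) for the ssl_key file, one per line. The module does not create or manage this file; it must be readable by the process that loads the nginx configuration and, like the key itself, by nobody else.` The hunk is a comment block only; the define it documents begins outside it.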
@@ -111,4 +111,52 @@ class { 'nginx': }
 end
 end
 end
+
+ context 'should run successfully with encrypted ssl key' do
+ it 'configures a nginx SSL server' do
+ pp = "
+ class { 'nginx': }
+ nginx::resource::server { 'www.puppetlabs.com':
+ ensure => present,
+ ssl => true,
+ ssl_cert => '/etc/pki/tls/certs/crypted.cert',
+ ssl_key => '/etc/pki/tls/private/crypted.key',
+ ssl_password_file => '/etc/pki/tls/private/crypted.pass',
+ www_root => '/var/www/www.puppetlabs.com',
+ }
+ host { 'www.puppetlabs.com': ip => '127.0.0.1', }
+ file { ['/var/www','/var/www/www.puppetlabs.com']: ensure => directory }
+ file { '/var/www/www.puppetlabs.com/index.html': ensure => file, content => 'Hello from www\n', }
+ "
+
+ apply_manifest(pp, catch_failures: true)
+ end
+
+ describe file('/etc/nginx/sites-available/www.puppetlabs.com.conf') do
+ it { is_expected.to be_file }
+ it { is_expected.to contain 'ssl_password_file /etc/pki/tls/private/crypted.pass;' }
+ end
+
+ describe service('nginx') do
+ it { is_expected.to be_running }
+ end
+
+ describe port(443) do
+ it { is_expected.to be_listening }
+ end
+
+ it 'answers to https://www.puppetlabs.com with "Hello from www"' do
+ # use --insecure because it's a self-signed cert
+ shell('/usr/bin/curl --insecure https://www.puppetlabs.com:443') do |r|
+ expect(r.stdout).to eq("Hello from www\n")
+ end
+ end
+
+ it 'answers to https://www.puppetlabs.com without error' do
+ # use --insecure because it's a self-signed cert
+ shell('/usr/bin/curl --fail --insecure https://www.puppetlabs.com:443') do |r|
+ expect(r.exit_code).to eq(0)
+ end
+ end
+ end
 end
diff --git a/spec/spec_helper_acceptance.rb b/spec/spec_helper_acceptance.rb
old mode 100644
new mode 100755
index 03d39f0a9..2e1f23c8a
--- a/spec/spec_helper_acceptance.rb
+++ b/spec/spec_helper_acceptance.rb
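Review bot: The new context never checks that `/etc/pki/tls/private/crypted.key` is actually encrypted, so the test passes just as well when the key is plaintext and nginx never consults `ssl_password_file` at all; the `contain 'ssl_password_file ...'` assertion and both curl checks would still succeed. Add a fixture check next to the `describe file('/etc/nginx/sites-available/...')` block, e.g. `describe file('/etc/pki/tls/private/crypted.key') do` / `it { is_expected.to contain 'ENCRYPTED' }` / `end`, which matches both the legacy `Proc-Type: 4,ENCRYPTED` header and the PKCS#8 `BEGIN ENCRYPTED PRIVATE KEY` marker. This matters because the fixture added to spec_helper_acceptance.rb in this same commit appears to produce an unencrypted key (see the note there), which this test would not catch. The enclosing `describe` block begins outside the hunk.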
@@ -67,7 +67,11 @@

 # put the keys in a directory with the correct SELinux context
 on host, 'cp /tmp/blah.cert /etc/pki/tls/certs/blah.cert'
+ on host, 'cp /tmp/blah.cert /etc/pki/tls/certs/crypted.cert'
 on host, 'cp /tmp/blah.key /etc/pki/tls/private/blah.key'
+ on host, 'openssl rsa -in /tmp/blah.key -out /etc/pki/tls/private/crypted.key -passout pass:Sup3r_S3cr3t_Passw0rd'
+ on host, 'echo Sup3r_S3cr3t_Passw0rd >/etc/pki/tls/private/crypted.pass'
+ on host, 'chmod 0600 /etc/pki/tls/private/crypted.pass'
 end
 end
 end
diff --git a/templates/server/server_ssl_settings.erb b/templates/server/server_ssl_settings.erb
old mode 100644
new mode 100755
index 342db3a24..7588c77df
--- a/templates/server/server_ssl_settings.erb
+++ b/templates/server/server_ssl_settings.erb
@@ -53,4 +53,7 @@
 <%- if @ssl_verify_depth -%>
 ssl_verify_depth <%= @ssl_verify_depth %>;
 <%- end -%>
+ <%- if @ssl_password_file -%>
+ ssl_password_file <%= @ssl_password_file %>;
+ <%- end -%>
 <% end -%>
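Review bot: The `openssl rsa -in /tmp/blah.key -out .../crypted.key -passout pass:...` line writes the key unencrypted: `openssl rsa` only encrypts its output when a cipher option such as `-aes256` or `-des3` is given, and without one `-passout` is ignored, so the "crypted" key this fixture produces is a plaintext copy and the encrypted-key acceptance test exercises nothing. The command should read `on host, 'openssl rsa -aes256 -in /tmp/blah.key -out /etc/pki/tls/private/crypted.key -passout pass:Sup3r_S3cr3t_Passw0rd'`. Separately, `echo ... >/etc/pki/tls/private/crypted.pass` creates the passphrase file under the default umask before the `chmod 0600` runs; `on host, '(umask 077; echo Sup3r_S3cr3t_Passw0rd >/etc/pki/tls/private/crypted.pass)'` closes that window and makes the chmod unnecessary, while passing the passphrase via `pass:` is acceptable on a throwaway test host but does expose it in the process list. The `on host` calls sit inside a block that begins outside the hunk.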
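Review bot: The value is interpolated unquoted into `ssl_password_file <%= @ssl_password_file %>;`, and `Stdlib::Absolutepath` still admits spaces and nginx-significant characters such as `;` or `#`, so such a path would either break the directive or end it early; writing `ssl_password_file "<%= @ssl_password_file %>";` keeps nginx reading the whole path as one token, consistent with how the other path-valued directives here ought to behave. A short ERB comment above the new condition, e.g. `<%# passphrase file for ssl_key; nginx reads it when the configuration is loaded and the module does not manage its permissions %>`, would tell the next reader why nothing here touches the file's mode. If I recall correctly the directive only exists in nginx 1.7.3 and later, so if the module still claims support for older releases it may need a version gate like the `http2`/`spdy` handling elsewhere; worth confirming. The trailing `<% end -%>` closes a condition opened outside the hunk.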