ssl certificates

[jameseck]

Hi,

This is most likely user error rather than a bug, but I'm hoping someone can answer this either way.

I'm trying to configure a puppet master in nginx and I'm having trouble working out exactly how to describe the config I want. The issue I have is with SSL certificates.
The manifest below results in the nginx config looking for certs in /etc/nginx rather than the two explicit files I have provided in ssl_cert and ssl_key params for the vhost.

nginx::resource::vhost { 'unicorn_puppetmaster':
  ensure               => present,
  server_name          => ['puppet'],
  listen_port          => 8140,
  ssl                  => true,
  ssl_cert             => "/var/lib/puppet/ssl/certs/${::fqdn}.pem",
  ssl_key              => "/var/lib/puppet/ssl/private_keys/${::fqdn}.pem",
  ssl_port             => 8140,
  ssl_ciphers          => 'ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS',
  vhost_cfg_append     => {
    'ssl_crl'                 => '/var/lib/puppet/ssl/ca/ca_crl.pem',
    'ssl_client_certificate'  => '/var/lib/puppet/ssl/certs/ca.pem',
    'ssl_verify_client'       => 'optional',
    'ssl_verify_depth'        => 1,
  },
  www_root             => '/etc/puppet/rack/public',
  use_default_location => false,
  access_log           => '/var/log/nginx/puppetmaster_access.log',
  error_log            => '/var/log/nginx/puppetmaster_error.log',
  proxy_set_header     => [
    'Host $host',
    'X-Real-IP &remote_addr',
    'X-Forwarded-For $proxy_add_x_forwarded_for',
    'X-Client-Verify $ssl_client_verify',
    'X-Client-DN $ssl_client_s_dn',
    'X-SSL-Issuer $ssl_client_i_dn',
  ],
  proxy_read_timeout   => '120',
}
nginx::resource::location { '/':
  ensure         => present,
  location       => '/',
  vhost          => 'unicorn_puppetmaster',
  proxy          => 'http://unicorn_puppetmaster',
  ssl            => true,
  ssl_only       => true,
}
nginx::resource::upstream { 'unicorn_puppetmaster':
  upstream_fail_timeout => '0',
  members               => [ 'unix:/var/run/puppet/unicorn_puppetmaster.sock' ],
}

This manifest yields the following nginx config file:

server {
  listen       *:8140 ssl;

  server_name  puppet;

  ssl on;

  ssl_certificate           /etc/nginx/unicorn_puppetmaster.crt;
  ssl_certificate_key       /etc/nginx/unicorn_puppetmaster.key;
  ssl_session_cache         shared:SSL:10m;
  ssl_session_timeout       5m;
  ssl_protocols             SSLv3 TLSv1 TLSv1.1 TLSv1.2;
  ssl_ciphers               ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS;
  ssl_prefer_server_ciphers on;
    index  index.html index.htm index.php;

  access_log            /var/log/nginx/puppetmaster_access.log;
  error_log             /var/log/nginx/puppetmaster_error.log;


  root /etc/puppet/rack/public;
  proxy_set_header        Host $host;
  proxy_set_header        X-Real-IP &remote_addr;
  proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header        X-Client-Verify $ssl_client_verify;
  proxy_set_header        X-Client-DN $ssl_client_s_dn;
  proxy_set_header        X-SSL-Issuer $ssl_client_i_dn;
  location / {

    proxy_pass          http://unicorn_puppetmaster;
    proxy_read_timeout  90;
    proxy_connect_timeout  90;
    proxy_redirect  off;
    proxy_set_header        Host $host;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
  }
  ssl_client_certificate /var/lib/puppet/ssl/certs/ca.pem;
  ssl_crl /var/lib/puppet/ssl/ca/ca_crl.pem;
  ssl_verify_client optional;
  ssl_verify_depth 1;
}

Can anyone please explain what I need to do to get the right ssl files referenced in the nginx vhost config?

Thanks

J

[3flex]

Hi @jameseck,

The way the module works right now is that the file is sourced from what you provide in ssl_cert and ssl_key and copied to the /etc/nginx folder. So in your case the two files /var/lib/puppet/ssl/certs/${::fqdn}.pem and /var/lib/puppet/ssl/private_keys/${::fqdn}.pem are being copied to /etc/nginx/unicorn_puppetmaster.crt and /etc/nginx/unicorn_puppetmaster.key respectively.

The relevant code is at https://github.com/jfryman/puppet-nginx/blob/master/manifests/resource/vhost.pp#L595-L609.

I don't personally like this arrangement much but it's been that way since 0.0.2 so any PR to fix it would have to have backwards compatibility & deprecation notices if we move away from the copying of the certificates.

[3flex]

Actually looking at the code this would be pretty easy - you can add ssl_certificate and ssl_certificate_key parameters which just set those values directly in the nginx config, and add deprecation notices when ssl_cert and/or ssl_key are set. This wouldn't break anything and having new parameters that match the actual names of the nginx directives would be nice.

[khaefeli]

@3flex +1 for move away from the coping of the certificates

[3flex]

Hi, please add any relevant comments to #599 regarding how the module will treat SSL certificates going forward.