SSL - Githubissues

The Ghost API requires SSL; it would be nice if the cookbook allowed you to do SSL as well.

The recipe I used to get it up and running with a self-signed cert:

include_recipe 'ghost-blog'

directory '/etc/nginx/ssl'

# self-signed cert
execute "Create self-signed cert for johnkeiser.com" do
  command 'openssl req -x509 -nodes -days 365 -newkey rsa:2048 -keyout /etc/nginx/ssl/johnkeiser.com.key -out /etc/nginx/ssl/johnkeiser.com.crt -subj "/C=US/ST=Washington/L=Seattle/O=John Keiser/OU=John Keiser/CN=*.johnkeiser.com"'
  # TODO regen or extend if > 1yr
  not_if { ::File.exist?('/etc/nginx/ssl/johnkeiser.com.key') && ::File.exist?('/etc/nginx/ssl/johnkeiser.com.crt') }
  notifies :restart, 'service[nginx]', :immediately
end

template "/etc/nginx/sites-available/johnkeiser.com.ssl.conf" do
  source 'johnkeiser.com.ssl.conf.erb'
  variables server_name: 'johnkeiser.com'
  owner 'root'
  group 'root'
  notifies :restart, 'service[nginx]', :immediately
end

link "/etc/nginx/sites-enabled/johnkeiser.com.ssl.conf" do
  link_type :symbolic
  to "/etc/nginx/sites-available/johnkeiser.com.ssl.conf"
  notifies :restart, 'service[nginx]', :immediately
end

And the template:

server {
    listen 443 ssl;
    server_name <%= @server_name %>;
    ssl_certificate /etc/nginx/ssl/<%= @server_name %>.crt;
    ssl_certificate_key /etc/nginx/ssl/<%= @server_name %>.key;
    access_log /var/log/nginx/<%= @server_name %>.ssl.log;

    location / {
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header HOST $http_host;
        proxy_set_header X-NginX-Proxy true;

        proxy_pass http://127.0.0.1:2368;
        proxy_redirect off;
        proxy_buffering off;
    }
}

I'm presently working on making http 301-redirect to https, which will require somewhat more changes.

As an aside, I did this on Centos 7, and your recipe works fine there :) Thanks tons for saving me all that time!

arukaen / chef-ghost

SSL #3