sous-chefs / certificate

Development repository for the certificate cookbook
https://supermarket.chef.io/cookbooks/certificate

support mode attribute to set permission #14

Closed christoph-buente closed 3 years ago

christoph-buente commented 11 years ago

I tried to provide monit with an SSL certificate. The LWRP works fine and the pem from my encrypted databag ends up on the server, but with the wrong permissions.

monit: The SSL server PEM file '/etc/ssl/certs/monit.myserver.pem' must have permissions no more than -rwx------ (0700); right now permissions are -rw-r--r-- (0644). /etc/monit/monitrc:28: Error: SSL server PEM file has too loose permissions '/etc/ssl/certs/monit.myserver.pem'

Please add an attribute "mode" as in other resources and LWRPs to set the permission explicitly.

Cheers, Chris

atomic-penguin commented 11 years ago

@tmatilai, since you wrote the option[:private] functionality in the provider, do you have a preferred approach, or any ideas on a good way, to handle this?

tmatilai commented 11 years ago

The certificates are meant to be public (after all, it is sent to whoever connects to the server), only the keys private. The wiki page reveals that monit expects the same file to contain both the key and certificate (in which case the permissions need to be stricter). Unfortunately the certificate_manage provider doesn't currently support that.

So the options are:

  1. Add support for bundling both the key and certificates (including the intermediate ones) to one file. A bit similar to the nginx_cert attribute.
  2. Put nginx or some other web server in front to terminate the SSL and proxy plain http requests to monit.
  3. Manage the pem file without this cookbook.

The first option wouldn't be too difficult but makes the resource interface even more complicated. I'm happy to help if that is chosen though.

github-actions[bot] commented 3 years ago

Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.

github-actions[bot] commented 3 years ago

Closing due to inactivity. If this is still an issue please reopen or open another issue. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.