Closed sonnysideup closed 3 years ago
This should probably be closed, since #21 was merged.
However, I have a better suggestion...
How about creating these files (using wildcard as the example because it's easier) instead:
wildcard.crt -- The base certificate.
wildcard.key -- The base certificate's key.
wildcard-intermediates.crt -- The CA intermediate certificate(s) (was wildcard-bundle.crt)
wildcard-plus-intermediate.crt -- The base certificate + CA intermediate certificate(s) (aka the nginx option)
wildcard-plus-intermediate-and-key.crt -- The base certificate + CA intermediate certificate(s) plus the key.
This would be a good thing for several reasons:
wildcard.crt only contains the base certificate.
I could implement that, but won't this break backwards compat for all of your users using the "nginx" option?
Yes.
According to semantic versioning this would change the major number.
But it would be more robust and less likely to break things in the future.
OK, I think your suggestion is totally valid and a cleaner solution than what is currently there. I'll code up the changes this week and submit them.
One thing worth noting is that maybe '::default' shouldn't actually include anything. We went with a workaround and couldn't figure out how to load 'certificates' to only use the LWRP stuff.
I mean, if you're going to break the API anyway then go whole-hog. :-D
I started writing rspec stuff this morning, you can look at it here: https://github.com/docwhat/cookbook-certificate/tree/explicit-filenames
It doesn't work of course, but feel free to steal it.
@docwhat including the cookbook in the metadata should make the LWRP available to a wrapper cookbook. Unless something fundamental about Chef has changed, you have never had to include a recipe to "load" a LWRP.
Seems it might be a common misconception though.
Oh.
Sorry about the delay here, been busy at work. I'll work on these changes today.
No hurry, I'm busy with a Master's thesis, so there is that.
Marking stale due to inactivity. Remove stale label or comment or this will be closed in 7 days. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.
Closing due to inactivity. If this is still an issue please reopen or open another issue. Alternatively drop by the #sous-chefs channel on the Chef Community Slack and we'll be happy to help! Thanks, Sous-Chefs.
The PEM format supports having a private key and certificate(s) in the same file. Certain programs that use SSL, like HAProxy >= 1.5, require a PEM file from which to load both a certificate and the associated private key.
I'm happy to implement this if you think it will be valuable; I know I'll use it.
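
An added example, not part of the thread or the cookbook's own code: one way to write the file set proposed above, including the combined certificate-plus-key PEM that HAProxy loads, with a key/certificate match check and key-bearing files restricted to mode 0600. The function names, the 0600/0644 modes and the throwaway certificates are assumptions constructed for illustration.

```ruby
require 'openssl'
require 'tmpdir'

# Constructed sample material: throwaway certificates generated in-process.
def make_cert(cn, key, issuer_cert = nil, issuer_key = nil)
  cert = OpenSSL::X509::Certificate.new
  cert.serial = rand(1..2**32)
  cert.subject = OpenSSL::X509::Name.parse("/CN=#{cn}")
  cert.issuer = issuer_cert ? issuer_cert.subject : cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(issuer_key || key, OpenSSL::Digest.new('SHA256'))
end

# Hypothetical helper: writes the five files named in the thread.
# Any file that contains the private key is created with mode 0600.
def write_cert_files(dir, name, cert, key, intermediates)
  raise ArgumentError, 'key does not match certificate' unless cert.check_private_key(key)
  chain = intermediates.map(&:to_pem).join
  files = {
    "#{name}.crt" => [cert.to_pem, 0o644],
    "#{name}.key" => [key.to_pem, 0o600],
    "#{name}-intermediates.crt" => [chain, 0o644],
    "#{name}-plus-intermediate.crt" => [cert.to_pem + chain, 0o644],
    "#{name}-plus-intermediate-and-key.crt" => [cert.to_pem + chain + key.to_pem, 0o600]
  }
  files.each do |fname, (body, mode)|
    path = File.join(dir, fname)
    File.open(path, File::WRONLY | File::CREAT | File::TRUNC, mode) { |f| f.write(body) }
    File.chmod(mode, path) # enforce the mode even if the file already existed
  end
  files.keys
end

# Lists the PEM block types in a file, in order of appearance.
def pem_block_types(path)
  File.read(path).scan(/-----BEGIN ([A-Z ]+)-----/).flatten
end

# Builds a leaf + intermediate, writes the files, inspects the combined PEM.
def demo
  ca_key, key = OpenSSL::PKey::RSA.new(2048), OpenSSL::PKey::RSA.new(2048)
  ca = make_cert('Example Intermediate CA', ca_key)
  leaf = make_cert('*.example.test', key, ca, ca_key)
  Dir.mktmpdir do |dir|
    write_cert_files(dir, 'wildcard', leaf, key, [ca])
    combined = File.join(dir, 'wildcard-plus-intermediate-and-key.crt')
    [pem_block_types(combined), File.stat(combined).mode & 0o777]
  end
end
```

`demo` returns the block types found in the combined file and its permission bits; a mismatched key makes `write_cert_files` raise before anything is written.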