chef-x509's Issues

Workflow Issues

Okay I'm not 100% great with SSL certificates but I'm trying to get the basic workflow described in the README.md to work, so here's what I've done so far.

  1. I created a sample CA cert called docker:
     chef-ssl makeca --dn '/CN=docker' --ca-path .chef/docker --key_length=4096 --days=3650 --digest=SHA256
  2. I then set up a recipe where I want a cert signed by that CA.
directory '/etc/pki/docker'
x509_certificate 'docker' do
  ca 'docker'
  key node['docker_key']
  certificate node['docker_cert']
  bits 4096
  days 365
end
  3. The first chef-client is run on the node with the LWRP
    1. This does generate a key and a cert and drops it in the right places
    2. This also generates the CSR and puts it in the node attribute
  4. I then run chef-ssl sign --name docker and it shows the following
Search name: docker
     Node Hostname: desktop
  Certificate Type: server
    Certificate DN: /C=GB/ST=London/L=London/O=Example Ltd/OU=Certificate Automation/CN=docker/[email protected]
      Requested CA: docker
Requested Validity: 365 days
-----BEGIN CERTIFICATE REQUEST-----
MIIE4zCCAssCAQAwgZ0xCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzAN
BgNVBAcTBkxvbmRvbjEUMBIGA1UECgwLRXhhbXBsZSBMdGQxHzAdBgNVBAsMFkNl
cnRpZmljYXRlIEF1dG9tYXRpb24xDzANBgNVBAMMBmRvY2tlcjEkMCIGCSqGSIb3
...
-----END CERTIFICATE REQUEST-----

Sign this? (yes or no) yes
Paste cert text
  5. I then paste in the cacert.pem in .chef/docker (from when I created the CA)
  6. I see this output and type yes at the end.
 Signed: SHA1 Fingerprint=F8:D6:F7:F0:43:52:9F:EC:82:81:45:50:90:6A:33:5D:78:0E:75:B0
Subject: /CN=docker
 Issuer: /CN=docker
-----BEGIN CERTIFICATE-----
MIIFWDCCA0CgAwIBAgIBADANBgkqhkiG9w0BAQsFADARMQ8wDQYDVQQDDAZkb2Nr
ZXIwHhcNMTYwNDA4MDYxNzU4WhcNMjYwNDA2MDYxNzU4WjARMQ8wDQYDVQQDDAZk
...
-----END CERTIFICATE-----

WARNING: Issued certificate DN does not match request DN!
Save certificate? (yes or no) yes
Saved OK
  7. I then run chef on the client node and I get this.
  * x509_certificate[docker] action create [2016-04-08T07:48:13-07:00] WARN: not installing certificate docker (id d548c5b83fa61d8e3bd86ad42a7ffea9b7c86e3f9d8095c1577d3e1270bb9420), does not match key

I've boiled down the error to the x509_verify_key_cert_match in libraries, and it's trying to compare the n value for both keys. I've verified that they are close in size but not the same, and they aren't even a factor of one another usually. So I'd like some help trying to figure out what I'm doing wrong here.

Thanks.
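
The modulus comparison this post describes, run against a CA's own self-signed certificate and against a certificate issued from the node's CSR, as an added example (not part of the original post and not chef-x509's code). `key_matches_cert?`, `issuance_problems` and `issue` are hypothetical helpers, and the keys, DNs and 2048-bit key size are constructed sample data.

```ruby
require 'openssl'

# Hypothetical helper (not chef-x509's code): a certificate belongs to an RSA
# key only if both carry the same modulus n and public exponent e.
def key_matches_cert?(key, cert)
  pub = cert.public_key
  pub.is_a?(OpenSSL::PKey::RSA) && pub.n == key.n && pub.e == key.e
end

# Hypothetical pre-save check: the ways `cert` fails to answer `csr`.
def issuance_problems(csr, cert)
  problems = []
  problems << :dn_mismatch  unless cert.subject.to_der == csr.subject.to_der
  problems << :key_mismatch unless key_matches_cert?(csr.public_key, cert)
  problems
end

# Build a certificate binding `subject` to `public_key`, signed by `issuer_key`.
def issue(subject, public_key, issuer, issuer_key, serial, days)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = serial
  cert.subject = subject
  cert.issuer = issuer
  cert.public_key = public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + days * 86_400
  cert.sign(issuer_key, OpenSSL::Digest.new('SHA256'))
end

# Constructed sample data; 2048-bit keys keep the run short.
CA_KEY   = OpenSSL::PKey::RSA.new(2048)
NODE_KEY = OpenSSL::PKey::RSA.new(2048)
CA_DN    = OpenSSL::X509::Name.parse('/CN=docker')
# The CA's own self-signed certificate, i.e. what a cacert.pem contains.
CA_CERT  = issue(CA_DN, CA_KEY.public_key, CA_DN, CA_KEY, 0, 3650)

# The node's request: its DN and public key, signed with its private key.
CSR = OpenSSL::X509::Request.new
CSR.version = 0
CSR.subject = OpenSSL::X509::Name.parse('/O=Example Ltd/CN=docker')
CSR.public_key = NODE_KEY.public_key
CSR.sign(NODE_KEY, OpenSSL::Digest.new('SHA256'))

# A certificate issued from the CSR carries the node's DN and public key.
raise 'CSR signature invalid' unless CSR.verify(CSR.public_key)
NODE_CERT = issue(CSR.subject, CSR.public_key, CA_DN, CA_KEY, 1, 365)
puts "CA cert vs CSR:   #{issuance_problems(CSR, CA_CERT).inspect}"
puts "node cert vs CSR: #{issuance_problems(CSR, NODE_CERT).inspect}"
```

A certificate whose Subject and Issuer are both the CA's DN holds the CA's public key, so it fails both checks against the node's request; only a certificate built from the CSR's public key passes the modulus comparison on the node.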

certificates search 404 error

I currently have a chef 12.4.1 server up and running with a node bootstrapped. I am attempting to run a chef-client with a simple resource to create an SSL certificate but am seeing errors. erchef attempts to search certificates which doesn't seem to exist and 404 not found is returned. Any suggestions? Thanks in advance.

from recipe
x509_certificate "www.example.com" do
  ca "MyCA"
  key "/etc/ssl/www.example.com.key"
  certificate "/etc/ssl/www.example.com.cert"
end

from chef-server-ctl tail
==> /var/log/opscode/nginx/access.log <==
10.201.12.4 - - [11/Feb/2016:12:17:43 -0800] "GET /organizations/corg/search/certificates?q=id:80fc0fb9266db7b83f85850fa0e6548b6d70ee68c8b5b412f1deea6ebdef0404&sort=X_CHEF_id_CHEF_X%20asc&start=0 HTTP/1.1" 404 "0.037" 100 "-" "Chef Client/12.6.0 (ruby-2.1.6-p336; ohai-8.8.1; x86_64-linux; +https://chef.io)" "127.0.0.1:8000" "404" "0.036" "12.6.0" "algorithm=sha1;version=1.0;" "cornc-dev1" "2016-02-11T20:17:43Z" "2jmj7l5rSw0yVb/vlWAYkK/YBwk=" 1142

==> /var/log/opscode/opscode-erchef/crash.log <==
2016-02-11 12:17:43 =ERROR REPORT====
{<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}

==> /var/log/opscode/opscode-erchef/erchef.log <==
2016-02-11 12:17:43.730 [error] {<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}

==> /var/log/opscode/opscode-erchef/current <==
2016-02-11_20:17:43.75868 [error] {<<"method=GET; path=/organizations/corg/search/certificates; status=404; ">>,"Not Found"}

==> /var/log/opscode/opscode-erchef/requests.log.1 <==
2016-02-11T20:17:43Z [email protected] method=GET; path=/organizations/corg/search/certificates?q=id:80fc0fb9266db7b83f85850fa0e6548b6d70ee68c8b5b412f1deea6ebdef0404&sort=X_CHEF_id_CHEF_X%20asc&start=0; status=404; req_id=g3IAA2QAEGVyY2hlZkAxMjcuMC4wLjEDAAOlyAAAAAMAAAAA; org_name=corg; msg=[110,111,32,100,97,116,97,32,98,97,103,58,32,<<...>>]; couchdb_groups=false; couchdb_organizations=false; couchdb_containers=false; couchdb_acls=false; 503_mode=false; couchdb_associations=false; couchdb_association_requests=false; req_time=31; rdbms_time=1; rdbms_count=3; solr_time=17; solr_count=1; user=cornc-dev1; req_api_version=1;

Additional check is needed for EaSSL gem version

I have two eassl gem versions on my system, v2 and v3. When x509.rb makes the require 'eassl' request, the second version is loaded for some reason.
ATM I'm forcing it to load the third version by using

gem 'eassl3'
require 'eassl'

But probably that's not the best solution.

Solr expression issue

For some reason I'm getting some problems with the CSR search. In general, Spice.nodes() at client.rb:66 returns an empty array. I have some feeling that it can be related to the presence of underscores in both csr_outbox and my CA names.

Also, Spice.nodes("*_ca:#{ca}") works, while Spice.nodes("*_*_ca:#{ca}") doesn't. Dunno why.

Running chef-zero v4.5.0
