dh_param does not get rendered correctly
With SSL enabled, the path to dh_param does not get rendered in supermarket.rb
My interpretation: template resource is created during compilation phase, however dh_param is declared/created at the execution phase in the recipe.
https://github.com/chef/supermarket/blob/be7bf10424daa999bee8e5dfac4e87d14b786abe/omnibus/cookbooks/omnibus-supermarket/recipes/ssl.rb#L35
https://github.com/chef/supermarket/blob/801a74049e1728d4ed55fe0aa8c07f675ba9414b/omnibus/cookbooks/omnibus-supermarket/templates/default/rails.nginx.conf.erb#L35
https://github.com/chef/supermarket/blob/801a74049e1728d4ed55fe0aa8c07f675ba9414b/omnibus/cookbooks/omnibus-supermarket/recipes/rails.rb#L51
Another issue is that there are two SSL sections and they are far apart. Also, it doesn't seem to be documented that all of them have to be specified.
```ruby
47 # # ### Bring your on SSL certificate
48 # #
49 # # If a key and certificate are not provided, a self-signed certificate will be
50 # # generated. To use your own, provide the paths to them and ensure SSL is
51 # # enabled in Nginx:
52 # #
53 default['supermarket']['nginx']['force_ssl'] = true
54 default['supermarket']['ssl']['certificate'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.crt'
55 default['supermarket']['ssl']['certificate_key'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.key'
```
two certificate sections, 200 lines apart - should be combined
```ruby
232 # # ## SSL
233 #
234 default['supermarket']['ssl']['directory'] = '/var/opt/supermarket/ssl'
235 #
236 # # Paths to the SSL certificate and key files. If these are not provided we will
237 # # attempt to generate a self-signed certificate and use that instead.
238 default['supermarket']['ssl']['enabled'] = true
```

The lines below are duplicated:

```ruby
239 default['supermarket']['ssl']['certificate'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.crt'
240 default['supermarket']['ssl']['certificate_key'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.key'
241 default['supermarket']['ssl']['ssl_dhparam'] = '/var/opt/supermarket/ssl/ca/dhparams.pem'  # --->>> this value is nil
242 #
```
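As an added illustration of the compile/converge reading given in the report (not Chef's or Supermarket's code): a toy two-phase run in plain Ruby. The `Run` class, its method names and the one-line template are made up for the example; the lambda stands in for the role Chef's `lazy {}` plays for template variables.

```ruby
require 'erb'
# Constructed stand-in for the ssl_dhparam line of the nginx site template.
DHPARAM_LINE = ERB.new('ssl_dhparam <%= dhparam %>;')

# Hypothetical two-phase runner: recipe code queues actions at compile time; they run at converge.
class Run
  attr_reader :node

  def initialize
    # Constructed node attributes: ssl_dhparam stays unset until converge.
    @node = { 'ssl' => { 'directory' => '/var/opt/supermarket/ssl', 'ssl_dhparam' => nil } }
    @actions = []
  end

  # Compile phase: evaluate the recipe block, which only queues actions.
  def compile(&recipe)
    instance_eval(&recipe)
    self
  end

  # Stand-in for the ssl recipe: the attribute is assigned when the action runs (converge).
  def generate_dhparams
    @actions << -> { node['ssl']['ssl_dhparam'] = "#{node['ssl']['directory']}/ca/dhparams.pem" }
  end

  # Stand-in for the template resource: a Hash was already evaluated at compile time;
  # a lambda is evaluated at converge time, the role Chef's `lazy {}` plays for variables.
  def site_config(variables)
    @actions << lambda {
      vars = variables.respond_to?(:call) ? variables.call : variables
      DHPARAM_LINE.result_with_hash(vars)
    }
  end

  # Converge phase: run the queued actions in order; return the rendered line.
  def converge
    @actions.map(&:call).last
  end
end

# Variables captured eagerly at compile time: ssl_dhparam is still nil, so the path is blank.
def render_eager
  Run.new.compile { generate_dhparams; site_config({ dhparam: node['ssl']['ssl_dhparam'] }) }.converge
end

# Variables deferred until converge: the generated path is rendered.
def render_deferred
  Run.new.compile { generate_dhparams; site_config(-> { { dhparam: node['ssl']['ssl_dhparam'] } }) }.converge
end
```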
@vinyar Are you overriding any of the attributes that are paths to SSL things?

- `['ssl']['directory']`
- `['ssl']['certificate']`
- `['ssl']['certificate_key']`
- `['ssl']['ssl_dhparam']`
I can see a failure scenario where someone has overridden the path to `['ssl']['ssl_dhparam']` but has left `['ssl']['directory']` at default or overridden it with a different parent path than for the dhparams:

- Currently, the internal omnibus cookbook will always generate a dhparams file in `#{node['supermarket']['ssl']['directory']}/ca/dhparams.pem` (i.e. it does not use the value in `['ssl']['ssl_dhparam']` in any way for generating dhparams).
- After writing out the dhparams file to `#{node['supermarket']['ssl']['directory']}/ca/dhparams.pem`, the cookbook does a weird thing to test whether it was given an overridden path to the dhparams file and, if not, sets `['ssl']['ssl_dhparam']` to the path where it just wrote the file.
- Then the cookbook will use the value for the `['ssl']['ssl_dhparam']` path in writing out the NGINX site configuration.

The problem is that if `['ssl']['ssl_dhparam']` was overridden to somewhere other than `#{node['supermarket']['ssl']['directory']}/ca/dhparams.pem` (where the file will be written, regardless of your wishes), the NGINX site config won't be referencing the generated file.

Er, and I'm not saying that this is correct behavior. I am only describing current behavior. The scenario I described is a bug, but I'm not positive it is the problem you are having.