
dh_param does not get rendered correctly

Open vinyar opened this issue 7 years ago • 2 comments

With SSL enabled, the path to dh_param does not get rendered in supermarket.rb

My interpretation: the template resource is created during the compilation phase; however, dh_param is declared/created at the execution phase in the recipe.

https://github.com/chef/supermarket/blob/be7bf10424daa999bee8e5dfac4e87d14b786abe/omnibus/cookbooks/omnibus-supermarket/recipes/ssl.rb#L35

https://github.com/chef/supermarket/blob/801a74049e1728d4ed55fe0aa8c07f675ba9414b/omnibus/cookbooks/omnibus-supermarket/templates/default/rails.nginx.conf.erb#L35

https://github.com/chef/supermarket/blob/801a74049e1728d4ed55fe0aa8c07f675ba9414b/omnibus/cookbooks/omnibus-supermarket/recipes/rails.rb#L51

Another issue is that there are two SSL sections, and they are far apart. Also, it doesn't seem to be documented that all of them have to be specified.

```ruby
47 # # ### Bring your on SSL certificate
48 # #
49 # # If a key and certificate are not provided, a self-signed certificate will be
50 # # generated. To use your own, provide the paths to them and ensure SSL is
51 # # enabled in Nginx:
52 # #
53 default['supermarket']['nginx']['force_ssl'] = true
54 default['supermarket']['ssl']['certificate'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.crt'
55 default['supermarket']['ssl']['certificate_key'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.key'
```

Two certificate sections, 200 lines apart; they should be combined:

```ruby
232 # # ## SSL
233 #
234 default['supermarket']['ssl']['directory'] = '/var/opt/supermarket/ssl'
235 #
236 # # Paths to the SSL certificate and key files. If these are not provided we will
237 # # attempt to generate a self-signed certificate and use that instead.
238 default['supermarket']['ssl']['enabled'] = true
    # below lines are duplicated
239 default['supermarket']['ssl']['certificate'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.crt'
240 default['supermarket']['ssl']['certificate_key'] = '/var/opt/supermarket/ssl/ca/market.chef.iacp.dc.key'
    # --->>> (this value is nil)
241 default['supermarket']['ssl']['ssl_dhparam'] = '/var/opt/supermarket/ssl/ca/dhparams.pem'
242 #
```

vinyar avatar Jan 18 '17 21:01 vinyar

@vinyar Are you overriding any of the attributes that are paths to SSL things?

  • ['ssl']['directory']
  • ['ssl']['certificate']
  • ['ssl']['certificate_key']
  • ['ssl']['ssl_dhparam']

I can see a failure scenario where someone has overridden the path to ['ssl']['ssl_dhparam'] but has left ['ssl']['directory'] at default or overridden it with a different parent path than for the dhparams:

  1. Currently, the internal omnibus cookbook will always generate a dhparams file in #{node['supermarket']['ssl']['directory']}/ca/dhparams.pem (i.e. it does not use the value in ['ssl']['ssl_dhparam'] in any way for generating dhparams).
  2. After writing out the dhparams file to #{node['supermarket']['ssl']['directory']}/ca/dhparams.pem, the cookbook does a weird thing to test whether it was given an overridden path to the dhparams file and, if not, sets ['ssl']['ssl_dhparam'] to the path it just wrote the file.
  3. Then the cookbook will use the value for the ['ssl']['ssl_dhparam'] path in writing out the NGINX site configuration.

The problem is that if ['ssl']['ssl_dhparam'] was overridden to somewhere other than #{node['supermarket']['ssl']['directory']}/ca/dhparams.pem (where the file will be written, regardless of your wishes), the NGINX site config won't be referencing the generated file.

robbkidd avatar Jan 26 '17 21:01 robbkidd

Er, and I'm not saying that this is correct behavior. I am only describing current behavior. The scenario I described is a bug, but I'm not positive it is the problem you are having.

robbkidd avatar Jan 26 '17 21:01 robbkidd
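The two behaviours discussed in this thread, the template variable being evaluated during Chef's compile phase before the dhparams attribute is set (vinyar's interpretation), and the overridden `['ssl']['ssl_dhparam']` path drifting away from where the file is actually written (robbkidd's scenario), can be reproduced with a small model of Chef's two-phase run. The code below is an added example and is not Supermarket's cookbook code; `Lazy`, `Template`, `RubyBlock`, `compile_recipes`, `chef_run` and the plain nested hash used as the node are stand-ins for Chef's own resource collection, `DelayedEvaluator` (`lazy { ... }`) and node attribute tree, and the dhparams file content is a constructed placeholder. It also includes a post-run check a deployer can point at the real rendered `rails.nginx.conf` to confirm the `ssl_dhparam` directive references a file that exists.

```ruby
require 'fileutils'
require 'tmpdir'

# Deferred value, modelled on Chef's DelayedEvaluator (`variables lazy { ... }`).
class Lazy
  def initialize(&blk)
    @blk = blk
  end

  def call
    @blk.call
  end
end

def resolve(value)
  value.is_a?(Lazy) ? value.call : value
end

# Minimal template resource: renders the ssl_dhparam directive at converge time.
Template = Struct.new(:path, :variables) do
  def converge
    dh = resolve(variables[:ssl_dhparam])
    content = "ssl_dhparam #{dh};\n"
    File.write(path, content)
    content
  end
end

# Minimal ruby_block resource: arbitrary code that runs at converge time.
RubyBlock = Struct.new(:block) do
  def converge
    block.call
  end
end

# Compile phase: evaluates recipe code and builds the resource collection.
# `node` is a nested hash standing in for Chef's node attribute tree.
def compile_recipes(node, conf_dir, lazy_vars:)
  read_dhparam = -> { node.dig('supermarket', 'ssl', 'ssl_dhparam') }
  resources = []

  # ssl recipe: writes dhparams.pem under ['ssl']['directory']/ca and, only if
  # nothing was overridden, points ['ssl']['ssl_dhparam'] at the written file.
  resources << RubyBlock.new(lambda do
    pem = File.join(node['supermarket']['ssl']['directory'], 'ca', 'dhparams.pem')
    FileUtils.mkdir_p(File.dirname(pem))
    File.write(pem, "-----BEGIN DH PARAMETERS-----\nconstructed placeholder\n-----END DH PARAMETERS-----\n")
    node['supermarket']['ssl']['ssl_dhparam'] ||= pem
  end)

  # rails recipe: the variables hash is evaluated right here, during compile,
  # unless the value is wrapped in lazy; at that moment the attribute is still
  # nil because the ruby_block above has not converged yet, whatever the order.
  dh_var = lazy_vars ? Lazy.new(&read_dhparam) : read_dhparam.call
  resources << Template.new(File.join(conf_dir, 'rails.nginx.conf'), { ssl_dhparam: dh_var })

  resources
end

# Converge phase: run every resource in declaration order, return rendered config.
def chef_run(node, conf_dir, lazy_vars:)
  compile_recipes(node, conf_dir, lazy_vars: lazy_vars).each(&:converge)
  File.read(File.join(conf_dir, 'rails.nginx.conf'))
end

# Post-run check: extract the path the rendered config references, if any.
def referenced_dhparam(config)
  m = config.match(/^ssl_dhparam\s+(\S+);/)
  m && m[1]
end

# True only when the directive names a file that is actually present on disk.
def dhparam_reference_valid?(config)
  path = referenced_dhparam(config)
  !path.nil? && File.file?(path)
end

# Fresh attribute tree; `dhparam_override` simulates a wrapper-cookbook override.
def fresh_node(ssl_dir, dhparam_override = nil)
  { 'supermarket' => { 'ssl' => { 'directory' => ssl_dir, 'ssl_dhparam' => dhparam_override } } }
end

if __FILE__ == $PROGRAM_NAME
  Dir.mktmpdir do |tmp|
    ssl_dir = File.join(tmp, 'ssl')
    puts chef_run(fresh_node(ssl_dir), tmp, lazy_vars: false) # eager: empty directive
    puts chef_run(fresh_node(ssl_dir), tmp, lazy_vars: true)  # lazy: generated path
  end
end
```

Running it shows the eager template rendering `ssl_dhparam ;` even though the ssl recipe is declared first, the lazy template rendering the generated `ssl/ca/dhparams.pem` path, and an overridden `ssl_dhparam` pointing somewhere the file was never written, which `dhparam_reference_valid?` flags. The same regex check can be run against a real rendered config before reloading NGINX.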