tlsinfo

Table of Contents

1. Description
2. Setup - The basics of getting started with tlsinfo
   • Beginning with tlsinfo
   • Sslkey
   • Sslcertificate
3. Usage - Configuration options and additional functionality
4. Limitations - OS compatibility, etc.

Description

tlsinfo module rpovide ability to manage x509 certificates and private keys on server node with proper validation checking (over dates, CA issuers, common names etc)

Also there is tlsinfo::tools::cfssl which installs CloudFlare CF SSL toolkits into /usr/local/bin

There are useful defined types provided:

• tlsinfo::certpair
• tlsinfo::certificate

See REFERENCE.md for details

Setup

Beginning with tlsinfo

Module provides two custom types:

sslkey { '/etc/pki/tls/private/www.domain.com.key':
  ensure   => present,
  password => 'SecureSecret',
  path     => '/etc/pki/tls/private/www.domain.com.key',
  replace  => true,
  content  => lookup('www_domain_com_private', String, 'first'),
}

and

sslcertificate { 'www.domain.com':
  ensure   => present,
  path     => '/etc/pki/tls/certs/www.domain.com.pem',
  pkey     => '/etc/pki/tls/private/www.domain.com.key',
  cacert   => true,
  replace  => true,
  chain    => true,
  strict   => true,
  identity => ['www.domain.com', 'domain.com'],
  content  => lookup('www_domain_com_certificate', String, 'first'),
}

Sslkey

sslkey title

Must be full path to private key because Sslcertificate[pkey] has requirement to be absolute path.

sslkey::ensure

Default value is present

If defined as absent - private key file will be removed by unlink()

sslkey::passowrd

Encrypted private key password. Must be a String or nil (undef). Can not be empty string.

sslkey::path

Absolute path to Private key file. It is namevar parameter (set to title value if not specified). Required parameter.

sslkey::replace

Boolean. Default value is true.

If true than content value will replace existing private key file. Otherwise - noop.

sslkey::content

String. Required parameter

Must not be empty. Should be valid RSA private key in DER or PEM encoding form. Key size must be greate or equal 2048 bits

Sslcertificate

SSL certificate provided via content parameter will be checked over pkey private key.

sslcertificate title

By default it should be full path to certificate file (eg /etc/pki/tls/certs/4f06f81d.pem) but not neccesarry.

Could be any string.

Sslcertificate type applies title pattern to get name variable parameter path. Therefore path if not defined will be set to title value (trimming last hashes /)

sslcertificate::ensure

Default value is present

If defined as absent - certificate file will be removed by unlink()

sslcertificate::subject_hash (readonly)

Represent certificate subject hash openssl x509 -subject_hash

sslcertificate::subject_hash_old (readonly)

Represent certificate subject old hash openssl x509 -subject_hash_old

sslcertificate::path

Absolute path to certificate file. It is namevar parameter (set to title value if not specified). Required parameter.

sslcertificate::pkey

Absolute path to Private key file. Required parameter.

Puppet catalog should consist Sslkey resource with title that match pkey parameter.

sslcertificate::cacert

Default value: undef

Possible values are:

• true (Intermediate CA should be defined in Puppet catalog as Sslcertificate resource),
• false (we don't care about Intermediate CA),
• String. Any of certificate path, Sslcertificate resource title, certificate subject hash (openssl x509 -subject_hash) or old hash (openssl x509 -subject_hash_old). Should be defined in Puppet catalog as Sslcertificate resource
• Array of strings (list of CA certificates)

sslcertificate::replace

Boolean. Default value is true.

If true than content value will replace existing certificate file. Otherwise - noop.

sslcertificate::chain

Boolean. Default is true

If true than Intermediate CA certificate will be placed into PEM file.

sslcertificate::rootca

Boolean. Default is false

If true than content of Root CA will be included into PEM file if CA bundle exists on host This option is useful for self-signed CA

sslcertificate::strict

Boolean. Default is true

If true and cacert specified than cert chain will be checked over root certificate bundle (catalog compilation will fail if CA certificate is not valid)

sslcertificate::identity

Certificate identities. Could be String or list of strings

Each identity will be checked over Common Name or Alternative Names (DNS). If any of them missed - resource compilation will fail.

sslcertificate::content

Certificate PEM data. Required parameter. Can not be empty

It should be valid x509 certificate with valid term of validity

Usage

It is required to include tlsinfo module into current scope to make parmeters tlsinfo::certbase and tlsinfo::keybase available

include tlsinfo

Example:

  tlsinfo::certificate { 'LetsEncryptAuthorityX3':
    cert => file('profile/certs/LetsEncryptAuthorityX3.crt'),
  }

  $server_name = 'registry.domain.com'
  tlsinfo::certpair { $server_name:
    identity => true,
  }

  # get certificate data from Hiera
  $certdata = tlsinfo::lookup($server_name)

  $ssl_cert_path = tlsinfo::certpath($certdata)
  $ssl_key_path = tlsinfo::keypath($certdata)

  class { 'profile::registry::nginx':
    server_name      => $server_name,
    ...
    ...
    ssl              => true,
    ssl_cert         => $ssl_cert_path,
    ssl_key          => $ssl_key_path,
    require          => Tlsinfo::Certpair[$server_name],
  }

In this example defined type Tlsinfo::Certificate will create certificate /etc/pki/tls/certs/4f06f81d.pem (4f06f81d is a certificate subject hash).

Tlsinfo::Certpair will look for registry_domain_com_certificate and registry_domain_com_private keys through Hiera (this behavior defined by function tlsinfo::lookup).

It will define certpair Sslcertificate[/etc/pki/tls/certs/registry.domain.com.pem] and Sslkey[/etc/pki/tls/private/registry.domain.com.key].

By default certificate file /etc/pki/tls/certs/registry.domain.com.pem will consists Intermediate CA certificate on the bottom if such Intermediate CA certificate exists in Puppet catalog (defined via Tlsinfo::Certificate)

Path to certificate could be get via function tlsinfo::certpath and path to private key - via tlsinfo::keypath

Reference

See REFERENCE.md

Limitations

Module uses Ruby library 'openssl'

For unknown reasons this library has unpredicted behavior like:

1) returns old hash instead of new (for certificate Subject and Issuer fields) therefore both hashes in use for certificates lookup 2) returns negative (signed) values for Subject and Issuer hashes (eg -ece330c instead of f131ccf4)

Therefore it is better to use module functions for default path calculation (tlsinfo::certpath and tlsinfo::keypath)

Reference

Table of Contents

Classes

• tlsinfo: A short summary of the purpose of this class
• tlsinfo::params
• tlsinfo::tools::cfssl: CFSSL toolkit installation

Defined types

• tlsinfo::certificate: SSL certificate setup
• tlsinfo::certpair: Certificate pair.

Resource types

• sslcertificate: Certificate subject hash (read only)
• sslkey: Encrypted private key password

Functions

• tlsinfo::certpath
• tlsinfo::keypath
• tlsinfo::lookup
• tlsinfo::normalize

Plans

• tlsinfo::update: Update certificate and private key

Classes

tlsinfo

A description of what this class does

Examples

include tlsinfo

Parameters

The following parameters are available in the tlsinfo class.

certbase

Data type: Optional[Stdlib::Unixpath]

Directory where certificate files are stored in the system (RedHat and Debian based systems are predefined)

keybase

Data type: Optional[Stdlib::Unixpath]

Directory where private key files are stored in the system (RedHat and Debian based systems are predefined)

cfssl_version

Data type: Optional[String]

Version of CF SSL toolkit to install using tlsinfo::tools::cfssl see https://github.com/cloudflare/cfssl/releases

tlsinfo::params

The tlsinfo::params class.

tlsinfo::tools::cfssl

CFSSL toolkit installation

Examples

include tlsinfo::tools::cfssl

Parameters

The following parameters are available in the tlsinfo::tools::cfssl class.

version

Data type: Optional[Pattern[/^1\.[4-9][1-9]?\./]]

Default value: $tlsinfo::cfssl_version

download_source

Data type: String

Default value: $tlsinfo::params::cfssl_download_source

tmpdir

Data type: Stdlib::Absolutepath

Default value: $tlsinfo::params::download_tmpdir

Defined types

tlsinfo::certificate

SSL certificate setup

Examples

Considering 'basepath' as '/etc/pki/tls/certs' (default to CentOS)
this will create certificate file '/etc/pki/tls/certs/<subject_hash>.pem' as well
as will create file '/etc/pki/tls/certs/4f06f81d.crt' and also will create symlink
'/etc/pki/tls/certs/LetsEncryptAuthorityX3.pem' which points to '<subject_hash>.pem'
Also it will push content of Intermediate CA certificate into certificate
file as well as Root CA certificate

tlsinfo::certificate { "/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3":
  cert   => file('profile/certs/4f06f81d.crt'),
  link   => 'LetsEncryptAuthorityX3.pem',
  path   => '4f06f81d.crt',
  cacert => true,
  rootca => true,
}

Example of intermediate certificates chain:

tlsinfo::certificate { '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO High Assurance Secure Server CA':
  cert => file('profile/certs/ComodoHighAssuranceSecureServerCA.crt'),
  link => 'ComodoHighAssuranceSecureServerCA.pem',
  path => 'ComodoHighAssuranceSecureServerCA.crt',
}

tlsinfo::certificate { '/C=GB/ST=Greater Manchester/L=Salford/O=COMODO CA Limited/CN=COMODO RSA Domain Validation Secure Server CA':
  cert   => file('profile/certs/COMODORSADomainValidationSecureServerCA.crt'),
  link   => 'COMODORSADomainValidationSecureServerCA.pem',
  path   => 'COMODORSADomainValidationSecureServerCA.crt',
  cacert => true,
}

Parameters

The following parameters are available in the tlsinfo::certificate defined type.

cert

Data type: Optional[String]

Certificate data to use for verification and processing. If not provided tlsinfo::certificate will look for Hiera key "#{name}certificate" with "name" normalized with next rules (string replacement): 1) '*' -> 'wildcard' 2) '.' -> '' 3) '-' -> '' 4) "'" -> '' 5) ' ' -> '_'

Default value: undef

basepath

Data type: Optional[Stdlib::Unixpath]

System path where certificate data usually stored (eg /etc/pki/tls/certs on CentOS)

Default value: $tlsinfo::certbase

cacert

Data type: Optional[ Variant[ Boolean, Stdlib::Unixpath, Array[Stdlib::Unixpath] ] ]

Could be Boolean true or false:

• true means CA Intermediate certificate already MUST be defined in catalog
• false means we do not manage CA Intermediate certificate (therefore validation over CA will not happen) Also could be a Full path to certificate or array of paths (for example, if certificate chain has 2 or more Intermediate CA)

Default value: undef

path

Data type: Optional[ Variant[ Stdlib::Unixpath, Pattern[/^[^\/]+\.(pem|crt|cer|cert)$/] # basename (relative to basepath/certbase) ] ]

Absolute path or relative to system certificate base directory where certificate data either provided with parameter cert or found using Hiera key #{name}_certificate should be stored. It will be saved "as is" without verification and processing

Default value: undef

rootca

Data type: Boolean

Whether to place Root CA certificate into certificate file or not

Default value: false

chain

Data type: Boolean

Whether to place Intermediate certificate into certificate file or not

Default value: true

link

Data type: Optional[ Variant[ Stdlib::Unixpath, Pattern[/^[^\/]+\.pem$/] # basename (relative to basepath/certbase) ] ]

If provided - will create human symbolic link to certificate file (with link name provided)

Default value: undef

tlsinfo::certpair

Certificate pair

Description

Name of resource must match TLS certificate Common Name subject field. Both TLS certificate and private keys must be defined or available in Hiera

Parameters

Examples

tlsinfo::certpair { $server_name:
  identity => true,
  cert     => $ssl_cert,
  pkey     => $ssl_key,
  # in case of self signed CA
  strict   => false,
}

Parameters

The following parameters are available in the tlsinfo::certpair defined type.

name

It is used as lookup key if not provided and as identity unless identity parameter is false

cert

Data type: Optional[String]

Certificate PEM encoded data. If not provided, Puppet will look for certificate data into Hiera using function lookup() by key ${name}_certificate. Otherwise it will use provided value

Default value: undef

pkey

Data type: Optional[String]

Private key PEM encoded data. If not provided, Puppet will look for certificate data into Hiera using function lookup() by key ${name}_private. Otherwise it will use provided value

Default value: undef

cacert

Data type: Optional[ Variant[ Boolean, Stdlib::Unixpath, Array[Stdlib::Unixpath] ] ]

If String provided it will be used as one of (with same priority by looking through Puppet catalog):

• path to TLS certificate
• certificate subject hash
• Puppet Sslcertificate resource title If Boolean true provided, Puppet will look for CA intermediate certificate through resources catalog using Issuer field hash from cert parameter. If Boolean false provided - we don't care about CA intermediate certificate If Array of String provided - each String would be handled separately as part of CA chain

Default value: true

lookupkey

Data type: Optional[String]

If cert is not provided Puppet will use lookup() function with lookup key <lookupkey>_certifiacte for SSL certificate and lookup key <lookupkey>_private for SSL privae key If lookupkey is undef it will use $name as lookupkey

Default value: undef

secret

Data type: Optional[String]

Password for encrypted private key

Default value: undef

certbase

Data type: Optional[Stdlib::Unixpath]

Directory where certificate files are stored in the system (RedHat and Debian based systems are predefined)

Default value: $tlsinfo::certbase

keybase

Data type: Optional[Stdlib::Unixpath]

Directory where private key files are stored in the system (RedHat and Debian based systems are predefined)

Default value: $tlsinfo::keybase

identity

Data type: Optional[ Variant[ Boolean, String, Array[String, 1] ] ]

Identtity which certificate should represent (eg domain name). Certificate Common Name or any of DNS names must match identity field If Boolean true - resource $name is used as identity If String - it will be used as identity alon with $name If Array - it will be used as array of identities along with $name

Default value: undef

rootca

Data type: Boolean

Whether to place Root CA certificate into certificate file or not

Default value: false

validate

Data type: Boolean

Whether to validate certificate expiration (Allow to define expired certificates in Puppet catalog to not fail catalog compilation)

Default value: true

strict

Data type: Boolean

Whether to validate Root CA validity

Default value: true

Resource types

sslcertificate

Certificate subject hash (read only)

Properties

The following properties are available in the sslcertificate type.

content

Certificate content

ensure

Valid values: absent, present

The basic property that the resource should be in.

Default value: present

Parameters

The following parameters are available in the sslcertificate type.

cacert

Could be Boolean true or false:

• true means CA Intermediate certificate already MUST be defined in catalog
• false means we do not manage CA Intermediate certificate (therefore validation over CA will not happen) Also could be a Full path to certificate or array of paths (for example, if certificate chain has 2 or more Intermediate CA)

chain

Valid values: true, false, yes, no

Whether to place Intermediate certificate into certificate file or not

Default value: true

expiration

Valid values: true, false, yes, no

Validate certificate validity period

Default value: true

identity

Identtity which certificate should represent (eg domain name). Certificate Common Name or any of DNS names must match identity field

path

namevar

The path to the certificate to manage. Must be fully qualified.

pkey

The path to the private key to use. Must be fully qualified.

provider

The specific backend to use for this sslcertificate resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

replace

Valid values: true, false, yes, no

Whether to replace a certificate file that already exists on the local system but which content doesn't match what the content attribute specifies. Set this to false allows Sslcertificate resources to initialize certificate file without overwriting it (for example, by updating it with IM CA). Note that this only affects content; Puppet will still manage ownership and permissions. Defaults to true.

Default value: true

rootca

Valid values: true, false, yes, no

Whether to place Root CA certificate into certificate file or not

Default value: false

strict

Valid values: true, false, yes, no

Strictly validate over root CA bundle

Default value: true

subject_hash

Certificate subject hash (read only)

subject_hash_old

Certificate subject hash for old algorithm (read only)

sslkey

Encrypted private key password

Properties

The following properties are available in the sslkey type.

content

Private Key content

ensure

Valid values: absent, present

The basic property that the resource should be in.

Default value: present

password

Encrypted private key password

Parameters

The following parameters are available in the sslkey type.

path

namevar

The path to the private key to manage. Must be fully qualified.

provider

The specific backend to use for this sslkey resource. You will seldom need to specify this --- Puppet will usually discover the appropriate provider for your platform.

replace

Valid values: true, false, yes, no

Whether to replace a private key file that already exists on the local system but whose content doesn't match what the content attribute specifies. Setting this to false allows Sslkey resources to initialize private key file without overwriting already existing. Note that this only affects content; Puppet will still manage ownership and permissions. Defaults to true.

Default value: true

Functions

tlsinfo::certpath

Type: Ruby 4.x API

The tlsinfo::certpath function.

tlsinfo::certpath(String $cert, Optional[Stdlib::Unixpath] $basepath)

The tlsinfo::certpath function.

Returns: Any

cert

Data type: String

basepath

Data type: Optional[Stdlib::Unixpath]

tlsinfo::keypath

Type: Ruby 4.x API

The tlsinfo::keypath function.

tlsinfo::keypath(String $cert, Optional[Stdlib::Unixpath] $basepath)

The tlsinfo::keypath function.

Returns: Any

cert

Data type: String

basepath

Data type: Optional[Stdlib::Unixpath]

tlsinfo::lookup

Type: Ruby 4.x API

The tlsinfo::lookup function.

tlsinfo::lookup(String $key, Optional[Boolean] $private)

The tlsinfo::lookup function.

Returns: Any

key

Data type: String

private

Data type: Optional[Boolean]

tlsinfo::normalize

Type: Ruby 4.x API

The tlsinfo::normalize function.

tlsinfo::normalize(String $name)

The tlsinfo::normalize function.

Returns: Any

name

Data type: String

Plans

tlsinfo::update

Update certificate and private key. Works only in conjuction with Hiera

Parameters

The following parameters are available in the tlsinfo::update plan.

targets

Data type: TargetSpec

Nodes on which certificate should be installed

lookupkey

Data type: String

Certificate for which lookup inside Hiera. In most cases it is subject common name

restart_nginx

Data type: Boolean

Flag whether to restart Nginx or not

Default value: false

Changelog

All notable changes to this project will be documented in this file.

Release 0.3.6

Features

Bugfixes

• Updated dependencies' versions

Known Issues

Release 0.3.7

Features

Bugfixes

• Updated plan to match latest puppet module changes

Known Issues

Release 0.4.0

Features

• PDK upgrade to 3.0.0

Bugfixes

• Updated dependencies

Known Issues

Release 0.5.0

Features

• Use bsys for certbase and keybase

Bugfixes

Known Issues

Release 0.6.0

Features

• Added some types to operate CFSSL configuration

Bugfixes

Known Issues

Release 0.6.1

Features

Bugfixes

• Bugfix: in Tlsinfo::Signing fix for default keyword

Known Issues

Release 0.7.0

Features

• Added Bolt plan tlsinfo::cfssl

Bugfixes

Known Issues

Release 0.8.0

Features

• Added tlsinfo::cfssl::ca_config to manage CA configuration for CFSSL

Bugfixes

Known Issues