Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

config.ssl_pem_file doesn't work #274

Open
hunter86bg opened this issue Aug 31, 2022 · 1 comment
Open

config.ssl_pem_file doesn't work #274

hunter86bg opened this issue Aug 31, 2022 · 1 comment

Comments

@hunter86bg
Copy link

According to README.md the construct config.ssl_pem_file should work by providing the path to the pem file, yet I got only:

Running handlers:
[2022-08-31T11:21:05+03:00] ERROR: Running exception handlers
Running handlers complete
[2022-08-31T11:21:05+03:00] ERROR: Exception handlers complete
Infra Phase failed. 0 resources updated in 04 seconds
[2022-08-31T11:21:05+03:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2022-08-31T11:21:05+03:00] FATAL: ---------------------------------------------------------------------------------------
[2022-08-31T11:21:05+03:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2022-08-31T11:21:05+03:00] FATAL: ---------------------------------------------------------------------------------------
[2022-08-31T11:21:05+03:00] FATAL: OpenSSL::PKey::RSAError: read_vault[Read secret at secret/my-app] (secret::create_secret line 38) had an error: OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error

Maybe I'm missing something but so far I managed to make it work with ENV['SSL_CERT_FILE'].

NOT WORKING:

# Needed due to https://github.com/hashicorp/vault-ruby/issues/273 
require 'tempfile'
temp_cert_file = Tempfile.new('tempfile')
Dir.glob(['/etc/ssl/certs/*.crt',
          '/etc/ssl/certs/*.pem',
          '/etc/chef/trusted_certs/*.crt',
          '/etc/chef/trusted_certs/*.pem']).each do |ca_cert|
  IO.copy_stream(ca_cert, temp_cert_file)
end

require 'vault'

Vault.configure do |config|
  config.ssl_pem_file = temp_cert_file.path
end

resource_name :read_vault
provides :read_vault
unified_mode true

property :path, String, required: true
property :address, String, required: true
property :token, String, required: true
property :role_name, String, required: false

action :read do
  # Need to set the vault address
  Vault.address = new_resource.address

  # Authenticate with the token
  Vault.token = new_resource.token
  if property_is_set?(:role_name) # Authenticate to Vault using the role_id
    approle_id = Vault.approle.role_id(new_resource.role_name)
    secret_id = Vault.approle.create_secret_id(new_resource.role_name).data[:secret_id]
    Vault.auth.approle(approle_id, secret_id)
  end
  # Attempt to read the secret
  secret = Vault.logical.read(new_resource.path)
  if secret.nil?
    raise "Could not read secret '#{new_resource.path}'!"
  end
  # Store the secret in memory only
  node.run_state[new_resource.path] = secret
  new_resource.updated_by_last_action(true)
end

WORKING:

# Needed due to https://github.com/hashicorp/vault-ruby/issues/273
require 'tempfile'
temp_cert_file = Tempfile.new('tempfile')
Dir.glob(['/etc/ssl/certs/*.crt',
          '/etc/ssl/certs/*.pem',
          '/etc/chef/trusted_certs/*.crt',
          '/etc/chef/trusted_certs/*.pem']).each do |ca_cert|
  IO.copy_stream(ca_cert, temp_cert_file)
end

ENV['SSL_CERT_FILE'] = temp_cert_file.path

require 'vault'

resource_name :read_vault
provides :read_vault
unified_mode true

property :path, String, required: true
property :address, String, required: true
property :token, String, required: true
property :role_name, String, required: false

action :read do
  # Need to set the vault address
  Vault.address = new_resource.address

  # Authenticate with the token
  Vault.token = new_resource.token
  if property_is_set?(:role_name) # Authenticate to Vault using the role_id
    approle_id = Vault.approle.role_id(new_resource.role_name)
    secret_id = Vault.approle.create_secret_id(new_resource.role_name).data[:secret_id]
    Vault.auth.approle(approle_id, secret_id)
  end
  # Attempt to read the secret
  secret = Vault.logical.read(new_resource.path)
  if secret.nil?
    raise "Could not read secret '#{new_resource.path}'!"
  end
  # Store the secret in memory only
  node.run_state[new_resource.path] = secret
  new_resource.updated_by_last_action(true)
end
@hunter86bg
Copy link
Author

Chef Client OS: RHEL9
Chef Infra Client: 17.10.3

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

No branches or pull requests

1 participant