- From: Sean OMeara
- To:
- Subject: [chef] Re: Re: Re: distribute ssl certs using encrypted data bags
- Date: Sat, 7 Jan 2012 02:35:43 +0000
Re: Sticking certificates in databags:
cat /your/private/key | sed s/$/\\\\n/ | tr -d '\n'
copy and paste into your JSON =)
-s
On Sat, Jan 7, 2012 at 12:19 AM, wrote:
>
> excellent! thanks brad. that got me the push i needed. this is working
> for me now. but i have a couple questions for you / the list.
>
> question 1 --
>
> when i cut n pasted the ASCII version of the cert into my json file,
> then "data bag from file'd" it, chef did not do any conversion on
> those newlines... if i understood you correctly. to illustrate:
>
> i pasted my cert:
>
> {
> "id":"aws-creds-gurf",
> "servercert":"MIICeDblahblahblahblahblahblah
> AlVTMRblahblahblahblahblahblah
> aklejblah="
> }
>
> knife data bag from file --secret-file ~/.chef/encrypted_data_bag_secret
> hush data_bags/hush/aws-creds-gurf.json
> ERROR: JSON::ParserError: 705: unexpected token at '{
>
> so to get this to work, i had to insert \n by hand:
> {
> "id":"aws-creds-gurf",
> "servercert":"MIICeDblahblahblahblahblahblah\nAlVTMRblahblahblahblahblahblah\naklejblah="
> }
>
> then json was happy. i wonder if i misunderstood what you meant by
> copy-pasting and chef doing some internal conversion. maybe the
> conversion happens at rendering time. did you insert \n by hand?
>
> question 2 --
>
> if it were important, how would i get rid of the final newline in
> my resulting pem file? the app that uses the cert and key is behaving
> ok with there being a final newline. but istr some anecdote about
> needing to NOT have a final newline character. or maybe i'm
> misremembering and this is a silly question.
>
>
> On Fri, 06 Jan 2012, Brad Knowles wrote:
>
> > On Jan 6, 2012, at 4:52 PM, wrote:
> >
> > > anyone have examples they can share on how they're disting ssl
> > > certificates from encrypted data bags? or, if not from data bags,
> > > how are you doing it?
> >
> > We're using encrypted data bags. Basically, just cut-n-paste the key
> > and the cert into an encrypted data bag, and then you have to put together
> > a recipe to pull that stuff out of the encrypted data bag and hand the
> > decrypted secret as a variable to your web.conf.erb template that is being
> > used by the apache2 cookbook to create the actual website(s) you're
> > serving.
> >
> > For a sample certs.rb file, see
> > <https://gist.github.com/b775da964e97a8b8c185>. The corresponding .crt
> > and .key files look like this:
> >
> > -----BEGIN CERTIFICATE-----
> > <%= @ssl_cert %>
> > -----END CERTIFICATE-----
> > Tue Dec 20 15:03:52 CST 2011
> >
> >
> > -----BEGIN RSA PRIVATE KEY-----
> > <%= @ssl_key %>
> > -----END RSA PRIVATE KEY-----
> > Tue Dec 20 15:05:49 CST 2011
> >
> >
> > The corresponding domain_ssl.json file might look something like this
> > (note that this is encrypted):
> >
> > {
> > "cert":
> > "za90CmUqQhVYYwP4xgxoGnCdKMvjqOBl7e52mcgoBmkA6ofsFnjR/9oQ0P9x\n...LOTS.OF.GARBAGE.DELETED...\n5F1/WZjp8LyIAooI9Cz2w1eDQwuax0w3xAvc\n",
> > "id": "domain_net_ssl",
> > "key":
> > "xRp8e8PNWfJFYzViJpqxF5+zwWrdm2roLxNtp75wh2so06nKzcuy3P0JvFV+\n...LOTS.OF.GARBAGE.DELETED...\nsgZdBrEsxAtgcH5A\n"
> > }
> >
> >
> > When stored in .json format, you will get the single continuous line like
> > that, with what appear to be embedded newline characters. However, you
> > cut-n-paste the ASCII text version of the certificates and keys when
> > you're creating the encrypted databag, and internally Chef will do the
> > conversion for you. Of course, once you create the encrypted data bag
> > directly on the chef server, you might want to then re-export that back
> > out to a local file that you can store in the encrypted format, which is
> > how I was able to provide the listing above.
> >
> > Works well for us.
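As an added example (not code from this thread, from Chef, or from Brad's gist), a Ruby script covering both questions above: it builds the data bag item JSON from a PEM file with the newlines escaped by the JSON library rather than by hand, and renders the item back through the same BEGIN/END template style with or without the final newline. The certificate text, item id and field name are constructed placeholders.

```ruby
require 'json'

# Constructed sample PEM for demonstration only; the base64 body is placeholder
# text, not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\n" \
             "MIICeDblahblahblahblahblahblah\n" \
             "AlVTMRblahblahblahblahblahblah\n" \
             "aklejblah=\n" \
             "-----END CERTIFICATE-----\n"

# Return the base64 body of a PEM block without the BEGIN/END armor lines, so a
# template like the .crt.erb quoted above can add the armor itself.
def pem_body(pem)
  lines = pem.lines.map(&:chomp)
  unless lines.size >= 3 &&
         lines.first.start_with?('-----BEGIN') && lines.last.start_with?('-----END')
    raise ArgumentError, 'input is not a single PEM block'
  end
  lines[1..-2].join("\n")
end

# Build the plaintext data bag item as JSON. JSON.generate escapes every
# embedded newline as the two characters \n (what had to be inserted by hand in
# question 1), so the output contains no literal newline at all.
def item_json(id, field, pem)
  JSON.generate('id' => id, field => pem_body(pem))
end

# Inverse direction, as a recipe/template would do it: parse the item and wrap
# the body with the armor lines again. trailing_newline decides whether the
# rendered file ends in "\n" (question 2); pass false to drop it.
def render_pem(json_text, field, armor, trailing_newline: true)
  body = JSON.parse(json_text).fetch(field)
  out = "-----BEGIN #{armor}-----\n#{body}\n-----END #{armor}-----"
  trailing_newline ? out + "\n" : out
end

if __FILE__ == $PROGRAM_NAME
  json = item_json('aws-creds-gurf', 'servercert', SAMPLE_PEM)
  puts json                                        # single-line JSON for knife
  puts render_pem(json, 'servercert', 'CERTIFICATE', trailing_newline: false)
end
```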