config.ssl_pem_file doesn't work #274

@hunter86bg

Description

According to README.md the construct config.ssl_pem_file should work by providing the path to the pem file, yet I got only:

Running handlers:
[2022-08-31T11:21:05+03:00] ERROR: Running exception handlers
Running handlers complete
[2022-08-31T11:21:05+03:00] ERROR: Exception handlers complete
Infra Phase failed. 0 resources updated in 04 seconds
[2022-08-31T11:21:05+03:00] FATAL: Stacktrace dumped to /var/chef/cache/chef-stacktrace.out
[2022-08-31T11:21:05+03:00] FATAL: ---------------------------------------------------------------------------------------
[2022-08-31T11:21:05+03:00] FATAL: PLEASE PROVIDE THE CONTENTS OF THE stacktrace.out FILE (above) IF YOU FILE A BUG REPORT
[2022-08-31T11:21:05+03:00] FATAL: ---------------------------------------------------------------------------------------
[2022-08-31T11:21:05+03:00] FATAL: OpenSSL::PKey::RSAError: read_vault[Read secret at secret/my-app] (secret::create_secret line 38) had an error: OpenSSL::PKey::RSAError: Neither PUB key nor PRIV key: nested asn1 error

Maybe I'm missing something but so far I managed to make it work with ENV['SSL_CERT_FILE'].

NOT WORKING:

# Needed due to https://github.com/hashicorp/vault-ruby/issues/273
require 'tempfile'
temp_cert_file = Tempfile.new('tempfile')
Dir.glob(['/etc/ssl/certs/*.crt',
          '/etc/ssl/certs/*.pem',
          '/etc/chef/trusted_certs/*.crt',
          '/etc/chef/trusted_certs/*.pem']).each do |ca_cert|
  IO.copy_stream(ca_cert, temp_cert_file)
end
# Flush buffered writes so the file on disk is complete before its path is used
temp_cert_file.flush

require 'vault'

Vault.configure do |config|
  config.ssl_pem_file = temp_cert_file.path
end

resource_name :read_vault
provides :read_vault
unified_mode true

property :path, String, required: true
property :address, String, required: true
property :token, String, required: true
property :role_name, String, required: false

action :read do
  # Need to set the vault address
  Vault.address = new_resource.address

  # Authenticate with the token
  Vault.token = new_resource.token
  if property_is_set?(:role_name) # Authenticate to Vault using the role_id
    approle_id = Vault.approle.role_id(new_resource.role_name)
    secret_id = Vault.approle.create_secret_id(new_resource.role_name).data[:secret_id]
    Vault.auth.approle(approle_id, secret_id)
  end
  # Attempt to read the secret
  secret = Vault.logical.read(new_resource.path)
  if secret.nil?
    raise "Could not read secret '#{new_resource.path}'!"
  end
  # Store the secret in memory only
  node.run_state[new_resource.path] = secret
  new_resource.updated_by_last_action(true)
end

WORKING:

# Needed due to https://github.com/hashicorp/vault-ruby/issues/273
require 'tempfile'
temp_cert_file = Tempfile.new('tempfile')
Dir.glob(['/etc/ssl/certs/*.crt',
          '/etc/ssl/certs/*.pem',
          '/etc/chef/trusted_certs/*.crt',
          '/etc/chef/trusted_certs/*.pem']).each do |ca_cert|
  IO.copy_stream(ca_cert, temp_cert_file)
end
# Flush buffered writes so the file on disk is complete before its path is used
temp_cert_file.flush

ENV['SSL_CERT_FILE'] = temp_cert_file.path

require 'vault'

resource_name :read_vault
provides :read_vault
unified_mode true

property :path, String, required: true
property :address, String, required: true
property :token, String, required: true
property :role_name, String, required: false

action :read do
  # Need to set the vault address
  Vault.address = new_resource.address

  # Authenticate with the token
  Vault.token = new_resource.token
  if property_is_set?(:role_name) # Authenticate to Vault using the role_id
    approle_id = Vault.approle.role_id(new_resource.role_name)
    secret_id = Vault.approle.create_secret_id(new_resource.role_name).data[:secret_id]
    Vault.auth.approle(approle_id, secret_id)
  end
  # Attempt to read the secret
  secret = Vault.logical.read(new_resource.path)
  if secret.nil?
    raise "Could not read secret '#{new_resource.path}'!"
  end
  # Store the secret in memory only
  node.run_state[new_resource.path] = secret
  new_resource.updated_by_last_action(true)
end
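An added example of my own, not code from the issue or from vault-ruby: it builds the CA bundle the way the resource above does (with the missing flush) and inspects what the resulting PEM contains before a config option is chosen, since vault-ruby parses `ssl_pem_file` as a client certificate plus private key (which is why a CA-only bundle produces the "Neither PUB key nor PRIV key" error above), while a CA bundle belongs in `ssl_ca_cert` or SSL_CERT_FILE. The `ssl_ca_cert` option name is taken from the gem's README; confirm it against the version in use. The self-signed certificate is constructed in a scratch directory purely for the demo.

```ruby
require 'openssl'
require 'tempfile'
require 'tmpdir'

# Concatenate every cert matching the globs into one temp file, as the issue's
# resource does, but flush it so the path can be read straight away.
def build_ca_bundle(globs)
  bundle = Tempfile.new(['ca-bundle', '.pem'])
  Dir.glob(globs).sort.each { |path| IO.copy_stream(path, bundle) }
  bundle.flush
  bundle
end

# Inspect a PEM file before choosing a config option: returns [kind, cert_count],
# kind being :ca_bundle (certs only -> ssl_ca_cert / SSL_CERT_FILE), :client_pem
# (cert plus private key -> ssl_pem_file), :key_only or :empty.
def classify_pem(path)
  data = File.read(path)
  certs = data.scan(/-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----/m)
  keys  = data.scan(/-----BEGIN (?:RSA |EC )?PRIVATE KEY-----/)
  certs.each { |pem| OpenSSL::X509::Certificate.new(pem) } # raises on malformed PEM
  kind = if certs.any? && keys.any? then :client_pem
         elsif certs.any?            then :ca_bundle
         elsif keys.any?             then :key_only
         else                             :empty
         end
  [kind, certs.size]
end

# Constructed sample: a throwaway self-signed CA certificate (not a real trust root).
def self_signed_ca_pem
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=Constructed Root CA')
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  [cert.to_pem, key.to_pem]
end

# Build a bundle from a scratch directory holding only the CA cert and classify it.
def demo
  Dir.mktmpdir do |dir|
    File.write(File.join(dir, 'root.crt'), self_signed_ca_pem.first)
    classify_pem(build_ca_bundle([File.join(dir, '*.crt'), File.join(dir, '*.pem')]).path)
  end
end
```

Running `demo` on the constructed directory yields `[:ca_bundle, 1]`, i.e. a file that should go to `ssl_ca_cert` rather than `ssl_pem_file`.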
