
acme-chief: support for generating a concatenated cert/key file
Closed, Resolved · Public

Description

For some use cases, it is interesting to have a concatenated cert/key file. This single file is mandatory in some services, like haproxy in version 1.8. We are using haproxy with TLS in T195217: Simplify ingress methods for PAWS.

We don't have any puppet code to generate such a file, which however should be rather easy to generate with something like $ cat file.cert file.key > concat.pem.
The generated file should be regenerated when the source original cert files change, and the generated file should notify the same puppet resources as the original cert files.
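
An added example, not part of the task description and not acme-chief or Puppet code: one way to build the concatenated file described above so that the private key never sits in a world-readable or half-written file, and so the caller can tell whether dependent services need a notification. The function name, return codes and paths are assumptions made for illustration.

```sh
#!/bin/sh
# Added example (not acme-chief or Puppet code). The function name, return
# codes and all paths are assumptions made for illustration.
#
# concat_cert_key CERT KEY OUT
#   0 = OUT written (caller should reload the service, e.g. haproxy)
#   1 = OUT already up to date, nothing to notify
#   2 = bad input or write failure, OUT left untouched
concat_cert_key() {
    cert=$1; key=$2; out=$3
    # Refuse inputs that do not carry the expected PEM blocks.
    grep -q -- '-----BEGIN CERTIFICATE-----' "$cert" || return 2
    grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$key" || return 2
    # mktemp creates the file with mode 0600, so the key is never
    # world-readable, and it lives next to OUT so mv is a same-dir rename.
    tmp=$(mktemp "$out.XXXXXX") || return 2
    {
        cat "$cert"
        # Plain cat fuses the END and BEGIN lines when the certificate
        # file has no final newline; add one in that case.
        [ -z "$(tail -c 1 "$cert")" ] || echo
        cat "$key"
    } > "$tmp" || { rm -f "$tmp"; return 2; }
    # Unchanged content: keep the old file (and its mtime), notify nobody.
    if [ -f "$out" ] && cmp -s "$tmp" "$out"; then
        rm -f "$tmp"
        return 1
    fi
    # Rename is atomic: a reader sees the old or the new file, never half.
    mv -f "$tmp" "$out" || { rm -f "$tmp"; return 2; }
}

# Demo on constructed placeholder files (not real key material).
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'constructed' \
        '-----END CERTIFICATE-----' > "$d/file.cert"
    printf '%s\n' '-----BEGIN EC PRIVATE KEY-----' 'constructed' \
        '-----END EC PRIVATE KEY-----' > "$d/file.key"
    concat_cert_key "$d/file.cert" "$d/file.key" "$d/concat.pem" \
        && echo "written: reload service"
    concat_cert_key "$d/file.cert" "$d/file.key" "$d/concat.pem" \
        || echo "second run: rc=$? (1 means unchanged)"
    rm -rf "$d"
fi
```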

Event Timeline

Restricted Application added a subscriber: Aklapper. Jun 12 2020, 10:37 AM
Vgutierrez triaged this task as Medium priority. Jun 12 2020, 10:38 AM

Change 605237 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] acme_chief,x509: Provide .crt.key file support

https://gerrit.wikimedia.org/r/605237

Change 605254 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] api: Allow acme-chief clients to fetch .crt.key files

https://gerrit.wikimedia.org/r/605254

Change 605237 merged by Vgutierrez:
[operations/software/acme-chief@master] acme_chief,x509: Provide .crt.key file support

https://gerrit.wikimedia.org/r/605237

Change 605254 merged by Vgutierrez:
[operations/software/acme-chief@master] api: Allow acme-chief clients to fetch .crt.key files

https://gerrit.wikimedia.org/r/605254

Change 605577 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@master] Release 0.26

https://gerrit.wikimedia.org/r/605577

Change 605577 merged by Vgutierrez:
[operations/software/acme-chief@master] Release 0.26

https://gerrit.wikimedia.org/r/605577

Change 605579 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] acme_chief,x509: Provide .crt.key file support

https://gerrit.wikimedia.org/r/605579

Change 605580 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] api: Allow acme-chief clients to fetch .crt.key files

https://gerrit.wikimedia.org/r/605580

Change 605581 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] Release 0.26

https://gerrit.wikimedia.org/r/605581

Change 605582 had a related patch set uploaded (by Vgutierrez; owner: Vgutierrez):
[operations/software/acme-chief@debian] debian: Add release 0.26 to changelog

https://gerrit.wikimedia.org/r/605582

Change 605579 merged by Vgutierrez:
[operations/software/acme-chief@debian] acme_chief,x509: Provide .crt.key file support

https://gerrit.wikimedia.org/r/605579

Change 605580 merged by Vgutierrez:
[operations/software/acme-chief@debian] api: Allow acme-chief clients to fetch .crt.key files

https://gerrit.wikimedia.org/r/605580

Change 605581 merged by Vgutierrez:
[operations/software/acme-chief@debian] Release 0.26

https://gerrit.wikimedia.org/r/605581

Change 605582 merged by Vgutierrez:
[operations/software/acme-chief@debian] debian: Add release 0.26 to changelog

https://gerrit.wikimedia.org/r/605582

Mentioned in SAL (#wikimedia-operations) [2020-06-15T12:46:04Z] <vgutierrez> upload acme-chief 0.26 to apt.wm.o (buster) - T255249

Vgutierrez closed this task as Resolved. Mon, Jun 15, 12:57 PM

This seems to be working (from my tests on acmechief-test1001):

root@acmechief-test1001:/var/lib/acme-chief/certs/mirrors/new# grep "BEGIN EC PRIVATE KEY" ec-prime256v1.crt.key
-----BEGIN EC PRIVATE KEY-----
root@acmechief-test1001:/var/lib/acme-chief/certs/mirrors/new# grep "BEGIN CERT" ec-prime256v1.crt.key
-----BEGIN CERTIFICATE-----

Please do not forget to restart acme-chief and uwsgi-acme-chief after upgrading to version 0.26. This change will only be visible on certs reissued after the upgrade to 0.26.