An update on these instructions - I managed to get it working and had a couple of tips that might help others:
The format of the block in the vault used for the certificate requires each line of the certificate and PK data to be indented:
    ssl_secrets:
      certs:
        my_site: |
          -----BEGIN CERTIFICATE-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          -----END CERTIFICATE-----
      private_keys:
        my_site: |
          -----BEGIN PRIVATE KEY-----
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
          -----END PRIVATE KEY-----
Also, when running the deploy_proxy playbook, it failed consistently the first time it was run (the check passes fine) at this step and with this error:
RUNNING HANDLER [nginx : check nginx configuration] *********************************************************************************************************************
fatal: [197.211.237.144]: FAILED! => {"changed": true, "cmd": "nginx -t", "delta": "0:00:00.020224", "end": "2019-09-04 10:59:14.553887", "failed_when_result": true, "msg": "non-zero return code", "rc": 1, "start": "2019-09-04 10:59:14.533663", "stderr": "nginx: [emerg] cannot load certificate key \"/etc/pki/tls/private/monolith_nginx_commcarehq.org.key\": PEM_read_bio_PrivateKey() failed (SSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode)\nnginx: configuration file /etc/nginx/nginx.conf test failed", "stderr_lines": ["nginx: [emerg] cannot load certificate key \"/etc/pki/tls/private/monolith_nginx_commcarehq.org.key\": PEM_read_bio_PrivateKey() failed (SSL: error:09091064:PEM routines:PEM_read_bio_ex:bad base64 decode)", "nginx: configuration file /etc/nginx/nginx.conf test failed"], "stdout": "", "stdout_lines": []}
Running the same playbook again succeeds.
EDIT
This failure may relate to an older private key (already written to disk) that was indeed in the wrong format. That said, it's not clear why, after updating the vault with the correct key, it fails on first deploy but not on second.
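
A check that can be run on the decrypted certificate or key text before deploying, as an added example that is not part of the original post or of the project's tooling: it verifies the PEM boundary lines and that the body decodes as base64, the condition `nginx -t` reported above as "bad base64 decode". The names `check_pem` and `sample_pem` are hypothetical, and the sample block is constructed from arbitrary bytes rather than a real key.

```python
import base64
import binascii
import re

# A PEM boundary line has exactly five dashes on each side of the label.
BOUNDARY = re.compile(r"-----(BEGIN|END) ([A-Z0-9 ]+)-----")


def check_pem(text):
    """Return a list of problems in one PEM block (empty list = well-formed)."""
    problems = []
    lines = text.strip("\n").split("\n")
    if any(ln != ln.strip() for ln in lines):
        problems.append("stray whitespace around a line")
    lines = [ln.strip() for ln in lines]
    head = BOUNDARY.fullmatch(lines[0])
    tail = BOUNDARY.fullmatch(lines[-1])
    if not head or head.group(1) != "BEGIN":
        problems.append("bad BEGIN line: %r" % lines[0])
    if not tail or tail.group(1) != "END":
        problems.append("bad END line: %r" % lines[-1])
    if head and tail and head.group(2) != tail.group(2):
        problems.append("BEGIN/END labels differ")
    try:
        # validate=True rejects any character outside the base64 alphabet.
        base64.b64decode("".join(lines[1:-1]), validate=True)
    except binascii.Error as exc:
        problems.append("body is not valid base64: %s" % exc)
    return problems


def sample_pem(label="PRIVATE KEY"):
    """Constructed stand-in: base64 of arbitrary bytes, not a real key."""
    b64 = base64.b64encode(bytes(range(96))).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return "-----BEGIN %s-----\n%s\n-----END %s-----\n" % (label, body, label)


if __name__ == "__main__":
    good = sample_pem()
    rows = good.split("\n")
    rows[1] = rows[1][:-1]  # drop one body character, as a bad paste might
    for name, text in (("intact", good), ("damaged", "\n".join(rows))):
        print(name, check_pem(text) or "ok")
```

This only checks framing and encoding; it does not confirm that the key is usable or that it matches the certificate.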