Subdir for ssl certs #80

Closed
igoraj opened this issue Jun 28, 2013 · 7 comments · Fixed by #623

Comments

@igoraj
Contributor

igoraj commented Jun 28, 2013

If you have a lot of SSL vhosts, /etc/nginx tends to be overcrowded with *.crt and *.key files. Just for housekeeping's sake I think it would be better to create a subdir under ${nginx::params::nx_conf_dir}, e.g. ${nginx::params::nx_conf_dir}/ssl, and keep all cert files there, or even make that one a separate param, e.g. ${nginx::params::nx_ssl_cert_dir} or something.

What do you guys think about this?

@jfryman
Contributor

jfryman commented Jul 1, 2013

I absolutely like the concept. I'd be more apt to use a separate param in the event that someone wants to store SSL certs somewhere more LSB-like, or in an already existing or managed SSL directory. (Might be good to do an ensure_resource call on the directory for management to avoid stepping on toes and whatnot).

Wanna work up a PR? Happy to help with this as well.

@igoraj
Contributor Author

igoraj commented Jul 2, 2013

Sure that makes sense. I can prepare it, sure.

@schkovich

Why copy certificates? I would stick to KISS and assign the user-given paths directly to the corresponding nginx configuration keys. Compare Fork. I made a few more changes but you will figure it out. :)

@abraham1901
Contributor

Why? Automatically deploying the SSL key from Puppet is KISS.

@schkovich

I agree. However, copying the SSL key and certificate around is not. It is an extra step.

Furthermore, copying certificates to the nginx folder enforces a specific configuration which might or might not be desirable. The default SSL key/cert location on both Debian and Red Hat is /etc/ssl.

Where the SSL key/cert reside is not the concern of the nginx module. The module should only update the vhost configuration based on user input and not move the SSL key/cert around. It is up to the user to manage certificates.

Copying certificates is not transparent. Let's say that the key/cert are in /etc/ssl. A few months later the certificate expires. The user will update the certificate at /etc/ssl, completely unaware that the certificates were actually copied and that nginx will continue to read the copies.
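
The stale-copy failure described in the comment above, as an added example that is not part of the thread or of the module's code: a check that compares the cert/key files nginx reads against the directory the user maintains. The directory layout, the same-file-name convention between source and copy, and the sample contents are assumptions constructed for the demo.

```python
import hashlib
import tempfile
from pathlib import Path

CERT_SUFFIXES = {".crt", ".key", ".pem"}


def sha256_of(path: Path) -> str:
    """Hash the file contents; digests are compared, never printed."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def audit_copies(source_dir: Path, copy_dir: Path) -> dict:
    """Classify every cert/key file in copy_dir against source_dir.
    in_sync - copy is byte-identical to the source file of the same name
    stale   - source exists but differs (renewed in place after the copy)
    orphan  - no source of that name; nothing will ever refresh the copy
    """
    report = {}
    for copy in sorted(copy_dir.iterdir()):
        if not copy.is_file() or copy.suffix not in CERT_SUFFIXES:
            continue
        source = source_dir / copy.name  # assumption: copies keep the file name
        if not source.is_file():
            report[copy.name] = "orphan"
        elif sha256_of(source) == sha256_of(copy):
            report[copy.name] = "in_sync"
        else:
            report[copy.name] = "stale"
    return report


def demo() -> dict:
    """Constructed scenario: the cert is renewed in the source dir only."""
    with tempfile.TemporaryDirectory() as tmp:
        src, dst = Path(tmp, "ssl"), Path(tmp, "nginx")
        src.mkdir()
        dst.mkdir()
        for name, body in [("www.crt", b"cert-2013"), ("www.key", b"key-2013")]:
            (src / name).write_bytes(body)
            (dst / name).write_bytes(body)           # the copy step
        (dst / "old.crt").write_bytes(b"cert-2012")  # source since removed
        (src / "www.crt").write_bytes(b"cert-2014")  # renewed in source only
        return audit_copies(src, dst)


if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name}: {status}")
```

Run against real directories by calling `audit_copies(Path("/etc/ssl"), Path("/etc/nginx"))`; any `stale` entry is a file nginx is still serving after the source was replaced.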

@igoraj
Contributor Author

igoraj commented Nov 12, 2013

Yep, I agree, you guys have a valid point, this module should provide only a means to specify a path to your cert dir which should default to whatever is distro default. @jfryman what do you think about this?

@3flex
Contributor

3flex commented Apr 10, 2015

Hi, please add any relevant comments to #599 regarding how the module will treat SSL certificates going forward.
