default[:apache][:listen_address] = "*"
-default[:apache][:ssl][:certificate] = "openstreetmap"
-
default[:apache][:buffered_logs] = true
# limitations under the License.
#
-certificate = node[:apache][:ssl][:certificate]
-
-node.default[:ssl][:certificates] = node[:ssl][:certificates] | [certificate]
-
include_recipe "apache"
include_recipe "ssl"
apache_conf "ssl" do
template "ssl.erb"
- variables :certificate => certificate
notifies :reload, "service[apache2]"
end
-
-apache = resources("service[apache2]")
-
-apache.subscribes(:restart, "file[/etc/ssl/certs/#{certificate}.pem]")
-apache.subscribes(:restart, "file[/etc/ssl/private/#{certificate}.key]")
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
-SSLCipherSuite <%= node[:ssl][:ciphers] -%>
-
-SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
-SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
+SSLCipherSuite <%= node[:ssl][:ciphers] %>
<% if node[:lsb][:release].to_f < 16.04 -%>
+
SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem
<% end -%>
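Review bot: With `SSLCertificateFile`/`SSLCertificateKeyFile` dropped from this shared `ssl.erb`, Apache has no global certificate any more, so every SSL-enabled virtual host must now carry its own pair or `apache2` will refuse to (re)start; the `ssl_certificate` resources elsewhere in this commit presumably supply them, but nothing in the template records that. I would add a comment at the top of the template: `# No global certificate here: each SSL vhost must set SSLCertificateFile/SSLCertificateKeyFile (see the ssl_certificate resources).` The blank line added inside the `<% if ... -%>` block is only emitted on releases before 16.04 and looks accidental. Separately, the context line `SSLProtocol All -SSLv2 -SSLv3` still admits TLS 1.0 and 1.1; since the template is being reworked this is a good moment to tighten it to `SSLProtocol All -SSLv2 -SSLv3 -TLSv1 -TLSv1.1` once client support has been checked.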
ssl_certificate "blogs.openstreetmap.org" do
domains "blogs.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "irc.openstreetmap.org" do
domains "irc.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "chef.openstreetmap.org" do
domains ["chef.openstreetmap.org", "chef.osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "dns.openstreetmap.org" do
domains "dns.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "forum.openstreetmap.org" do
domains ["forum.openstreetmap.org", "forum.osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "operations.osmfoundation.org" do
domains "operations.osmfoundation.org"
- fallback_certificate "osmfoundation"
notifies :reload, "service[apache2]"
end
ssl_certificate node[:git][:host] do
domains node[:git][:host]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
"gps-a.tile.openstreetmap.org",
"gps-b.tile.openstreetmap.org",
"gps-c.tile.openstreetmap.org"]
- fallback_certificate "tile.openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate details[:site] do
domains details[:site]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "lists.openstreetmap.org" do
domains "lists.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
"nominatim.openstreetmap.net",
"nominatim.openstreetmaps.org",
"nominatim.openmaps.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate site_name do
domains site_name
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate site do
domains site
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "piwik.openstreetmap.org" do
domains ["piwik.openstreetmap.org", "piwik.osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "planet.openstreetmap.org" do
domains ["planet.openstreetmap.org", "planet.osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate "hardware.openstreetmap.org" do
domains "hardware.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
-default[:ssl][:certificates] = []
default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMTMxMjExMjM0NTUxWhcNMjIwNTIwMjM0NTUxWjBCMQswCQYDVQQG
-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSUmFwaWRTU0wg
-U0hBMjU2IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1jBEgEu
-l9h9GKrIwuWF4hdsYC7JjTEFORoGmFbdVNcRjFlbPbFUrkshhTIWX1SG5tmx2GCJ
-a1i+ctqgAEJ2sSdZTM3jutRc2aZ/uyt11UZEvexAXFm33Vmf8Wr3BvzWLxmKlRK6
-msrVMNI4/Bk7WxU7NtBDTdFlodSLwWBBs9ZwF8w5wJwMoD23ESJOztmpetIqYpyg
-C04q18NhWoXdXBC5VD0tA/hJ8LySt7ecMcfpuKqCCwW5Mc0IW7siC/acjopVHHZD
-dvDibvDfqCl158ikh4tq8bsIyTYYZe5QQ7hdctUoOeFTPiUs2itP3YqeUFDgb5rE
-1RkmiQF1cwmbOwIDAQABo4IBSjCCAUYwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwR
-fap9ZbjKzE4wHQYDVR0OBBYEFJfCJ1CewsnsDIgyyHyt4qYBT9pvMBIGA1UdEwEB
-/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMDYGA1UdHwQvMC0wK6ApoCeGJWh0
-dHA6Ly9nMS5zeW1jYi5jb20vY3Jscy9ndGdsb2JhbC5jcmwwLwYIKwYBBQUHAQEE
-IzAhMB8GCCsGAQUFBzABhhNodHRwOi8vZzIuc3ltY2IuY29tMEwGA1UdIARFMEMw
-QQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0
-LmNvbS9yZXNvdXJjZXMvY3BzMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1h
-bnRlY1BLSS0xLTU2OTANBgkqhkiG9w0BAQsFAAOCAQEANevhiyBWlLp6vXmp9uP+
-bji0MsGj21hWID59xzqxZ2nVeRQb9vrsYPJ5zQoMYIp0TKOTKqDwUX/N6fmS/Zar
-RfViPT9gRlATPSATGC6URq7VIf5Dockj/lPEvxrYrDrK3maXI67T30pNcx9vMaJR
-BBZqAOv5jUOB8FChH6bKOvMoPF9RrNcKRXdLDlJiG9g4UaCSLT+Qbsh+QJ8gRhVd
-4FB84XavXu0R0y8TubglpK9YCa81tGJUheNI3rzSkHp6pIQNo0LyUcDUrVNlXWz4
-Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4lecWLVtXjCYDqwSfC2Q7sRwrp0Mr8
-2A==
------END CERTIFICATE-----
+++ /dev/null
------BEGIN CERTIFICATE-----
-MIIF2TCCA8GgAwIBAgIHHKs2Ry2cUTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
-EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
-Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NzA5WhcNMjIxMDE0MjA1
-NzA5WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
-BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
-BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4I
-PlfyiAEhG5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENV
-sTUJm9m8H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1k
-s3RVG7RLhiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125
-w2oLJxGEd2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhH
-M7BUxkYa8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQp
-Z4rEAwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAQYwHQYDVR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaA
-FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
-AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
-Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
-OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
-b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQBSyb3zvcv566LEMsqGcvzPv6cw
-tf2R99WB4SEErQBM/+mLJ9r/8iTN/B8Pf9LR5YGSI3gW7msDLp0ASE+ugmUuh2/u
-agdfS1Zu95ZGQebd/kW5Yiqainbprb3Wc7O8MSvQLNVsa7xqOiWHqailDdeF8Wxs
-BQ70wWjLuyqBWKU+mcSf9x+EjqB60U3buAGcDYE0yoL+I2JNP22kUsBMXvJpSLHy
-36xEZGmwRinHrfDywJ1oI4qoZ3EiF77OiXp2vlRsk1yL8Bpuru2OrsIFrhNX5rnn
-cMgzuJ79SjDjmNQTa+5Ouebs387qoJ52apeq6t80RUL12k3Wh3Zt/85phnqBX9uy
-T86w4GdgOUSwRRCFZZcSed/Ul9h4IQyEmM67T2sPGdqFaZFBbBccxrn2FK7yoYB6
-4umV7yKKzP842/whVuyA/W2ihZEpA+qrA70sYESCADXnFGx2O0CDVdVc38coo1nV
-iXg+D+AG/dVXiiQcp2I4HYWTS/mTf/NE+mOYnu0miZ32/vhDbCX/B/kSPJ4RsNOA
-7uyrOwykcgOSFDbpvuaKOpGLrQwGqLODgm+p9TY5giMMjur9XH7TS1wz02dIz07u
-y2NwYWdV67vcnAt6QxRISap5RbaPviyQZxz4nFaSlTAwHoPaW1yuVS11tmsROMlR
-RNvbaAxIU4U67YaZSw==
------END CERTIFICATE-----
# limitations under the License.
#
-keys = data_bag_item("ssl", "keys")
-certs = data_bag_item("ssl", "certs")
-
package "openssl"
package "ssl-cert"
-%w(letsencrypt rapidssl startcom dhparam).each do |certificate|
+%w(letsencrypt dhparam).each do |certificate|
cookbook_file "/etc/ssl/certs/#{certificate}.pem" do
owner "root"
group "root"
end
end
-["openstreetmap", "tile.openstreetmap", "osmfoundation"].each do |certificate|
- if node[:ssl][:certificates].include?(certificate)
- file "/etc/ssl/certs/#{certificate}.pem" do
- owner "root"
- group "root"
- mode 0o444
- content certs[certificate].join("\n")
- backup false
- end
-
- file "/etc/ssl/private/#{certificate}.key" do
- owner "root"
- group "ssl-cert"
- mode 0o440
- content keys[certificate].join("\n")
- backup false
- end
- else
- file "/etc/ssl/certs/#{certificate}.pem" do
- action :delete
- end
+["openstreetmap", "tile.openstreetmap", "osmfoundation", "rapidssl", "startcom"].each do |certificate|
+ file "/etc/ssl/certs/#{certificate}.pem" do
+ action :delete
+ end
- file "/etc/ssl/private/#{certificate}.key" do
- action :delete
- end
+ file "/etc/ssl/private/#{certificate}.key" do
+ action :delete
end
end
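Review bot: The new delete loop removes the deployed wildcard certificates and keys from each host, but the commit does nothing about the copies that fed them: the `data_bag_item("ssl", "keys")` / `("ssl", "certs")` reads are gone, so the `openstreetmap`, `tile.openstreetmap` and `osmfoundation` private keys presumably still sit in the `ssl` data bag with no remaining consumer. Since those keys were written to every node that listed them in `node[:ssl][:certificates]`, a follow-up should revoke those certificates and purge the data bag items rather than leave them in place. Two entries in the new list, `rapidssl` and `startcom`, were intermediate CA bundles that only ever had a `.pem`, so the `/etc/ssl/private/#{certificate}.key` delete for them is a harmless no-op; a short comment on the loop, `# Retired wildcard certs/keys and old CA bundles: remove if still present`, would make that intent clear.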
property :name, String
property :domains, [String, Array], :required => true
-property :fallback_certificate, String
action :create do
node.default[:letsencrypt][:certificates][name] = {
manage_symlink_source false
force_unlink true
end
- elsif fallback_certificate
- link "/etc/ssl/certs/#{name}.pem" do
- to "#{fallback_certificate}.pem"
- end
-
- link "/etc/ssl/private/#{name}.key" do
- to "#{fallback_certificate}.key"
- end
else
template "/tmp/#{name}.ssl.cnf" do
cookbook "ssl"
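Review bot: Removing the `elsif fallback_certificate` branch means a site whose Let's Encrypt certificate has not been issued yet now drops into the remaining `else` branch, which renders `/tmp/#{name}.ssl.cnf` and, by the look of it, generates a certificate locally, so such hosts will serve an untrusted certificate instead of the old wildcard until the first successful issuance. That is fine as an end state but is a deployment-ordering risk worth stating in the commit message, or guarding by converging hosts only after `node[:letsencrypt][:certificates]` has been populated for them. Any caller still passing `fallback_certificate` should now fail at compile time rather than silently link to a deleted file, which is the desirable outcome; I would add above `property :domains`: `# Certificates come from Let's Encrypt (or a locally generated one while waiting); there is no longer a fallback to a shared wildcard cert.` The `if` condition guarding this chain and the start of the `action :create` body are outside the hunk.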
ssl_certificate "stats.openstreetmap.org" do
domains ["stats.openstreetmap.org", "stats.osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate site_name do
domains site_name
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
ssl_certificate site_name do
domains site_name
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
"a.tile.openstreetmap.org",
"b.tile.openstreetmap.org",
"c.tile.openstreetmap.org"]
- fallback_certificate "tile.openstreetmap"
notifies :restart, "service[nginx]"
end
ssl_certificate "trac.openstreetmap.org" do
domains "trac.openstreetmap.org"
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end
domains ["www.openstreetmap.org", "www.osm.org",
"api.openstreetmap.org", "api.osm.org",
"openstreetmap.org", "osm.org"]
- fallback_certificate "openstreetmap"
notifies :reload, "service[apache2]"
end