From f601fd4a5494b22aba8edc3085a338feb67a9a2e Mon Sep 17 00:00:00 2001 From: Tom Hughes Date: Thu, 17 Oct 2013 18:29:23 +0100 Subject: [PATCH] Rework certificate handling --- cookbooks/apache/recipes/ssl.rb | 2 ++ cookbooks/ssl/attributes/default.rb | 2 +- cookbooks/ssl/recipes/default.rb | 36 +++++++++++++++++--------- cookbooks/tilecache/metadata.rb | 1 + cookbooks/tilecache/recipes/default.rb | 3 +++ roles/tilecache.rb | 4 --- 6 files changed, 31 insertions(+), 17 deletions(-) diff --git a/cookbooks/apache/recipes/ssl.rb b/cookbooks/apache/recipes/ssl.rb index 37bf822c5..a31ac0c06 100644 --- a/cookbooks/apache/recipes/ssl.rb +++ b/cookbooks/apache/recipes/ssl.rb @@ -17,6 +17,8 @@ # limitations under the License. # +node.default[:ssl][:certificate] = node[:ssl][:certificate] | [ "openstreetmap" ] + include_recipe "apache" include_recipe "ssl" diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb index c9f1dcd66..d7a4147a0 100644 --- a/cookbooks/ssl/attributes/default.rb +++ b/cookbooks/ssl/attributes/default.rb @@ -1 +1 @@ -default[:ssl][:certificate] = "openstreetmap" +default[:ssl][:certificates] = [] diff --git a/cookbooks/ssl/recipes/default.rb b/cookbooks/ssl/recipes/default.rb index a3a2708c4..81dea8b28 100644 --- a/cookbooks/ssl/recipes/default.rb +++ b/cookbooks/ssl/recipes/default.rb @@ -29,17 +29,29 @@ cookbook_file "/etc/ssl/certs/rapidssl.pem" do backup false end -cookbook_file "/etc/ssl/certs/#{node[:ssl][:certificate]}.pem" do - owner "root" - group "root" - mode 0444 - backup false -end +[ "openstreetmap", "tile.openstreetmap" ].each do |certificate| + if node[:ssl][:certificates].include?(certificate) + cookbook_file "/etc/ssl/certs/#{certificate}.pem" do + owner "root" + group "root" + mode 0444 + backup false + end -file "/etc/ssl/private/#{node[:ssl][:certificate]}.key" do - owner "root" - group "ssl-cert" - mode 0440 - content keys[node[:ssl][:certificate]].join("\n") - backup false + file "/etc/ssl/private/#{certificate}.key" do + owner "root" + group "ssl-cert" + mode 0440 + content keys[certificate].join("\n") + backup false + end + else + file "/etc/ssl/certs/#{certificate}.pem" do + action :delete + end + + file "/etc/ssl/private/#{certificate}.key" do + action :delete + end + end end diff --git a/cookbooks/tilecache/metadata.rb b/cookbooks/tilecache/metadata.rb index ce9c0e62a..39e123ef1 100644 --- a/cookbooks/tilecache/metadata.rb +++ b/cookbooks/tilecache/metadata.rb @@ -4,4 +4,5 @@ license "Apache 2.0" description "Installs and configures a tile cache" long_description IO.read(File.join(File.dirname(__FILE__), 'README.rdoc')) version "1.0.0" +depends "ssl" depends "squid" diff --git a/cookbooks/tilecache/recipes/default.rb b/cookbooks/tilecache/recipes/default.rb index 4015f9941..d1486adcf 100644 --- a/cookbooks/tilecache/recipes/default.rb +++ b/cookbooks/tilecache/recipes/default.rb @@ -17,6 +17,9 @@ # limitations under the License. # +node.default[:ssl][:certificate] = node[:ssl][:certificate] | [ "tile.openstreetmap" ] + +include_recipe "ssl" include_recipe "squid" tilecaches = search(:node, "roles:tilecache").sort_by { |n| n[:hostname] } diff --git a/roles/tilecache.rb b/roles/tilecache.rb index 3f3f3f08d..daaaddf2c 100644 --- a/roles/tilecache.rb +++ b/roles/tilecache.rb @@ -2,9 +2,6 @@ name "tilecache" description "Role applied to all tile cache servers" default_attributes( - :ssl => { - :certificate => "tile.openstreetmap" - }, :sysctl => { :network_conntrack_time_wait => { :comment => "Only track completed connections for 30 seconds", @@ -23,6 +20,5 @@ default_attributes( run_list( "role[geodns]", - "recipe[ssl]", "recipe[tilecache]" ) -- 2.39.5