component/apache: deprecate ca-cert and crl. use ca-cert-dir and crl-dir instead.

component/apache/apache-backend.conf.in

@@ -23,15 +23,6 @@
  #       #  The path given to "SSLSessionCache shmcb:<folder_path>(512000)"
  #       "ssl-session-cache": "<folder_path>",
  #
- #       #  The path given to "SSLCACertificateFile" (can be empty)
- #       #  If this value is not empty, it enables client certificate check.
- #       #  (Enabling "SSLVerifyClient require")
- #       "ca-cert": "<file_path>",
- #
- #       #  The path given to "SSLCARevocationFile" (used if ca-cert is not
- #       #  empty)
- #       "crl": "<file_path>",
- #
  #       #  The path given to "SSLCACertificatePath" (can be empty)
  #       #  If this value is not empty, it enables client certificate check.
  #       #  (Enabling "SSLVerifyClient require")
@@ -78,7 +69,7 @@
  #  From to `backend-list`:
  #   - 0.0.0.0:8000 redirecting internaly to http://10.0.0.10:8001 and
  #   - [::1]:8000 redirecting internaly to http://10.0.0.10:8001
- #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert`.
+ #  only accepting requests from clients who provide a valid SSL certificate trusted in `ca-cert-dir`.
  #   - 0.0.0.0:8002 redirecting internaly to http://10.0.0.10:8003
  #   - [::1]:8002 redirecting internaly to http://10.0.0.10:8003
  #  accepting requests from any client.
@@ -92,9 +83,7 @@
  #  For more details, refer to
  #  https://docs.zope.org/zope2/zope2book/VirtualHosting.html#using-virtualhostroot-and-virtualhostbase-together
 -#}
-{% set ca_cert = parameter_dict.get('ca-cert') -%}
 {% set ca_cert_dir = parameter_dict.get('ca-cert-dir') -%}
-{% set crl = parameter_dict.get('crl') -%}
 {% set crl_dir = parameter_dict.get('crl-dir') -%}
 LoadModule unixd_module modules/mod_unixd.so
 LoadModule access_compat_module modules/mod_access_compat.so
@@ -146,24 +135,14 @@ SSLProxyEngine On
 
 # As backend is trusting Remote-User header unset it always
 RequestHeader unset Remote-User
-{% if ca_cert or ca_cert_dir -%}
+{% if ca_cert_dir -%}
 SSLVerifyClient optional
 RequestHeader set Remote-User %{SSL_CLIENT_S_DN_CN}s
 RequestHeader unset X-Forwarded-For "expr=%{SSL_CLIENT_VERIFY} != 'SUCCESS'"
-{%   if ca_cert -%}
-SSLCACertificateFile {{ ca_cert }}
-{%   endif -%}
-{%   if ca_cert_dir -%}
 SSLCACertificatePath {{ ca_cert_dir }}
-{%   endif -%}
-{%   if crl or crl_dir -%}
+{%   if crl_dir -%}
 SSLCARevocationCheck chain
-{%     if crl -%}
-SSLCARevocationFile {{ crl }}
-{%     endif -%}
-{%     if crl_dir -%}
 SSLCARevocationPath {{ crl_dir }}
-{%     endif -%}
 {%   endif -%}
 {% endif -%}
 
@@ -185,7 +164,7 @@ Listen {{ ip }}:{{ port }}
 {%   endfor -%}
 <VirtualHost *:{{ port }}>
   SSLEngine on
-{% if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%}
+{% if enable_authentication and ca_cert_dir -%}
   SSLVerifyClient require
 
   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined
@@ -204,7 +183,7 @@ Listen {{ ip }}:{{ port }}
 <VirtualHost {{ ip }}:{{ port }}>
   SSLEngine on
   Timeout 3600
-{%   if enable_authentication and (ca_cert or ca_cert_dir) and (crl or crl_dir) -%}
+{%   if enable_authentication and ca_cert_dir -%}
   SSLVerifyClient require
 
   LogFormat "%h %l %{REMOTE_USER}i %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %D" combined

component/apache/buildout.hash.cfg

@@ -14,5 +14,5 @@
 # not need these here).
 [template-apache-backend-conf]
 filename = apache-backend.conf.in
-md5sum = 4a13ad45e38e14ca7027c17192c90205
+md5sum = a169c1d6b0f2636f21f180e8a0b52137
 

software/cloudooo/buildout.hash.cfg

@@ -18,4 +18,4 @@ md5sum = 6e4431cf4b0a0d034402604b1e2844c0
 
 [template-cloudooo-instance]
 filename = instance-cloudooo.cfg.in
-md5sum = e01ee969a45d44d386653a9eb699cc59
+md5sum = 971bf5ab61012a5e227d3208f1717d3b

software/cloudooo/instance-cloudooo.cfg.in

@@ -110,9 +110,11 @@ cert = ${apache-ssl:cert}
 key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
+{% if ssl_parameter_dict.get('ca-cert') -%}
 # Client x509 auth
-ca-cert = ${apache-ssl-client:cert}
-crl = ${apache-ssl-client:crl}
+ca-cert-dir = ${apache-conf-ssl:ca-cert-dir}
+crl-dir = ${apache-conf-ssl:crl-dir}
+{% endif -%}
 
 [apache-promise]
 # Check any apache port in ipv4, expect other ports and ipv6 to behave consistently
@@ -127,8 +129,15 @@ config-http_code = 400
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
-ca-cert =  ${directory:apache-conf}/ca.crt
-crl = ${directory:apache-conf}/crl.pem
+{% if ssl_parameter_dict.get('ca-cert') -%}
+ca-cert-dir = ${directory:apache-ca-cert-dir}
+crl-dir = ${directory:apache-crl-dir}
+{{ simplefile('apache-ssl-ca', '${:ca-cert-dir}/ca.crt', ssl_parameter_dict['ca-cert']) }}
+{{ simplefile('apache-ssl-crl', '${:crl-dir}/crl.pem', ssl_parameter_dict['crl']) }}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:ca-cert-dir}"; "{{ parameter_dict['openssl'] }}/bin/c_rehash" "${apache-conf-ssl:crl-dir}"
+update-command = ${:command}
+{%- endif %}
 
 [apache-ssl]
 {% if ssl_parameter_dict.get('key') -%}
@@ -143,17 +152,6 @@ key = ${apache-conf-ssl:key}
 cert = ${apache-conf-ssl:cert}
 {%- endif %}
 
-[apache-ssl-client]
-{% if ssl_parameter_dict.get('ca-cert') -%}
-cert = ${apache-ssl-ca:rendered}
-crl = ${apache-ssl-crl:rendered}
-{{ simplefile('apache-ssl-ca', '${apache-conf-ssl:ca-cert}', ssl_parameter_dict['ca-cert']) }}
-{{ simplefile('apache-ssl-crl', '${apache-conf-ssl:crl}', ssl_parameter_dict['crl']) }}
-{% else %}
-cert =
-crl =
-{%- endif %}
-
 [apache-logrotate]
 < = logrotate-entry-base
 name = apache
@@ -268,6 +266,8 @@ link-binary =
 [directory]
 recipe = slapos.cookbook:mkdirectory
 apache-conf = ${:etc}/apache
+apache-ca-cert-dir = ${:apache-conf}/ssl.crt
+apache-crl-dir = ${:apache-conf}/ssl.crl
 bin = ${buildout:directory}/bin
 ca-dir = ${buildout:directory}/srv/ssl
 certs = ${:ca-dir}/certs