diff --git a/stack/erp5/buildout.hash.cfg b/stack/erp5/buildout.hash.cfg
index 0769bce84b713c24d8fd663dadb3f27032285865..016f38ee89285c3ad8522ab058014d370ac79651 100644
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
+md5sum = a2f795e5ed9537951ee70114111930b0
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in
diff --git a/stack/erp5/instance-balancer.cfg.in b/stack/erp5/instance-balancer.cfg.in
index 2752f1fba28543f8b2c33f413c482f76c720887f..25156db54d25aa568fbfee9bcd8042481dd5b546 100644
--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -26,10 +26,10 @@ mode = 644
  updater_path='${directory:services-on-watch}/caucase-updater',
  url=ssl_parameter_dict['caucase-url'],
  data_dir='${directory:srv}/caucase-updater',
- crt_path='${apache-conf-ssl:cert}',
+ crt_path='${apache-conf-ssl:caucase-cert}',
  ca_path='${apache-conf-ssl:ca-cert}',
  crl_path='${apache-conf-ssl:crl}',
- key_path='${apache-conf-ssl:key}',
+ key_path='${apache-conf-ssl:caucase-key}',
  on_renew='${apache-graceful:output}',
  max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
  template_csr_pem=ssl_parameter_dict.get('csr'),
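Review bot: After this change the caucase-updater renews into `${apache-conf-ssl:caucase-cert}` / `caucase-key`, but nothing in the diff serves those files — Apache's `cert`/`key` are now taken from `[apache-ssl]` — so `on_renew='${apache-graceful:output}'` (presumably a graceful Apache restart) fires for a certificate the server does not use. If that is deliberate until caddy support lands, say so next to the `crt_path` line, e.g. `# caucase-issued cert is renewed here but not yet served; Apache uses [apache-ssl]`, so the next maintainer does not assume the caucase certificate is what clients see. Otherwise consider leaving `on_renew` out until the renewed certificate is actually wired into the server. The caucase-updater section this hunk belongs to starts and ends outside the hunk.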
@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 ca-cert = ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem
 
+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 # Client x509 auth
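Review bot: The `{% if ssl_parameter_dict.get('key') -%}` guard in `[apache-ssl]` only checks `key`, yet the branch also reads `ssl_parameter_dict['cert']` unconditionally, so a parameter dict carrying `key` without `cert` fails at render time with a bare KeyError; test both, `{% if ssl_parameter_dict.get('key') and ssl_parameter_dict.get('cert') -%}`. In the fallback branch `-newkey rsa` leaves the modulus size to the OpenSSL build's configured default, which on older builds can be as low as 1024 bits, so pin it, `-newkey rsa:2048`. The key file written by `-keyout` with `-nodes` is unencrypted and created with the process umask rather than an explicit mode, so a permissive umask can leave `apache.pem` readable by other local users; prefixing the command with `umask 077 && ` keeps it owner-only. Adding `stop-on-error = true` to the `plone.recipe.command` part makes a failed openssl run abort the install instead of leaving `${apache-ssl:cert}`/`key` missing, which the consumer in the `-132,8 +148,8` hunk of this file would otherwise only discover when Apache starts.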