Commit f8f72a17 authored by Thomas Gambier's avatar Thomas Gambier 🚴🏼 Committed by Łukasz Nowak

[erp5] don't use caucase generated certificate for now

The certificates generated by caucase are not supported by Caddy (see https://www.erp5.com/project_section/vifib/forum/Problem-with-caddy-frontend-and-caucase-0.95-issued-certificate-UNinzubDv0)

/cc @rafael @alain.takoudjou

/reviewed-on nexedi/slapos!531
parent 039ba746
......@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e
[template-balancer]
filename = instance-balancer.cfg.in
md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
md5sum = a2f795e5ed9537951ee70114111930b0
[template-haproxy-cfg]
filename = haproxy.cfg.in
......
......@@ -26,10 +26,10 @@ mode = 644
updater_path='${directory:services-on-watch}/caucase-updater',
url=ssl_parameter_dict['caucase-url'],
data_dir='${directory:srv}/caucase-updater',
crt_path='${apache-conf-ssl:cert}',
crt_path='${apache-conf-ssl:caucase-cert}',
ca_path='${apache-conf-ssl:ca-cert}',
crl_path='${apache-conf-ssl:crl}',
key_path='${apache-conf-ssl:key}',
key_path='${apache-conf-ssl:caucase-key}',
on_renew='${apache-graceful:output}',
max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
template_csr_pem=ssl_parameter_dict.get('csr'),
......@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
[apache-conf-ssl]
cert = ${directory:apache-conf}/apache.crt
key = ${directory:apache-conf}/apache.pem
# XXX caucase certificate is not supported by caddy for now
caucase-cert = ${directory:apache-conf}/apache-caucase.crt
caucase-key = ${directory:apache-conf}/apache-caucase.pem
ca-cert = ${directory:apache-conf}/ca.crt
crl = ${directory:apache-conf}/crl.pem
[apache-ssl]
{% if ssl_parameter_dict.get('key') -%}
key = ${apache-ssl-key:rendered}
cert = ${apache-ssl-cert:rendered}
{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
{% else %}
recipe = plone.recipe.command
command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
key = ${apache-conf-ssl:key}
cert = ${apache-conf-ssl:cert}
{%- endif %}
[apache-conf-parameter-dict]
backend-list = {{ dumps(apache_dict.values()) }}
zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
......@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
# Apache 2.4's default value (60 seconds) can be a bit too short
timeout = 300
# Basic SSL server configuration
cert = ${apache-conf-ssl:cert}
key = ${apache-conf-ssl:key}
cert = ${apache-ssl:cert}
key = ${apache-ssl:key}
cipher =
ssl-session-cache = ${directory:log}/apache-ssl-session-cache
# Client x509 auth
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment