Switch main web site to letsencrypt
authorTom Hughes <tom@compton.nu>
Sat, 18 Feb 2017 11:36:39 +0000 (11:36 +0000)
committerTom Hughes <tom@compton.nu>
Sat, 18 Feb 2017 11:36:39 +0000 (11:36 +0000)
cookbooks/web/recipes/rails.rb
cookbooks/web/templates/default/apache.backend.erb
cookbooks/web/templates/default/apache.frontend.erb

index 90efbb421839fa8ffd30d605c5824396e5f7e4ce..4095be1bc06e2bba9710b26deb582825377b3f32 100644 (file)
@@ -28,6 +28,14 @@ include_recipe "nodejs"
 web_passwords = data_bag_item("web", "passwords")
 db_passwords = data_bag_item("db", "passwords")
 
+ssl_certificate "www.openstreetmap.org" do
+  domains ["www.openstreetmap.org", "www.osm.org",
+           "api.openstreetmap.org", "api.osm.org",
+           "openstreetmap.org", "osm.org"]
+  fallback_certificate "openstreetmap"
+  notifies :reload, "service[apache2]"
+end
+
 nodejs_package "svgo"
 
 template "/etc/cron.hourly/passenger" do
index 5ec7c78c6be6a266d579c4a8c3ddb89b7ddd848e..5392f4c1b59c89e91964cfeaefda28fb1eb4fc09 100644 (file)
@@ -14,6 +14,8 @@
   # Enable SSL
   #
   SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 <% end -%>
 
   #
index ceaf4874b32fc0ca2e38c648f5e4ef4acf03b226..165b4adfc9718ad970832a44af033aecb39aee5e 100644 (file)
@@ -15,6 +15,8 @@
   #
   SSLEngine on
   SSLProxyEngine on
+  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 <% end -%>
 
   #
@@ -56,7 +58,7 @@
   # Block changeset scraper
   #
   RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner"
-  RewriteRule . - [F,L]  
+  RewriteRule . - [F,L]
 
   #
   # Block requests for the old 404 map tile
   ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
   ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
 
+  #
+  # Redirect ACME certificate challenges
+  #
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
   #
   # Redirect trac and wiki requests to the right places
   #
   ServerAlias *
 
   SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+  SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 
   RedirectPermanent / https://www.openstreetmap.org/
 </VirtualHost>