Remove legacy certificate support
authorTom Hughes <tom@compton.nu>
Sun, 19 Feb 2017 19:19:36 +0000 (19:19 +0000)
committerTom Hughes <tom@compton.nu>
Sun, 19 Feb 2017 19:27:54 +0000 (19:27 +0000)
30 files changed:
cookbooks/apache/attributes/default.rb
cookbooks/apache/recipes/ssl.rb
cookbooks/apache/templates/default/ssl.erb
cookbooks/blogs/recipes/default.rb
cookbooks/cgiirc/recipes/default.rb
cookbooks/chef/recipes/server.rb
cookbooks/dns/recipes/default.rb
cookbooks/forum/recipes/default.rb
cookbooks/foundation/recipes/owg.rb
cookbooks/git/recipes/web.rb
cookbooks/gps-tile/recipes/default.rb
cookbooks/kibana/recipes/default.rb
cookbooks/mailman/recipes/default.rb
cookbooks/nominatim/recipes/default.rb
cookbooks/osqa/recipes/default.rb
cookbooks/otrs/recipes/default.rb
cookbooks/piwik/recipes/default.rb
cookbooks/planet/recipes/default.rb
cookbooks/serverinfo/recipes/default.rb
cookbooks/ssl/attributes/default.rb
cookbooks/ssl/files/default/rapidssl.pem [deleted file]
cookbooks/ssl/files/default/startcom.pem [deleted file]
cookbooks/ssl/recipes/default.rb
cookbooks/ssl/resources/certificate.rb
cookbooks/stats/recipes/default.rb
cookbooks/subversion/recipes/default.rb
cookbooks/taginfo/recipes/default.rb
cookbooks/tilecache/recipes/default.rb
cookbooks/trac/recipes/default.rb
cookbooks/web/recipes/rails.rb

index 46feacd..8e05105 100644 (file)
@@ -28,6 +28,4 @@ default[:apache][:event][:max_connections_per_child] = 0
 
 default[:apache][:listen_address] = "*"
 
-default[:apache][:ssl][:certificate] = "openstreetmap"
-
 default[:apache][:buffered_logs] = true
index b9b2ca3..b2818df 100644 (file)
 # limitations under the License.
 #
 
-certificate = node[:apache][:ssl][:certificate]
-
-node.default[:ssl][:certificates] = node[:ssl][:certificates] | [certificate]
-
 include_recipe "apache"
 include_recipe "ssl"
 
@@ -28,11 +24,5 @@ apache_module "ssl"
 
 apache_conf "ssl" do
   template "ssl.erb"
-  variables :certificate => certificate
   notifies :reload, "service[apache2]"
 end
-
-apache = resources("service[apache2]")
-
-apache.subscribes(:restart, "file[/etc/ssl/certs/#{certificate}.pem]")
-apache.subscribes(:restart, "file[/etc/ssl/private/#{certificate}.key]")
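Review bot: With both `apache.subscribes(:restart, ...)` lines removed, nothing left in this recipe restarts apache2 when `/etc/ssl/certs/letsencrypt.pem` is replaced, and ssl.erb still names that chain file for releases before 16.04; the `cookbook_file` that installs it lives in the ssl cookbook and its notifications are not visible here, so this is inferred. Per-site certificate changes are covered by the `notifies :reload, "service[apache2]"` on each `ssl_certificate`, but the shared chain file is not. If the ssl cookbook resource does not notify the service itself, keep a subscription on the surviving file: `apache = resources("service[apache2]")` followed by `apache.subscribes(:restart, "cookbook_file[/etc/ssl/certs/letsencrypt.pem]")`. The first hunk of this section is rendered without its `@@` header, so the exact position of the removed assignments relative to the license comment is not verifiable here.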
index 03b77f5..17ee112 100644 (file)
@@ -3,11 +3,9 @@
 SSLProtocol All -SSLv2 -SSLv3
 
 SSLHonorCipherOrder On
-SSLCipherSuite <%= node[:ssl][:ciphers] -%>
-
-SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
-SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
+SSLCipherSuite <%= node[:ssl][:ciphers] %>
 <% if node[:lsb][:release].to_f < 16.04 -%>
+
 SSLCertificateChainFile /etc/ssl/certs/letsencrypt.pem
 <% end -%>
 
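Review bot: Dropping `SSLCertificateFile` and `SSLCertificateKeyFile` from the global ssl.conf removes the server-wide default that an `SSLEngine on` virtual host without its own certificate directives inherited; mod_ssl rejects such a vhost at startup, so every SSL vhost template in the cookbooks listed in this commit must now set both directives itself (those templates are not in the diff, so this is inferred). Because the only trigger is the `notifies :reload` from `apache_conf "ssl"`, a vhost that relied on the old default would surface only as a failed reload during converge, so running `apache2ctl configtest` on one host with the new template before rolling out is the cheap check. A short comment above the `<% if %>` such as `# Before 16.04 the chain is not read from SSLCertificateFile, so supply it separately` would record why the chain file is still conditional.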
index c2a4a1c..8389b62 100644 (file)
@@ -61,7 +61,6 @@ end
 
 ssl_certificate "blogs.openstreetmap.org" do
   domains "blogs.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 173eebf..2c80239 100644 (file)
@@ -40,7 +40,6 @@ end
 
 ssl_certificate "irc.openstreetmap.org" do
   domains "irc.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 2ebf64f..fe668ad 100644 (file)
@@ -80,7 +80,6 @@ apache_module "proxy_http"
 
 ssl_certificate "chef.openstreetmap.org" do
   domains ["chef.openstreetmap.org", "chef.osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 4fbde88..8db66d6 100644 (file)
@@ -73,7 +73,6 @@ end
 
 ssl_certificate "dns.openstreetmap.org" do
   domains "dns.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 7130c17..7288824 100644 (file)
@@ -33,7 +33,6 @@ apache_module "rewrite"
 
 ssl_certificate "forum.openstreetmap.org" do
   domains ["forum.openstreetmap.org", "forum.osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index a34a16f..cc093b3 100644 (file)
@@ -58,7 +58,6 @@ end
 
 ssl_certificate "operations.osmfoundation.org" do
   domains "operations.osmfoundation.org"
-  fallback_certificate "osmfoundation"
   notifies :reload, "service[apache2]"
 end
 
index 5d298e7..2430712 100644 (file)
@@ -34,7 +34,6 @@ end
 
 ssl_certificate node[:git][:host] do
   domains node[:git][:host]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 593e69a..87c2c49 100644 (file)
@@ -112,7 +112,6 @@ ssl_certificate "gps-tile.openstreetmap.org" do
            "gps-a.tile.openstreetmap.org",
            "gps-b.tile.openstreetmap.org",
            "gps-c.tile.openstreetmap.org"]
-  fallback_certificate "tile.openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 8c7db20..6a985ae 100644 (file)
@@ -93,7 +93,6 @@ node[:kibana][:sites].each do |name, details|
 
   ssl_certificate details[:site] do
     domains details[:site]
-    fallback_certificate "openstreetmap"
     notifies :reload, "service[apache2]"
   end
 
index 6dca950..8fb1b90 100644 (file)
@@ -43,7 +43,6 @@ apache_module "rewrite"
 
 ssl_certificate "lists.openstreetmap.org" do
   domains "lists.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index b7954af..b098c59 100644 (file)
@@ -338,7 +338,6 @@ ssl_certificate "nominatim.openstreetmap.org" do
            "nominatim.openstreetmap.net",
            "nominatim.openstreetmaps.org",
            "nominatim.openmaps.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 482d73d..5d5b4b1 100644 (file)
@@ -51,7 +51,6 @@ node[:osqa][:sites].each do |site|
 
   ssl_certificate site_name do
     domains site_name
-    fallback_certificate "openstreetmap"
     notifies :reload, "service[apache2]"
   end
 
index 03eb43a..b6861d1 100644 (file)
@@ -141,7 +141,6 @@ end
 
 ssl_certificate site do
   domains site
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 8561491..36bb05d 100644 (file)
@@ -93,7 +93,6 @@ end
 
 ssl_certificate "piwik.openstreetmap.org" do
   domains ["piwik.openstreetmap.org", "piwik.osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 044a88b..452b542 100644 (file)
@@ -93,7 +93,6 @@ apache_module "proxy_http"
 
 ssl_certificate "planet.openstreetmap.org" do
   domains ["planet.openstreetmap.org", "planet.osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index f38283f..c027480 100644 (file)
@@ -68,7 +68,6 @@ end
 
 ssl_certificate "hardware.openstreetmap.org" do
   domains "hardware.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 5db9abb..1494dfe 100644 (file)
@@ -1,2 +1 @@
-default[:ssl][:certificates] = []
 default[:ssl][:ciphers] = "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS"
diff --git a/cookbooks/ssl/files/default/rapidssl.pem b/cookbooks/ssl/files/default/rapidssl.pem
deleted file mode 100644 (file)
index fac0344..0000000
+++ /dev/null
@@ -1,26 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIETTCCAzWgAwIBAgIDAjpxMA0GCSqGSIb3DQEBCwUAMEIxCzAJBgNVBAYTAlVT
-MRYwFAYDVQQKEw1HZW9UcnVzdCBJbmMuMRswGQYDVQQDExJHZW9UcnVzdCBHbG9i
-YWwgQ0EwHhcNMTMxMjExMjM0NTUxWhcNMjIwNTIwMjM0NTUxWjBCMQswCQYDVQQG
-EwJVUzEWMBQGA1UEChMNR2VvVHJ1c3QgSW5jLjEbMBkGA1UEAxMSUmFwaWRTU0wg
-U0hBMjU2IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAu1jBEgEu
-l9h9GKrIwuWF4hdsYC7JjTEFORoGmFbdVNcRjFlbPbFUrkshhTIWX1SG5tmx2GCJ
-a1i+ctqgAEJ2sSdZTM3jutRc2aZ/uyt11UZEvexAXFm33Vmf8Wr3BvzWLxmKlRK6
-msrVMNI4/Bk7WxU7NtBDTdFlodSLwWBBs9ZwF8w5wJwMoD23ESJOztmpetIqYpyg
-C04q18NhWoXdXBC5VD0tA/hJ8LySt7ecMcfpuKqCCwW5Mc0IW7siC/acjopVHHZD
-dvDibvDfqCl158ikh4tq8bsIyTYYZe5QQ7hdctUoOeFTPiUs2itP3YqeUFDgb5rE
-1RkmiQF1cwmbOwIDAQABo4IBSjCCAUYwHwYDVR0jBBgwFoAUwHqYaI2J+6sFZAwR
-fap9ZbjKzE4wHQYDVR0OBBYEFJfCJ1CewsnsDIgyyHyt4qYBT9pvMBIGA1UdEwEB
-/wQIMAYBAf8CAQAwDgYDVR0PAQH/BAQDAgEGMDYGA1UdHwQvMC0wK6ApoCeGJWh0
-dHA6Ly9nMS5zeW1jYi5jb20vY3Jscy9ndGdsb2JhbC5jcmwwLwYIKwYBBQUHAQEE
-IzAhMB8GCCsGAQUFBzABhhNodHRwOi8vZzIuc3ltY2IuY29tMEwGA1UdIARFMEMw
-QQYKYIZIAYb4RQEHNjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0
-LmNvbS9yZXNvdXJjZXMvY3BzMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFTeW1h
-bnRlY1BLSS0xLTU2OTANBgkqhkiG9w0BAQsFAAOCAQEANevhiyBWlLp6vXmp9uP+
-bji0MsGj21hWID59xzqxZ2nVeRQb9vrsYPJ5zQoMYIp0TKOTKqDwUX/N6fmS/Zar
-RfViPT9gRlATPSATGC6URq7VIf5Dockj/lPEvxrYrDrK3maXI67T30pNcx9vMaJR
-BBZqAOv5jUOB8FChH6bKOvMoPF9RrNcKRXdLDlJiG9g4UaCSLT+Qbsh+QJ8gRhVd
-4FB84XavXu0R0y8TubglpK9YCa81tGJUheNI3rzSkHp6pIQNo0LyUcDUrVNlXWz4
-Px8G8k/Ll6BKWcZ40egDuYVtLLrhX7atKz4lecWLVtXjCYDqwSfC2Q7sRwrp0Mr8
-2A==
------END CERTIFICATE-----
diff --git a/cookbooks/ssl/files/default/startcom.pem b/cookbooks/ssl/files/default/startcom.pem
deleted file mode 100644 (file)
index dbaeda6..0000000
+++ /dev/null
@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF2TCCA8GgAwIBAgIHHKs2Ry2cUTANBgkqhkiG9w0BAQsFADB9MQswCQYDVQQG
-EwJJTDEWMBQGA1UEChMNU3RhcnRDb20gTHRkLjErMCkGA1UECxMiU2VjdXJlIERp
-Z2l0YWwgQ2VydGlmaWNhdGUgU2lnbmluZzEpMCcGA1UEAxMgU3RhcnRDb20gQ2Vy
-dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMDcxMDE0MjA1NzA5WhcNMjIxMDE0MjA1
-NzA5WjCBjDELMAkGA1UEBhMCSUwxFjAUBgNVBAoTDVN0YXJ0Q29tIEx0ZC4xKzAp
-BgNVBAsTIlNlY3VyZSBEaWdpdGFsIENlcnRpZmljYXRlIFNpZ25pbmcxODA2BgNV
-BAMTL1N0YXJ0Q29tIENsYXNzIDIgUHJpbWFyeSBJbnRlcm1lZGlhdGUgU2VydmVy
-IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4k85L6GMmoWtCA4I
-PlfyiAEhG5SpbOK426oZGEY6UqH1D/RujOqWjJaHeRNAUS8i8gyLhw9l33F0NENV
-sTUJm9m8H/rrQtCXQHK3Q5Y9upadXVACHJuRjZzArNe7LxfXyz6CnXPrB0KSss1k
-s3RVG7RLhiEs93iHMuAW5Nq9TJXqpAp+tgoNLorPVavD5d1Bik7mb2VsskDPF125
-w2oLJxGEd2H2wnztwI14FBiZgZl1Y7foU9O6YekO+qIw80aiuckfbIBaQKwn7UhH
-M7BUxkYa8zVhwQIpkFR+ZE3EMFICgtffziFuGJHXuKuMJxe18KMBL47SLoc6PbQp
-Z4rEAwIDAQABo4IBTDCCAUgwEgYDVR0TAQH/BAgwBgEB/wIBADAOBgNVHQ8BAf8E
-BAMCAQYwHQYDVR0OBBYEFBHbI0X9VMxqcW+EigPXvvcBLyaGMB8GA1UdIwQYMBaA
-FE4L7xqkQFulF2mHMMo0aEPQQa7yMGkGCCsGAQUFBwEBBF0wWzAnBggrBgEFBQcw
-AYYbaHR0cDovL29jc3Auc3RhcnRzc2wuY29tL2NhMDAGCCsGAQUFBzAChiRodHRw
-Oi8vYWlhLnN0YXJ0c3NsLmNvbS9jZXJ0cy9jYS5jcnQwMgYDVR0fBCswKTAnoCWg
-I4YhaHR0cDovL2NybC5zdGFydHNzbC5jb20vc2ZzY2EuY3JsMEMGA1UdIAQ8MDow
-OAYEVR0gADAwMC4GCCsGAQUFBwIBFiJodHRwOi8vd3d3LnN0YXJ0c3NsLmNvbS9w
-b2xpY3kucGRmMA0GCSqGSIb3DQEBCwUAA4ICAQBSyb3zvcv566LEMsqGcvzPv6cw
-tf2R99WB4SEErQBM/+mLJ9r/8iTN/B8Pf9LR5YGSI3gW7msDLp0ASE+ugmUuh2/u
-agdfS1Zu95ZGQebd/kW5Yiqainbprb3Wc7O8MSvQLNVsa7xqOiWHqailDdeF8Wxs
-BQ70wWjLuyqBWKU+mcSf9x+EjqB60U3buAGcDYE0yoL+I2JNP22kUsBMXvJpSLHy
-36xEZGmwRinHrfDywJ1oI4qoZ3EiF77OiXp2vlRsk1yL8Bpuru2OrsIFrhNX5rnn
-cMgzuJ79SjDjmNQTa+5Ouebs387qoJ52apeq6t80RUL12k3Wh3Zt/85phnqBX9uy
-T86w4GdgOUSwRRCFZZcSed/Ul9h4IQyEmM67T2sPGdqFaZFBbBccxrn2FK7yoYB6
-4umV7yKKzP842/whVuyA/W2ihZEpA+qrA70sYESCADXnFGx2O0CDVdVc38coo1nV
-iXg+D+AG/dVXiiQcp2I4HYWTS/mTf/NE+mOYnu0miZ32/vhDbCX/B/kSPJ4RsNOA
-7uyrOwykcgOSFDbpvuaKOpGLrQwGqLODgm+p9TY5giMMjur9XH7TS1wz02dIz07u
-y2NwYWdV67vcnAt6QxRISap5RbaPviyQZxz4nFaSlTAwHoPaW1yuVS11tmsROMlR
-RNvbaAxIU4U67YaZSw==
------END CERTIFICATE-----
index 1635ed2..6dcc024 100644 (file)
 # limitations under the License.
 #
 
-keys = data_bag_item("ssl", "keys")
-certs = data_bag_item("ssl", "certs")
-
 package "openssl"
 package "ssl-cert"
 
-%w(letsencrypt rapidssl startcom dhparam).each do |certificate|
+%w(letsencrypt dhparam).each do |certificate|
   cookbook_file "/etc/ssl/certs/#{certificate}.pem" do
     owner "root"
     group "root"
@@ -32,30 +29,12 @@ package "ssl-cert"
   end
 end
 
-["openstreetmap", "tile.openstreetmap", "osmfoundation"].each do |certificate|
-  if node[:ssl][:certificates].include?(certificate)
-    file "/etc/ssl/certs/#{certificate}.pem" do
-      owner "root"
-      group "root"
-      mode 0o444
-      content certs[certificate].join("\n")
-      backup false
-    end
-
-    file "/etc/ssl/private/#{certificate}.key" do
-      owner "root"
-      group "ssl-cert"
-      mode 0o440
-      content keys[certificate].join("\n")
-      backup false
-    end
-  else
-    file "/etc/ssl/certs/#{certificate}.pem" do
-      action :delete
-    end
+["openstreetmap", "tile.openstreetmap", "osmfoundation", "rapidssl", "startcom"].each do |certificate|
+  file "/etc/ssl/certs/#{certificate}.pem" do
+    action :delete
+  end
 
-    file "/etc/ssl/private/#{certificate}.key" do
-      action :delete
-    end
+  file "/etc/ssl/private/#{certificate}.key" do
+    action :delete
   end
 end
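Review bot: The new deletion loop removes `/etc/ssl/certs/openstreetmap.pem` and the tile/osmfoundation files in the same converge that stops `ssl_certificate` from creating `fallback_certificate` links, but nothing here removes the `/etc/ssl/certs/<site>.pem` and `/etc/ssl/private/<site>.key` links that earlier runs created on hosts without a Let's Encrypt certificate; whether the self-signed branch of the resource overwrites an existing link is not visible in this diff, and a dangling link would make the apache2 reload fail, so this is worth verifying on one such host or covering with an explicit `link ... action :delete`. Chef's `file ... action :delete` only unlinks, and the same keys and certificates still live in the `ssl` data bag items `keys` and `certs` that this recipe no longer reads, so those items should be removed and the retired certificates revoked with their issuer once no host serves them. Deleting `/etc/ssl/private/rapidssl.key` and `startcom.key` is a no-op, since only the `.pem` intermediates were ever installed for those two names; splitting the list into "site certificates" and "intermediates" would make the intent clearer.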
index fc94d39..c133491 100644 (file)
@@ -21,7 +21,6 @@ default_action :create
 
 property :name, String
 property :domains, [String, Array], :required => true
-property :fallback_certificate, String
 
 action :create do
   node.default[:letsencrypt][:certificates][name] = {
@@ -53,14 +52,6 @@ action :create do
       manage_symlink_source false
       force_unlink true
     end
-  elsif fallback_certificate
-    link "/etc/ssl/certs/#{name}.pem" do
-      to "#{fallback_certificate}.pem"
-    end
-
-    link "/etc/ssl/private/#{name}.key" do
-      to "#{fallback_certificate}.key"
-    end
   else
     template "/tmp/#{name}.ssl.cnf" do
       cookbook "ssl"
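Review bot: With the `elsif fallback_certificate` branch gone, a site whose Let's Encrypt certificate has not yet been issued falls through to the self-signed `else` branch instead of serving the shared certificate, which is a client-visible change (certificate warnings) rather than a silent one; a comment above `else` such as `# no Let's Encrypt certificate yet: serve a self-signed placeholder until issuance succeeds` would record that this is intended. The `action :create` block starts in the previous hunk and continues past this one, so the rest of the self-signed path was not reviewed. Removing `property :fallback_certificate` turns any remaining caller that still passes it into a compile-phase error, which is the right failure mode for a retired option.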
index 3f0303d..2c92fb2 100644 (file)
@@ -75,7 +75,6 @@ end
 
 ssl_certificate "stats.openstreetmap.org" do
   domains ["stats.openstreetmap.org", "stats.osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 8419bbc..51a6de5 100644 (file)
@@ -53,7 +53,6 @@ end
 
 ssl_certificate site_name do
   domains site_name
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 35166f1..3b0983a 100644 (file)
@@ -236,7 +236,6 @@ node[:taginfo][:sites].each do |site|
 
   ssl_certificate site_name do
     domains site_name
-    fallback_certificate "openstreetmap"
     notifies :reload, "service[apache2]"
   end
 
index c275edb..41a4e7f 100644 (file)
@@ -116,7 +116,6 @@ ssl_certificate "tile.openstreetmap.org" do
            "a.tile.openstreetmap.org",
            "b.tile.openstreetmap.org",
            "c.tile.openstreetmap.org"]
-  fallback_certificate "tile.openstreetmap"
   notifies :restart, "service[nginx]"
 end
 
index 551f28e..fab0564 100644 (file)
@@ -73,7 +73,6 @@ apache_module "wsgi"
 
 ssl_certificate "trac.openstreetmap.org" do
   domains "trac.openstreetmap.org"
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end
 
index 4095be1..77017b7 100644 (file)
@@ -32,7 +32,6 @@ ssl_certificate "www.openstreetmap.org" do
   domains ["www.openstreetmap.org", "www.osm.org",
            "api.openstreetmap.org", "api.osm.org",
            "openstreetmap.org", "osm.org"]
-  fallback_certificate "openstreetmap"
   notifies :reload, "service[apache2]"
 end