Use a letsencrypt certificate for the main mail server
authorTom Hughes <tom@compton.nu>
Fri, 5 Oct 2018 18:10:10 +0000 (19:10 +0100)
committerTom Hughes <tom@compton.nu>
Fri, 5 Oct 2018 18:10:10 +0000 (19:10 +0100)
cookbooks/exim/metadata.rb
cookbooks/exim/recipes/default.rb
cookbooks/exim/templates/default/apache.erb [new file with mode: 0644]
cookbooks/exim/templates/default/exim4.conf.erb
roles/mail.rb

index 19ab6af9d4a0304b9fa13317d9ec232bc60af5e9..e095f164ead602d95cecb7daa0fcb46ca66dcc6a 100644 (file)
@@ -8,3 +8,4 @@ version           "1.0.0"
 supports          "ubuntu"
 depends           "networking"
 depends           "ssl"
+depends           "apache"
index 6b20f5181592f7c7213069fd129b086ca61f85bc..c46606dbf84dc321f0ba0a894b96c1a54fe4d9af 100644 (file)
@@ -33,21 +33,35 @@ group "ssl-cert" do
   append true
 end
 
-openssl_x509_certificate "/etc/ssl/certs/exim.pem" do
-  key_file "/etc/ssl/private/exim.key"
-  owner "root"
-  group "ssl-cert"
-  mode 0o640
-  org "OpenStreetMap"
-  email "postmaster@openstreetmap.org"
-  common_name node[:fqdn]
-  expire 3650
+if node[:exim][:certificate_names]
+  include_recipe "apache"
+
+  apache_site node[:exim][:certificate_names].first do
+    template "apache.erb"
+    variables :aliases => node[:exim][:certificate_names].drop(1)
+  end
+
+  ssl_certificate node[:exim][:certificate_names].first do
+    domains node[:exim][:certificate_names]
+    notifies :restart, "service[exim4]"
+  end
+else
+  openssl_x509_certificate "/etc/ssl/certs/exim.pem" do
+    key_file "/etc/ssl/private/exim.key"
+    owner "root"
+    group "ssl-cert"
+    mode 0o640
+    org "OpenStreetMap"
+    email "postmaster@openstreetmap.org"
+    common_name node[:fqdn]
+    expire 3650
+    notifies :restart, "service[exim4]"
+  end
 end
 
 service "exim4" do
   action [:enable, :start]
   supports :status => true, :restart => true, :reload => true
-  subscribes :restart, "execute[/etc/ssl/certs/exim.pem]"
 end
 
 relay_to_domains = node[:exim][:relay_to_domains]
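Review bot: The guard on line 32 treats an empty `certificate_names` array as enabled, because `[]` is truthy in Ruby, so `.first` on line 35 would pass `nil` as the `apache_site` name and `ssl_certificate` on line 40 would receive an empty domain list; the same condition is repeated at the top of the exim4.conf.erb hunk. Guarding on at least one name, `if node[:exim][:certificate_names] && !node[:exim][:certificate_names].empty?`, keeps both the recipe and the template on the self-signed path until a role actually lists names. The self-signed branch also states explicitly that the key is `root:ssl-cert` with mode `0o640` (lines 47–49), whereas the `ssl_certificate` branch does not show who may read `/etc/ssl/private/<name>.key`; if the ssl cookbook's resource does not grant the exim daemon read access to that key, the TLS listener would fail to load it, so that is worth confirming rather than assuming.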
diff --git a/cookbooks/exim/templates/default/apache.erb b/cookbooks/exim/templates/default/apache.erb
new file mode 100644 (file)
index 0000000..f7a5c8a
--- /dev/null
@@ -0,0 +1,46 @@
+# DO NOT EDIT - This file is being maintained by Chef
+
+<VirtualHost *:80>
+  ServerName <%= @name %>
+<% @aliases.each do |alias_name| -%>
+  ServerAlias <%= alias_name %>
+<% end -%>
+  ServerAdmin webmaster@openstreetmap.org
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
+<% unless @aliases.empty? -%>
+
+<VirtualHost *:443>
+  ServerName <%= @aliases.first %>
+<% @aliases.drop(1).each do |alias_name| -%>
+  ServerAlias <%= alias_name %>
+<% end -%>
+  ServerAdmin webmaster@openstreetmap.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+
+  RedirectPermanent / https://<%= @name %>/
+</VirtualHost>
+<% end -%>
+
+<VirtualHost *:443>
+  ServerName <%= @name %>
+  ServerAdmin webmaster@openstreetmap.org
+
+  SSLEngine on
+  SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+  SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
+
+  CustomLog /var/log/apache2/<%= @name %>-access.log combined
+  ErrorLog /var/log/apache2/<%= @name %>-error.log
+</VirtualHost>
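Review bot: The redirect on line 82 appears to be what lets ACME http-01 validation reach the central acme host for a name whose other plain-HTTP traffic is sent to HTTPS on line 83, and nothing in the template says so; a reader could drop or reorder it as a generic redirect. A comment above it such as `# Forward ACME http-01 challenges to the central acme host; keep this before the catch-all redirect below` would record the dependency. The two port-443 vhosts (lines 87–102 and 105–115) also write to the same access and error logs keyed on `@name`, which is presumably intended since they serve one certificate, but a one-line note would spare the next reader from wondering whether the alias vhost was meant to log separately.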
index f541cec1765d60be1fbc7fc137ca6c927762dd8b..18544c091746dbd64a3153e3385f0b1c2ee1a49a 100644 (file)
@@ -156,8 +156,13 @@ tls_require_ciphers = <%= node[:ssl][:gnutls_ciphers] %>:%SERVER_PRECEDENCE
 # need the first setting, or in separate files, in which case you need both
 # options.
 
+<% if node[:exim][:certificate_names] -%>
+tls_certificate = /etc/ssl/certs/<%= node[:exim][:certificate_names].first %>.pem
+tls_privatekey = /etc/ssl/private/<%= node[:exim][:certificate_names].first %>.key
+<% else -%>
 tls_certificate = /etc/ssl/certs/exim.pem
 tls_privatekey = /etc/ssl/private/exim.key
+<% end -%>
 
 # In order to support roaming users who wish to send email from anywhere,
 # you may want to make Exim listen on other ports as well as port 25, in
index 6556b08ca30aea2606bcd0581c550d1de5fe103a..e2ec91dedbb8f1f7c74ca27bea77753c65b3518a 100644 (file)
@@ -16,6 +16,10 @@ default_attributes(
       "osm.io"
     ],
     :daemon_smtp_ports => [25, 26],
+    :certificate_names => [
+      "mail.openstreetmap.org",
+      "a.mx.openstreetmap.org"
+    ],
     :smarthost_name => "mail.openstreetmap.org",
     :smarthost_via => false,
     :dns_blacklists => ["zen.spamhaus.org"],
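Review bot: The order of `certificate_names` is significant but the role does not say so: the first entry becomes the `apache_site` and `ssl_certificate` resource name and the basename of the `.pem` and `.key` files referenced by both the apache template and exim4.conf.erb, while the remaining entries are passed as extra domains and rendered as ServerAlias lines. A comment above line 136 such as `# first name is the certificate file basename; the rest are added as extra domains/aliases` would make that contract visible where the data is edited.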