From: Tom Hughes Date: Wed, 15 Feb 2017 22:31:34 +0000 (+0000) Subject: Switch nominatim.osm.org to letsencrypt X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/242e569f6b67381cf7ec98dc6e034dc5b5007476 Switch nominatim.osm.org to letsencrypt
---
diff --git a/cookbooks/nominatim/recipes/default.rb b/cookbooks/nominatim/recipes/default.rb
index 63734cdb8..b7954af92 100644
--- a/cookbooks/nominatim/recipes/default.rb
+++ b/cookbooks/nominatim/recipes/default.rb
@@ -331,6 +331,17 @@ node[:nominatim][:fpm_pools].each do |name, data|
 end
 end
+ssl_certificate "nominatim.openstreetmap.org" do
+ domains ["nominatim.openstreetmap.org",
+ "nominatim.osm.org",
+ "nominatim.openstreetmap.com",
+ "nominatim.openstreetmap.net",
+ "nominatim.openstreetmaps.org",
+ "nominatim.openmaps.org"]
+ fallback_certificate "openstreetmap"
+ notifies :reload, "service[apache2]"
+end
+
 apache_site "nominatim.openstreetmap.org" do
 template "apache.erb"
 directory build_directory
diff --git a/cookbooks/nominatim/templates/default/apache.erb b/cookbooks/nominatim/templates/default/apache.erb
index 1afe817e5..b79e76dbe 100644
--- a/cookbooks/nominatim/templates/default/apache.erb
+++ b/cookbooks/nominatim/templates/default/apache.erb
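Review bot: In `recipes/default.rb`, the `domains` array of the new `ssl_certificate` block is a hand-written copy of the `ServerAlias` names in `templates/default/apache.erb`, and this same commit has to fix a duplicated alias in that template, so the two lists can drift until a served name has no matching SAN. Defining the names once in the recipe and handing the same array to both `domains` and the site template (if `apache_site` accepts template variables, which is not visible here) would keep them in step. The vhost's `ServerName` is `node[:fqdn]`, which is not in `domains`; presumably HTTPS requests addressed to the machine's own FQDN will then fail hostname verification, so a comment such as `# node[:fqdn] is deliberately not covered by this certificate` would record that this is intended. The `apache_site` block that follows continues outside the hunk.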
@@ -5,18 +5,21 @@
 ServerName <%= node[:fqdn] %>
 ServerAlias nominatim.openstreetmap.org
 ServerAlias nominatim.osm.org
- ServerAlias nominatim.openstreetmap.org
+ ServerAlias nominatim.openstreetmap.com
 ServerAlias nominatim.openstreetmap.net
 ServerAlias nominatim.openstreetmaps.org
 ServerAlias nominatim.openmaps.org
 ServerAdmin webmaster@openstreetmap.org
 <% if port == 443 -%>
- #
 # Enable SSL
- #
 SSLEngine on
 SSLProxyEngine on
+ SSLCertificateFile /etc/ssl/certs/nominatim.openstreetmap.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/nominatim.openstreetmap.org.key
+<% else -%>
+ # Redirect ACME challenges for certificate issuance
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
 <% end -%>
 # Remove Proxy request header to mitigate https://httpoxy.org/
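Review bot: The added `SSLCertificateFile` and `SSLCertificateKeyFile` lines hard-code the `nominatim.openstreetmap.org` file names, which ties the template to the name of the `ssl_certificate` resource in `recipes/default.rb` without saying so; a rename on either side would leave Apache pointing at a missing or stale file on the next reload. No `SSLCertificateChainFile` is set, so the `.pem` is presumably expected to carry the intermediates as well as the leaf, and a comment like `# Written by ssl_certificate[nominatim.openstreetmap.org]; the .pem must include the chain` would make both assumptions checkable. In the `else` branch the redirect hands HTTP-01 validation for every name on this vhost to `acme.openstreetmap.org`, so the existing comment could say that this host answers challenges for all aliases. The enclosing virtual-host block is not visible here and starts and ends outside the hunk.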