From: Tom Hughes
Date: Sat, 11 Feb 2017 20:33:34 +0000 (+0000)
Subject: Switch donate.osm.org to letsencrypt
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/42bcc22d183308b136571a77af3f80dd3fd72f06

Switch donate.osm.org to letsencrypt
---
diff --git a/cookbooks/donate/recipes/default.rb b/cookbooks/donate/recipes/default.rb
index b354a335a..1c0a436f0 100644
--- a/cookbooks/donate/recipes/default.rb
+++ b/cookbooks/donate/recipes/default.rb
@@ -82,6 +82,12 @@ template "/srv/donate.openstreetmap.org/scripts/db-connect.inc.php" do
 variables :passwords => passwords
 end
 
+ssl_certificate "donate.openstreetmap.org" do
+ domains ["donate.openstreetmap.org", "donate.openstreetmap.com",
+ "donate.openstreetmap.net", "donate.osm.org"]
+ notifies :reload, "service[apache2]"
+end
+
 apache_site "donate.openstreetmap.org" do
 template "apache.erb"
 end
diff --git a/cookbooks/donate/templates/default/apache.erb b/cookbooks/donate/templates/default/apache.erb
index 20f00e10c..9404ad13a 100644
--- a/cookbooks/donate/templates/default/apache.erb
+++ b/cookbooks/donate/templates/default/apache.erb
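Review bot: The `domains` list in the added `ssl_certificate` block repeats the four hostnames that `apache.erb` declares as ServerName/ServerAlias, and nothing ties the two lists together. If a name is later added to the vhost but not here, clients reaching it over HTTPS will get a certificate hostname mismatch. A comment above the resource such as `# Must list every ServerName/ServerAlias in templates/default/apache.erb` would make that coupling explicit. It is also not visible from this hunk what `ssl_certificate` leaves on disk before the first certificate is issued, so it is worth confirming that Apache can still reload when the key and certificate paths referenced by the 443 vhost do not yet hold an issued certificate.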
@@ -3,40 +3,29 @@ <% [80, 443].each do |port| -%> > - ServerName donate.openstreetmap.org + ServerName donate.openstreetmap.org ServerAlias donate.openstreetmap.com ServerAlias donate.openstreetmap.net - ServerAlias donate.osm.org - ServerAlias donate.osm.org.za - ServerAlias donate.openstreetmap.org.za - ServerAlias donate.openstreetmap.org.uk - ServerAlias donate.openstreetmap.co.uk + ServerAlias donate.osm.org - ServerAdmin webmaster@openstreetmap.org + ServerAdmin webmaster@openstreetmap.org <% if port == 80 -%> - # Redirect to secure site - Redirect permanent / https://donate.openstreetmap.org/ + RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + RedirectPermanent / https://donate.openstreetmap.org/ <% end -%> <% if port == 443 -%> - # - # Enable SSL - # - SSLEngine on - SSLCertificateFile /etc/ssl/certs/openstreetmap.pem - SSLCertificateKeyFile /etc/ssl/private/openstreetmap.key - SSLCertificateChainFile /etc/ssl/certs/rapidssl.pem - - # HSTS (mod_headers is required) - Header always set Strict-Transport-Security "max-age=300" + SSLEngine on + SSLCertificateFile /etc/ssl/certs/donate.openstreetmap.org.pem + SSLCertificateKeyFile /etc/ssl/private/donate.openstreetmap.org.key <% end -%> - CustomLog /var/log/apache2/donate.openstreetmap.org-access.log combined - ErrorLog /var/log/apache2/donate.openstreetmap.org-error.log + CustomLog /var/log/apache2/donate.openstreetmap.org-access.log combined + ErrorLog /var/log/apache2/donate.openstreetmap.org-error.log - Options -Indexes + Options -Indexes - DocumentRoot /srv/donate.openstreetmap.org + DocumentRoot /srv/donate.openstreetmap.org php_admin_value open_basedir /srv/donate.openstreetmap.org/:/usr/share/php/:/tmp/ php_admin_value disable_functions "exec,shell_exec,system,passthru,popen,proc_open"
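Review bot: The rewritten 443 branch drops `Header always set Strict-Transport-Security "max-age=300"` and nothing in the visible hunk replaces it, so unless the header is now set globally for this host, browsers lose the HSTS policy on the donation site. If it is not set elsewhere, keep that line inside the `<% if port == 443 -%>` block. The same hunk removes the `.org.za`, `.org.uk` and `.co.uk` aliases; if DNS for those names still points at this server, requests will fall through to the default vhost and be served a certificate that does not cover them. `SSLCertificateChainFile` is also gone, which presumably relies on the new `.pem` carrying the full chain and should be confirmed. The enclosing vhost block and the `each` loop close outside this hunk.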