From: Tom Hughes Date: Sun, 12 Feb 2017 10:20:55 +0000 (+0000) Subject: Switch gps-tile to letsencrypt X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/591c252f356e4f6d2f4e9ac08a199782ae05bc7c?ds=sidebyside Switch gps-tile to letsencrypt --- diff --git a/cookbooks/gps-tile/recipes/default.rb b/cookbooks/gps-tile/recipes/default.rb index c3bcfba98..593e69ad1 100644 --- a/cookbooks/gps-tile/recipes/default.rb +++ b/cookbooks/gps-tile/recipes/default.rb @@ -103,6 +103,19 @@ end apache_module "headers" +ssl_certificate "gps-tile.openstreetmap.org" do + domains ["gps-tile.openstreetmap.org", + "a.gps-tile.openstreetmap.org", + "b.gps-tile.openstreetmap.org", + "c.gps-tile.openstreetmap.org", + "gps.tile.openstreetmap.org", + "gps-a.tile.openstreetmap.org", + "gps-b.tile.openstreetmap.org", + "gps-c.tile.openstreetmap.org"] + fallback_certificate "tile.openstreetmap" + notifies :reload, "service[apache2]" +end + apache_site "gps-tile.openstreetmap.org" do template "apache.erb" end diff --git a/cookbooks/gps-tile/templates/default/apache.erb b/cookbooks/gps-tile/templates/default/apache.erb index 73564f543..7dbd24b41 100644 --- a/cookbooks/gps-tile/templates/default/apache.erb +++ b/cookbooks/gps-tile/templates/default/apache.erb @@ -3,16 +3,17 @@ <% [80, 443].each do |port| -%> > # Basic server configuration - ServerName <%= node[:fqdn] %> + ServerName gps-tile.openstreetmap.org + ServerAlias *.gps-tile.openstreetmap.org ServerAlias gps.tile.openstreetmap.org ServerAlias gps-*.tile.openstreetmap.org - ServerAlias gps-tile.openstreetmap.org - ServerAlias *.gps-tile.openstreetmap.org ServerAdmin webmaster@openstreetmap.org <% if port == 443 -%> # Enable SSL SSLEngine on + SSLCertificateFile /etc/ssl/certs/gps-tile.openstreetmap.org.pem + SSLCertificateKeyFile /etc/ssl/private/gps-tile.openstreetmap.org.key <% end -%> # Configure location of static files 
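Review bot: The `domains` list names only the a/b/c hosts, while the vhost in apache.erb (second file of this commit) still accepts `*.gps-tile.openstreetmap.org` and `gps-*.tile.openstreetmap.org`, so a client reaching port 443 under any other name matching those aliases would be served a certificate that does not cover it. Either narrow the aliases to the listed names or add a comment above the list, e.g. `# Must cover every name the vhost answers on 443; keep in sync with ServerAlias in apache.erb`. What `fallback_certificate "tile.openstreetmap"` covers is not visible here, so it is worth confirming that it also includes these names for the period before the first issuance.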
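Review bot: The `SSLCertificateFile` and `SSLCertificateKeyFile` paths repeat the certificate name from the recipe as literals, so renaming the `ssl_certificate` resource would leave the 443 vhost pointing at stale or missing files. That the resource writes to `/etc/ssl/certs/<name>.pem` and `/etc/ssl/private/<name>.key` is inferred from this commit rather than shown. If that holds, a comment such as `# Files managed by ssl_certificate[gps-tile.openstreetmap.org] in recipes/default.rb` above the two directives would document the coupling. The vhost block starts before and ends after this hunk.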
@@ -21,6 +22,9 @@ # Configure the CGI script that serves the tiles ScriptAlias /lines /srv/gps-tile.openstreetmap.org/updater/tile + # Redirect for ACMI challenge validation + RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/ + # Temporary redirect for old CGI location RedirectPermanent /gps-lines/tile /lines
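Review bot: The new comment says `ACMI` where `ACME` is meant, and it does not record that this redirect hands HTTP-01 validation for every name on this vhost to acme.openstreetmap.org. Suggested wording: `# Redirect for ACME challenge validation; acme.openstreetmap.org answers HTTP-01 for these names`. Because the directive sits inside the `[80, 443].each` loop it is also emitted for the 443 vhost, and `RedirectPermanent` sends a cacheable 301; a plain `Redirect` (302) limited to the port 80 vhost would be easier to change later. The enclosing vhost block continues outside the hunk.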