From: Tom Hughes
Date: Thu, 17 Oct 2013 17:17:29 +0000 (+0100)
Subject: Install the tile.openstreetmap.org certificate on tile servers
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/8eb231729d6b7e7911668f512b270dadd6223bba
Install the tile.openstreetmap.org certificate on tile servers
---
diff --git a/cookbooks/ssl/attributes/default.rb b/cookbooks/ssl/attributes/default.rb
new file mode 100644
index 000000000..c9f1dcd66
--- /dev/null
+++ b/cookbooks/ssl/attributes/default.rb
@@ -0,0 +1 @@
+default[:ssl][:certificate] = "openstreetmap"
diff --git a/cookbooks/ssl/files/default/tile.openstreetmap.pem b/cookbooks/ssl/files/default/tile.openstreetmap.pem
new file mode 100644
index 000000000..730bb5cb3
--- /dev/null
+++ b/cookbooks/ssl/files/default/tile.openstreetmap.pem
@@ -0,0 +1,30 @@ +-----BEGIN CERTIFICATE----- +MIIFNjCCBB6gAwIBAgIDDpOwMA0GCSqGSIb3DQEBBQUAMDwxCzAJBgNVBAYTAlVT +MRcwFQYDVQQKEw5HZW9UcnVzdCwgSW5jLjEUMBIGA1UEAxMLUmFwaWRTU0wgQ0Ew +HhcNMTMxMDE2MTIxMjQxWhcNMTcxMDE4MDc0OTI3WjCBxzEpMCcGA1UEBRMgR1g3 +Z1NuNS9OSnNiYUdrWlpLNHZ1U3dlTGNRZXZXTXMxEzARBgNVBAsTCkdUMTA5NTY2 +OTcxMTAvBgNVBAsTKFNlZSB3d3cucmFwaWRzc2wuY29tL3Jlc291cmNlcy9jcHMg +KGMpMTMxLzAtBgNVBAsTJkRvbWFpbiBDb250cm9sIFZhbGlkYXRlZCAtIFJhcGlk +U1NMKFIpMSEwHwYDVQQDDBgqLnRpbGUub3BlbnN0cmVldG1hcC5vcmcwggEiMA0G +CSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCsfSa4q/TOq5/FVGKxoNaY4T7dXIRS +jAH+dnm3zlStyD/o9N8kuf1cRYF/qGbezTKNTjnPljkjKrIZox6d0M3l3xJbzXcJ +MwNARmEYi8bHbkhU3G770pLSZh1kfhURUrBUVcAJcMD14nBB+DJHcH49Rnh3gu3L +PR5c9xfSziwRvyaYlpwPOa1xFOBGFWqCY59upPo1umF4lVsPrT2SAyHN0QpSClRx +cwUNE0mpA3M9Dv3omf0A6VLsvEKx6lTI7xIyT25OebnXu/i9YLHGu11T5N63MDd1 +t56coaPIsK8zCZ1qg/sjLr7xtNydn0BqCK287GuCYg7AtbYVMYpAGM7ZAgMBAAGj +ggGzMIIBrzAfBgNVHSMEGDAWgBRraT1qGEJK3Y8CZTn9NSSGeJEWMDAOBgNVHQ8B +Af8EBAMCBaAwHQYDVR0lBBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMCMGA1UdEQQc +MBqCGCoudGlsZS5vcGVuc3RyZWV0bWFwLm9yZzBDBgNVHR8EPDA6MDigNqA0hjJo +dHRwOi8vcmFwaWRzc2wtY3JsLmdlb3RydXN0LmNvbS9jcmxzL3JhcGlkc3NsLmNy +bDAdBgNVHQ4EFgQUbVPVOmq6XIVViPfD9h6ZqBKDtLIwDAYDVR0TAQH/BAIwADB4 +BggrBgEFBQcBAQRsMGowLQYIKwYBBQUHMAGGIWh0dHA6Ly9yYXBpZHNzbC1vY3Nw +Lmdlb3RydXN0LmNvbTA5BggrBgEFBQcwAoYtaHR0cDovL3JhcGlkc3NsLWFpYS5n +ZW90cnVzdC5jb20vcmFwaWRzc2wuY3J0MEwGA1UdIARFMEMwQQYKYIZIAYb4RQEH +NjAzMDEGCCsGAQUFBwIBFiVodHRwOi8vd3d3Lmdlb3RydXN0LmNvbS9yZXNvdXJj +ZXMvY3BzMA0GCSqGSIb3DQEBBQUAA4IBAQARlqO2Vy6UjSTYbz8TQYXhbY5f7rZC +hiuEx+isn3FWImnOFTSUf7aqX2HB0ZCuTrKSXy8/uxjl0Z4hZ5oDHH2Liaox10J4 +JAfUZMhPk67Tm+ammY2O5o8nubqy6EdgycU3+iayswIyxSABL29W4nhusJqhw6I9 +Zcxd1FErz+Al0qfuEBDxcuUaywhTolka8YFtflBoGTMPWwh8NHxc9zZhJ1JcLve2 +uY0c2wS2CJWGAsTFN6i0Xxy/jsuP23uXTmHSk7fKcV0UkdjiQB6+WP6OoFwWISM6 +YiuxK+wu50s8Cb2OJ12aBmojbEH/QBKJXIVBsbtumUA+3LEcUnor3nz7 +-----END CERTIFICATE----- 
diff --git a/cookbooks/ssl/recipes/default.rb b/cookbooks/ssl/recipes/default.rb
index 4bbcea471..a3a2708c4 100644
--- a/cookbooks/ssl/recipes/default.rb
+++ b/cookbooks/ssl/recipes/default.rb
@@ -29,17 +29,17 @@ cookbook_file "/etc/ssl/certs/rapidssl.pem" do
 backup false
 end
 
-cookbook_file "/etc/ssl/certs/openstreetmap.pem" do
+cookbook_file "/etc/ssl/certs/#{node[:ssl][:certificate]}.pem" do
 owner "root"
 group "root"
 mode 0444
 backup false
 end
 
-file "/etc/ssl/private/openstreetmap.key" do
+file "/etc/ssl/private/#{node[:ssl][:certificate]}.key" do
 owner "root"
 group "ssl-cert"
 mode 0440
- content keys["openstreetmap"].join("\n")
+ content keys[node[:ssl][:certificate]].join("\n")
 backup false
 end
diff --git a/roles/tilecache.rb b/roles/tilecache.rb
index daaaddf2c..3f3f3f08d 100644
--- a/roles/tilecache.rb
+++ b/roles/tilecache.rb
@@ -2,6 +2,9 @@ name "tilecache"
 description "Role applied to all tile cache servers"
 
 default_attributes(
+ :ssl => {
+ :certificate => "tile.openstreetmap"
+ },
 :sysctl => {
 :network_conntrack_time_wait => {
 :comment => "Only track completed connections for 30 seconds",
@@ -20,5 +23,6 @@ default_attributes(
 
 run_list(
 "role[geodns]",
+ "recipe[ssl]",
 "recipe[tilecache]"
 )
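Review bot: The lookup `keys[node[:ssl][:certificate]].join("\n")` in the `file` resource has no guard, so a node whose attribute names a certificate with no matching entry in `keys` fails the run with a NoMethodError on nil instead of a clear message. `keys` is loaded outside this hunk, so a `tile.openstreetmap` entry cannot be confirmed from here. Consider resolving it first with `key = keys[node[:ssl][:certificate]] || raise("no SSL key for #{node[:ssl][:certificate]}")` and passing `key.join("\n")` as the content. The same attribute is now interpolated into paths under `/etc/ssl/certs` and `/etc/ssl/private`, so a comment stating that it must be a bare file stem with no `/` would document the assumption. Nothing here removes a previously installed `.pem`/`.key` pair when the attribute changes, so an old private key may stay on a host that no longer needs it.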
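Review bot: The `:ssl => { :certificate => ... }` attribute added to `default_attributes` is a single scalar, so a node that combines this role with one expecting the cookbook default `"openstreetmap"` gets only one certificate/key pair, decided by attribute precedence. If that combination can occur (not visible in this hunk), it is worth a comment above the `:ssl` entry such as `# selects the cert/key pair installed by recipe[ssl]; needs a matching cookbook file and keys entry`. Adding `"recipe[ssl]"` to `run_list` also means every tile cache now receives the wildcard private key, which the role `description` could say.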