From: Tom Hughes
Date: Sun, 12 Feb 2017 14:41:42 +0000 (+0000)
Subject: Drop all use of SSLCertificateChainFile in apache configs
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/b0e794ecd4ca2669d1f34c563ed2cfcc8b37a06c
Drop all use of SSLCertificateChainFile in apache configs
---
diff --git a/cookbooks/apache/attributes/default.rb b/cookbooks/apache/attributes/default.rb
index ee69042c7..46feacd34 100644
--- a/cookbooks/apache/attributes/default.rb
+++ b/cookbooks/apache/attributes/default.rb
@@ -29,6 +29,5 @@ default[:apache][:event][:max_connections_per_child] = 0
 default[:apache][:listen_address] = "*"
 default[:apache][:ssl][:certificate] = "openstreetmap"
-default[:apache][:ssl][:certificate_chain] = "rapidssl"
 default[:apache][:buffered_logs] = true
diff --git a/cookbooks/apache/recipes/ssl.rb b/cookbooks/apache/recipes/ssl.rb
index 3e3941099..b9b2ca305 100644
--- a/cookbooks/apache/recipes/ssl.rb
+++ b/cookbooks/apache/recipes/ssl.rb
@@ -18,7 +18,6 @@
 #
 certificate = node[:apache][:ssl][:certificate]
-certificate_chain = node[:apache][:ssl][:certificate_chain]
 node.default[:ssl][:certificates] = node[:ssl][:certificates] | [certificate]
@@ -29,12 +28,11 @@ apache_module "ssl"
 apache_conf "ssl" do
 template "ssl.erb"
- variables :certificate => certificate, :certificate_chain => certificate_chain
+ variables :certificate => certificate
 notifies :reload, "service[apache2]"
 end
 apache = resources("service[apache2]")
-apache.subscribes(:restart, "cookbook_file[/etc/ssl/certs/#{certificate_chain}.pem]")
 apache.subscribes(:restart, "file[/etc/ssl/certs/#{certificate}.pem]")
 apache.subscribes(:restart, "file[/etc/ssl/private/#{certificate}.key]")
diff --git a/cookbooks/apache/templates/default/ssl.erb b/cookbooks/apache/templates/default/ssl.erb
index 63f0e21b0..e117eeaed 100644
--- a/cookbooks/apache/templates/default/ssl.erb
+++ b/cookbooks/apache/templates/default/ssl.erb
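Review bot: In cookbooks/apache/recipes/ssl.rb the only certificate resource Apache still subscribes to is `file[/etc/ssl/certs/#{certificate}.pem]`, so that file now has to hold the leaf certificate followed by its intermediates, and nothing visible in this commit shows that it does. SSLCertificateFile reads intermediates from that file only on httpd 2.4.8 or later, so a node on an older httpd would presumably serve the leaf alone, and the `SSLUseStapling On` kept in ssl.erb also depends on the issuer certificate being available. The same concern covers the ssl.erb hunk and roles/ridley.rb, where the removed chain (`startcom`) differed from the cookbook default (`rapidssl`). I would record the requirement next to the subscriptions, e.g. `# <certificate>.pem must contain the leaf followed by its intermediate chain (httpd >= 2.4.8); ssl.erb no longer sets SSLCertificateChainFile`.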
@@ -7,7 +7,6 @@ SSLCipherSuite <%= node[:ssl][:ciphers] -%>
 SSLCertificateFile /etc/ssl/certs/<%= @certificate %>.pem
 SSLCertificateKeyFile /etc/ssl/private/<%= @certificate %>.key
-SSLCertificateChainFile /etc/ssl/certs/<%= @certificate_chain %>.pem
 SSLUseStapling On
 SSLStaplingResponderTimeout 5
diff --git a/roles/ridley.rb b/roles/ridley.rb
index 7250ce893..13ba3dafd 100644
--- a/roles/ridley.rb
+++ b/roles/ridley.rb
@@ -7,8 +7,7 @@ default_attributes(
 },
 :apache => {
 :ssl => {
- :certificate => "osmfoundation",
- :certificate_chain => "startcom"
+ :certificate => "osmfoundation"
 }
 },
 :dhcpd => {