From: Tom Hughes <tom@compton.nu>
Date: Mon, 13 Feb 2017 15:38:53 +0000 (+0000)
Subject: Switch logstash.osm.org to letsencrypt
X-Git-Url: https://git.openstreetmap.org/chef.git/commitdiff_plain/e4e612e66a9f8af22e80da81814f08a66c2555fd

Switch logstash.osm.org to letsencrypt
---

diff --git a/cookbooks/kibana/recipes/default.rb b/cookbooks/kibana/recipes/default.rb
index 160d3233c..8c7db202f 100644
--- a/cookbooks/kibana/recipes/default.rb
+++ b/cookbooks/kibana/recipes/default.rb
@@ -91,6 +91,12 @@ node[:kibana][:sites].each do |name, details|
     supports :status => true, :restart => true, :reload => false
   end
 
+  ssl_certificate details[:site] do
+    domains details[:site]
+    fallback_certificate "openstreetmap"
+    notifies :reload, "service[apache2]"
+  end
+
   apache_site details[:site] do
     template "apache.erb"
     variables details.merge(:passwd => "/etc/kibana/#{name}.passwd")
diff --git a/cookbooks/kibana/templates/default/apache.erb b/cookbooks/kibana/templates/default/apache.erb
index b9f50de53..0691d8a31 100644
--- a/cookbooks/kibana/templates/default/apache.erb
+++ b/cookbooks/kibana/templates/default/apache.erb
@@ -7,6 +7,7 @@
    CustomLog /var/log/apache2/<%= @site %>-access.log combined
    ErrorLog /var/log/apache2/<%= @site %>-error.log
 
+   RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
    Redirect permanent / https://<%= @site %>/
 </VirtualHost>
 
@@ -19,6 +20,8 @@
 
    SSLEngine on
    SSLProxyEngine on
+   SSLCertificateFile /etc/ssl/certs/<%= @site %>.pem
+   SSLCertificateKeyFile /etc/ssl/private/<%= @site %>.key
 
    ProxyPass / http://127.0.0.1:<%= @port %>/