From 1ad79f5beef3408caa34cf502be456dc66159667 Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sat, 18 Feb 2017 11:36:39 +0000
Subject: [PATCH] Switch main web site to letsencrypt
---
 cookbooks/web/recipes/rails.rb | 8 ++++++++
 cookbooks/web/templates/default/apache.backend.erb | 2 ++
 cookbooks/web/templates/default/apache.frontend.erb | 11 ++++++++++-
 3 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/cookbooks/web/recipes/rails.rb b/cookbooks/web/recipes/rails.rb
index 90efbb421..4095be1bc 100644
--- a/cookbooks/web/recipes/rails.rb
+++ b/cookbooks/web/recipes/rails.rb
@@ -28,6 +28,14 @@ include_recipe "nodejs"
 web_passwords = data_bag_item("web", "passwords")
 db_passwords = data_bag_item("db", "passwords")
+ssl_certificate "www.openstreetmap.org" do
+ domains ["www.openstreetmap.org", "www.osm.org",
+ "api.openstreetmap.org", "api.osm.org",
+ "openstreetmap.org", "osm.org"]
+ fallback_certificate "openstreetmap"
+ notifies :reload, "service[apache2]"
+end
+
 nodejs_package "svgo"
 template "/etc/cron.hourly/passenger" do
diff --git a/cookbooks/web/templates/default/apache.backend.erb b/cookbooks/web/templates/default/apache.backend.erb
index 5ec7c78c6..5392f4c1b 100644
--- a/cookbooks/web/templates/default/apache.backend.erb
+++ b/cookbooks/web/templates/default/apache.backend.erb
@@ -14,6 +14,8 @@
 # Enable SSL
 #
 SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 <% end -%>
 #
diff --git a/cookbooks/web/templates/default/apache.frontend.erb b/cookbooks/web/templates/default/apache.frontend.erb
index ceaf4874b..165b4adfc 100644
--- a/cookbooks/web/templates/default/apache.frontend.erb
+++ b/cookbooks/web/templates/default/apache.frontend.erb
@@ -15,6 +15,8 @@
 #
 SSLEngine on
 SSLProxyEngine on
+ SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 <% end -%>
 #
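Review bot: The `ssl_certificate` block requests one certificate and key for six names, including the `api.*` and apex names, and nothing in the hunk records what `fallback_certificate "openstreetmap"` is for or which hosts end up holding the key. Since both apache.backend.erb and apache.frontend.erb in this patch point at `/etc/ssl/private/www.openstreetmap.org.key`, every machine running this recipe presumably stores the same private key, so a compromise of any one of them affects all six names. I would add a comment above the block such as `# One letsencrypt certificate shared by all web frontends and backends; "openstreetmap" is used until it has been issued (confirm against the ssl_certificate resource)`. If the backends are only reached through the frontend proxy, a separate certificate limited to the names they serve would narrow that exposure.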
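Review bot: The two added directives in apache.backend.erb install the leaf certificate and key but no chain directive, so whether clients receive the Let's Encrypt intermediate depends on `www.openstreetmap.org.pem` containing it, which this hunk does not show. Apache 2.4.8 and later read intermediates from `SSLCertificateFile`; older versions need `SSLCertificateChainFile`. A comment next to the directive would pin the assumption down, for example `# www.openstreetmap.org.pem must hold the leaf certificate followed by the issuing chain`. The same pair of lines is added at `@@ -15,6 +15,8 @@` and `@@ -303,6 +310,8 @@` in apache.frontend.erb, where the same applies.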
@@ -56,7 +58,7 @@
 # Block changeset scraper
 #
 RewriteCond %{HTTP_USER_AGENT} "OSMApp Tuner"
- RewriteRule . - [F,L]
+ RewriteRule . - [F,L]
 #
 # Block requests for the old 404 map tile
@@ -199,6 +201,11 @@
 ProxyPass /api/0.6/relations balancer://backend/api/0.6/relations
 ProxyPassMatch ^(/trace/[0-9]+/data(|/|.xml))$ balancer://backend$1
+ #
+ # Redirect ACME certificate challenges
+ #
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
+
 #
 # Redirect trac and wiki requests to the right places
 #
@@ -303,6 +310,8 @@
 ServerAlias *
 SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/www.openstreetmap.org.pem
+ SSLCertificateKeyFile /etc/ssl/private/www.openstreetmap.org.key
 RedirectPermanent / https://www.openstreetmap.org/
-- 
2.43.2
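Review bot: The added `RedirectPermanent` at `@@ -199,6 +201,11 @@` hands every HTTP-01 challenge for the names on this site to acme.openstreetmap.org, so that host becomes able to obtain certificates for all of them and should be treated as being as sensitive as the web frontends; the comment above the directive does not say so. I would extend it to something like `# Challenges are answered centrally by acme.openstreetmap.org, which can therefore request certificates for every name served here`. A 301 is also cached by clients, so `Redirect 302 /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/` would be easier to withdraw later. The hunk does not show which virtual host encloses the directive, so it is worth checking that the port 80 virtual host for each certificate name carries it.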