From 7a0adccf14d7904d35c06822ae0c4ffffbeb740a Mon Sep 17 00:00:00 2001
From: Tom Hughes
Date: Sun, 12 Feb 2017 10:38:12 +0000
Subject: [PATCH] Switch help.osm.org to letsencrypt
---
 cookbooks/osqa/recipes/default.rb | 14 ++++++++++----
 cookbooks/osqa/templates/default/apache.erb | 3 +++
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/cookbooks/osqa/recipes/default.rb b/cookbooks/osqa/recipes/default.rb
index 50ee08a3d..482d73d88 100644
--- a/cookbooks/osqa/recipes/default.rb
+++ b/cookbooks/osqa/recipes/default.rb
@@ -38,8 +38,8 @@ apache_module "rewrite"
 apache_module "wsgi"
 node[:osqa][:sites].each do |site|
- name = site[:name]
- directory = site[:directory] || "/srv/#{name}"
+ site_name = site[:name]
+ directory = site[:directory] || "/srv/#{site_name}"
 site_user = site[:user] || node[:osqa][:user]
 site_user = Etc.getpwuid(site_user).name if site_user.is_a?(Integer)
 site_group = site[:group] || node[:osqa][:group] || Etc.getpwnam(site_user).gid
@@ -49,7 +49,13 @@ node[:osqa][:sites].each do |site|
 database_password = site[:database_user] || node[:osqa][:database_password]
 backup_name = site[:backup]
- apache_site name do
+ ssl_certificate site_name do
+ domains site_name
+ fallback_certificate "openstreetmap"
+ notifies :reload, "service[apache2]"
+ end
+
+ apache_site site_name do
 template "apache.erb"
 directory directory
 variables :user => site_user, :group => site_group
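Review bot: The context line `database_password = site[:database_user] || node[:osqa][:database_password]` at the top of the second hunk reads the per-site override from `:database_user`, so a site that sets its own database user would have that user name written into the settings file as the password. The line predates this commit, but the commit edits the same block and leaves it in place; it presumably should be `database_password = site[:database_password] || node[:osqa][:database_password]`. The `each` block starts before this hunk and continues after it, so how `database_password` is used further down should be checked against this.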
@@ -101,7 +107,7 @@ node[:osqa][:sites].each do |site|
 line.gsub!(/^( *)'PASSWORD': '.*',/, "\\1'PASSWORD': '#{database_password}',")
 line.gsub!(/^ALLOWED_HOSTS = .*/, "ALLOWED_HOSTS = ('help.openstreetmap.org',)")
 line.gsub!(/^CACHE_BACKEND = .*/, "CACHE_BACKEND = 'memcached://127.0.0.1:11211/'")
- line.gsub!(%r{^APP_URL = 'http://'}, "APP_URL = 'http://#{name}'")
+ line.gsub!(%r{^APP_URL = 'http://'}, "APP_URL = 'https://#{site_name}'")
 line.gsub!(%r{^TIME_ZONE = 'America/New_York'}, "TIME_ZONE = 'Europe/London'")
 line.gsub!(/^DISABLED_MODULES = \[([^\]]+)\]/, "DISABLED_MODULES = [\\1, 'localauth', 'facebookauth', 'oauthauth']")
diff --git a/cookbooks/osqa/templates/default/apache.erb b/cookbooks/osqa/templates/default/apache.erb
index 665cdd7ef..71ae69b7b 100644
--- a/cookbooks/osqa/templates/default/apache.erb
+++ b/cookbooks/osqa/templates/default/apache.erb
@@ -9,6 +9,7 @@ WSGIDaemonProcess <%= @name %> user=<%= @user %> group=<%= @group %> processes=4
 CustomLog /var/log/apache2/<%= @name %>-access.log combined
 ErrorLog /var/log/apache2/<%= @name %>-error.log
+ RedirectPermanent /.well-known/acme-challenge/ http://acme.openstreetmap.org/.well-known/acme-challenge/
 RedirectPermanent / https://<%= @name %>/
@@ -17,6 +18,8 @@ WSGIDaemonProcess <%= @name %> user=<%= @user %> group=<%= @group %> processes=4
 ServerAdmin webmaster@openstreetmap.org
 SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/<%= @name %>.pem
+ SSLCertificateKeyFile /etc/ssl/private/<%= @name %>.key
 CustomLog /var/log/apache2/<%= @name %>-access.log combined
 ErrorLog /var/log/apache2/<%= @name %>-error.log
--
2.45.1
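Review bot: `APP_URL` is now built from `site_name`, but the `ALLOWED_HOSTS` substitution two lines above it still hard-codes `'help.openstreetmap.org'`, so any entry in `node[:osqa][:sites]` with a different name would get a canonical URL whose host the application's host validation then rejects. Deriving both from the same value keeps them in step: `line.gsub!(/^ALLOWED_HOSTS = .*/, "ALLOWED_HOSTS = ('#{site_name}',)")`. Separately, the pattern matches only the literal `APP_URL = 'http://'`, so this relies on the settings file always being rendered from the pristine template; that part of the block is outside the hunk and should be confirmed.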
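Review bot: The new ACME redirect only works because it is listed before the catch-all `RedirectPermanent /`; mod_alias applies the first matching redirect in configuration order, and nothing in the template records that dependency. A comment above the added line, `# Keep before the catch-all redirect: the first matching Redirect wins`, would stop a later reorder from silently breaking certificate renewal. The same comment could note that issuance for this name depends on `acme.openstreetmap.org` answering the HTTP-01 challenge. The enclosing virtual host block is not visible in the hunk.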
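Review bot: Nothing in this hunk or in the recipe shows whether `/etc/ssl/certs/<%= @name %>.pem` carries the intermediate chain as well as the leaf certificate. With only `SSLCertificateFile` and `SSLCertificateKeyFile` set, clients that do not already hold the issuer's intermediate will fail validation unless that PEM is a full chain. If the `ssl_certificate` resource writes a full chain, a one-line comment such as `# <name>.pem holds leaf + intermediates, written by ssl_certificate` would record the assumption; if it writes only the leaf, the chain needs configuring here. The enclosing virtual host starts and ends outside the hunk.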