Use ssl_certificate cookbook for the HTTPS certificate

zuazo · Sep 16, 2015 · f08b336 · f08b336
1 parent 2d42783
commit f08b336
Show file tree

Hide file tree

Showing 10 changed files with 62 additions and 253 deletions.
diff --git a/README.md b/README.md
@@ -27,6 +27,7 @@ Requirements
 * php-fpm
 * postfix
 * postgresql
+* ssl_certificate
 
 ## Required Applications
 
@@ -442,9 +443,9 @@ run_list(
 )
 ```
 
-## Custom SSL Certificate
+## The HTTPS Certificate
 
-OwnCloud will accept SSL requests when `node['owncloud']['ssl']` is set to `true`. By default the cookbook will create a self-signed certificate, but a custom one can also be used.
+OwnCloud will accept HTTPS requests when `node['owncloud']['ssl']` is set to `true`. By default the cookbook will create a self-signed certificate, but a custom one can also be used.
 
 The custom certificate can be read from several sources:
 
@@ -454,7 +455,16 @@ The custom certificate can be read from several sources:
 * Chef Vault
 * File
 
-### Custom SSL certificate from an Attribute
+This cookbook uses the [`ssl_certificate`](https://supermarket.chef.io/cookbooks/ssl_certificate) cookbook to create the HTTPS certificate. The namespace used is `node['owncloud']`. For example:
+
+```ruby
+node.default['owncloud']['common_name'] = 'owncloud.example.com'
+include_recipe 'owncloud'
+```
+
+See the [`ssl_certificate` namespace documentation](https://supermarket.chef.io/cookbooks/ssl_certificate#namespaces) for more information.
+
+### Custom HTTPS certificate from an Attribute
 
 ```ruby
 name "owncloud_ssl_attribute"
@@ -478,7 +488,7 @@ run_list(
 )
 ```
 
-### Custom SSL certificate from a Data Bag
+### Custom HTTPS certificate from a Data Bag
 
 ```ruby
 name "owncloud_ssl_data_bag"
@@ -509,7 +519,7 @@ run_list(
 )
 ```
 
-### Custom SSL certificate from Chef Vault
+### Custom HTTPS certificate from Chef Vault
 
 ```ruby
 name "owncloud_ssl_chef_vault"
@@ -537,7 +547,7 @@ run_list(
 )
 ```
 
-### Custom SSL certificate from file
+### Custom HTTPS certificate from file
 
 This is usefull if you create the certificate on another cookbook.
 

diff --git a/libraries/certificate.rb b/libraries/certificate.rb
diff --git a/libraries/recipe_helpers.rb b/libraries/recipe_helpers.rb
diff --git a/metadata.rb b/metadata.rb
@@ -22,6 +22,7 @@
 depends 'php-fpm', '~> 0.7'
 depends 'postfix', '~> 3.0'
 depends 'postgresql', '~> 3.4'
+depends 'ssl_certificate', '~> 1.1'
 
 suggests 'git'
 

diff --git a/recipes/_apache.rb b/recipes/_apache.rb
@@ -17,8 +17,6 @@
 # limitations under the License.
 #
 
-Chef::Recipe.send(:include, OwnCloud::RecipeHelpers)
-
 #==============================================================================
 # Set up Apache httpd webserver
 #==============================================================================
@@ -47,7 +45,10 @@
 if node['owncloud']['ssl']
   include_recipe 'apache2::mod_ssl'
 
-  ssl_key_path, ssl_cert_path = generate_certificate
+  cert = ssl_certificate 'owncloud' do
+    namespace node['owncloud']
+    notifies :restart, 'service[apache2]'
+  end
 
   # Create SSL virtualhost
   web_app 'owncloud-ssl' do
@@ -56,8 +57,10 @@
     server_name node['owncloud']['server_name']
     server_aliases node['owncloud']['server_aliases']
     port '443'
-    ssl_key ssl_key_path
-    ssl_cert ssl_cert_path
+    ssl_key cert.key_path
+    ssl_cert cert.cert_path
+    ssl_chain cert.chain_path
+    ssl true
     max_upload_size node['owncloud']['max_upload_size']
     sendfile node['owncloud']['sendfile']
     enable true

diff --git a/recipes/_nginx.rb b/recipes/_nginx.rb
@@ -17,8 +17,6 @@
 # limitations under the License.
 #
 
-Chef::Recipe.send(:include, OwnCloud::RecipeHelpers)
-
 #==============================================================================
 # Set up nginx webserver
 #==============================================================================
@@ -58,7 +56,10 @@
 
 # SSL certs and port
 if node['owncloud']['ssl']
-  ssl_key_path, ssl_cert_path = generate_certificate
+  cert = ssl_certificate 'owncloud' do
+    namespace node['owncloud']
+    notifies :restart, 'service[nginx]' # TODO: reload?
+  end
 
   # Create virtualhost for ownCloud
   template File.join(node['nginx']['dir'], 'sites-available', 'owncloud-ssl') do
@@ -73,8 +74,9 @@
       :docroot => node['owncloud']['dir'],
       :port => 443,
       :fastcgi_pass => fastcgi_pass,
-      :ssl_key => ssl_key_path,
-      :ssl_cert => ssl_cert_path,
+      :ssl_key => cert.key_path,
+      :ssl_cert => cert.chain_combined_path,
+      :ssl => true,
       :max_upload_size => node['owncloud']['max_upload_size'],
       :sendfile => node['owncloud']['sendfile']
     )

diff --git a/templates/default/apache_vhost.erb b/templates/default/apache_vhost.erb
@@ -1,3 +1,5 @@
+# Generated by Chef
+
 <VirtualHost *:<%= @params[:port] ? @params[:port] : '80' %>>
   ServerAdmin <%= node['apache']['contact'] %>
 <% if @params[:server_name].kind_of? String -%>
@@ -23,26 +25,10 @@
   ErrorLog <%= node['apache']['log_dir'] %>/<%= @params[:name] %>-error.log
   CustomLog <%= node['apache']['log_dir'] %>/<%= @params[:name] %>-access.log combined
 
-<% if @params[:port].to_s == '443' -%>
-  # ----------------- #
-  # SSL Configuration #
-  # ----------------- #
-
-  SSLEngine on
-
-  SSLCertificateFile    <%= @params[:ssl_cert] %>
-  SSLCertificateKeyFile <%= @params[:ssl_key] %>
-
-  BrowserMatch "MSIE [2-6]" \
-    nokeepalive ssl-unclean-shutdown \
-    downgrade-1.0 force-response-1.0
-  # MSIE 7 and newer should be able to use keepalive
-  BrowserMatch "MSIE [17-9]" ssl-unclean-shutdown
-
-  # Accept strong encryption only
-  SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4+RSA:+HIGH:+MEDIUM
-
+<% if @params[:ssl] -%>
+  <%= render 'apache.erb', cookbook: 'ssl_certificate', variables: @params.merge(node: node) %>
 <% end -%>
+
 <% if @params[:max_upload_size] -%>
   <IfModule mod_php5.c>
     php_admin_value upload_max_filesize "<%= @params[:max_upload_size] %>"