From f8f72a17eaea0e2d22478dd97fbbec120b544508 Mon Sep 17 00:00:00 2001
From: Thomas Gambier <thomas.gambier@nexedi.com>
Date: Tue, 12 Mar 2019 12:20:39 +0100
Subject: [PATCH] [erp5] don't use caucase generated certificate for now

The certificates generated by caucase are not supported by Caddy (see https://www.erp5.com/project_section/vifib/forum/Problem-with-caddy-frontend-and-caucase-0.95-issued-certificate-UNinzubDv0)

/cc @rafael @alain.takoudjou

/reviewed-on https://lab.nexedi.com/nexedi/slapos/merge_requests/531
---
 stack/erp5/buildout.hash.cfg        |  2 +-
 stack/erp5/instance-balancer.cfg.in | 24 ++++++++++++++++++++----
 2 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/stack/erp5/buildout.hash.cfg b/stack/erp5/buildout.hash.cfg
index 0769bce84..016f38ee8 100644
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e
 
 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
+md5sum = a2f795e5ed9537951ee70114111930b0
 
 [template-haproxy-cfg]
 filename = haproxy.cfg.in
diff --git a/stack/erp5/instance-balancer.cfg.in b/stack/erp5/instance-balancer.cfg.in
index 2752f1fba..25156db54 100644
--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -26,10 +26,10 @@ mode = 644
      updater_path='${directory:services-on-watch}/caucase-updater',
      url=ssl_parameter_dict['caucase-url'],
      data_dir='${directory:srv}/caucase-updater',
-     crt_path='${apache-conf-ssl:cert}',
+     crt_path='${apache-conf-ssl:caucase-cert}',
      ca_path='${apache-conf-ssl:ca-cert}',
      crl_path='${apache-conf-ssl:crl}',
-     key_path='${apache-conf-ssl:key}',
+     key_path='${apache-conf-ssl:caucase-key}',
      on_renew='${apache-graceful:output}',
      max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
      template_csr_pem=ssl_parameter_dict.get('csr'),
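Review bot: With `crt_path`/`key_path` redirected to the `caucase-cert`/`caucase-key` files, the caucase updater still issues and renews a certificate that nothing in this balancer serves, and `on_renew='${apache-graceful:output}'` on the unchanged line below keeps firing on every renewal, which by its name presumably restarts the frontend for a certificate it does not use. Either drop `on_renew` while the caucase certificate is parked, or state the intent near the call in a `{# ... #}` Jinja comment such as `{# caucase cert is written but not served: caddy rejects it, see [apache-ssl] #}` so the next reader does not take the unused files for the live ones. The updater macro call this hunk sits in starts and ends outside the hunk.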
@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 ca-cert =  ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem
 
+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
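Review bot: The guard on the new `[apache-ssl]` section tests only `ssl_parameter_dict.get('key')`, yet the branch indexes both `ssl_parameter_dict['key']` and `ssl_parameter_dict['cert']`, so a parameter set that supplies a key without a certificate fails at template rendering with a KeyError instead of taking the fallback; `{% if ssl_parameter_dict.get('key') and ssl_parameter_dict.get('cert') -%}` makes the condition match what the branch needs. In the else branch `plone.recipe.command` does not abort buildout on a non-zero exit by default, so a failing openssl invocation leaves `${:key}`/`${:cert}` missing and the error surfaces only when the frontend starts; adding `stop-on-error = true` to the section makes it fail at instantiation. The fallback is a self-signed certificate valid for ten years (`-days 3650`), a change in trust from the caucase-issued one it replaces; the `# XXX` line above `caucase-cert` could record that, e.g. `# XXX caddy rejects caucase-issued certificates; [apache-ssl] serves the user-supplied or a self-signed one until this is resolved`.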
@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 # Client x509 auth
-- 
2.30.9