[erp5] don't use caucase generated certificate for now

The certificates generated by caucase are not supported by Caddy (see https://www.erp5.com/project_section/vifib/forum/Problem-with-caddy-frontend-and-caucase-0.95-issued-certificate-UNinzubDv0) /cc @rafael @alain.takoudjou /reviewed-on nexedi/slapos!531

[erp5] don't use caucase generated certificate for now
The certificates generated by caucase are not supported by Caddy (see https://www.erp5.com/project_section/vifib/forum/Problem-with-caddy-frontend-and-caucase-0.95-issued-certificate-UNinzubDv0) /cc @rafael @alain.takoudjou /reviewed-on nexedi/slapos!531
f8f72a17 · Thomas Gambier · Łukasz Nowak · 039ba746 · f8f72a17 · f8f72a17
Commit f8f72a17 authored Mar 12, 2019 by Thomas Gambier 🚴🏼 Committed by Łukasz Nowak Mar 12, 2019
Hide whitespace changes
Inline Side-by-side

Showing with 21 additions and 5 deletions

stack/erp5/buildout.hash.cfg stack/erp5/buildout.hash.cfg +1 -1

stack/erp5/instance-balancer.cfg.in stack/erp5/instance-balancer.cfg.in +20 -4

No files found.
--- a/stack/erp5/buildout.hash.cfg
+++ b/stack/erp5/buildout.hash.cfg
@@ -86,7 +86,7 @@ md5sum = 3a6c7dec898abc7d1506957154ef566e

 [template-balancer]
 filename = instance-balancer.cfg.in
-md5sum = 7fcedcacb0558e770cbb1c1d63322ea4
+md5sum = a2f795e5ed9537951ee70114111930b0

 [template-haproxy-cfg]
 filename = haproxy.cfg.in

--- a/stack/erp5/instance-balancer.cfg.in
+++ b/stack/erp5/instance-balancer.cfg.in
@@ -26,10 +26,10 @@ mode = 644
     updater_path='${directory:services-on-watch}/caucase-updater',
     url=ssl_parameter_dict['caucase-url'],
     data_dir='${directory:srv}/caucase-updater',
-     crt_path='${apache-conf-ssl:cert}',
+     crt_path='${apache-conf-ssl:caucase-cert}',
     ca_path='${apache-conf-ssl:ca-cert}',
     crl_path='${apache-conf-ssl:crl}',
-     key_path='${apache-conf-ssl:key}',
+     key_path='${apache-conf-ssl:caucase-key}',
     on_renew='${apache-graceful:output}',
     max_sleep=ssl_parameter_dict.get('max-crl-update-delay', 1.0),
     template_csr_pem=ssl_parameter_dict.get('csr'),
@@ -118,9 +118,25 @@ hash-files = ${haproxy-cfg:rendered}
 [apache-conf-ssl]
 cert = ${directory:apache-conf}/apache.crt
 key = ${directory:apache-conf}/apache.pem
+# XXX caucase certificate is not supported by caddy for now
+caucase-cert = ${directory:apache-conf}/apache-caucase.crt
+caucase-key = ${directory:apache-conf}/apache-caucase.pem
 ca-cert =  ${directory:apache-conf}/ca.crt
 crl = ${directory:apache-conf}/crl.pem

+[apache-ssl]
+{% if ssl_parameter_dict.get('key') -%}
+key = ${apache-ssl-key:rendered}
+cert = ${apache-ssl-cert:rendered}
+{{ simplefile('apache-ssl-key', '${apache-conf-ssl:key}', ssl_parameter_dict['key']) }}
+{{ simplefile('apache-ssl-cert', '${apache-conf-ssl:cert}', ssl_parameter_dict['cert']) }}
+{% else %}
+recipe = plone.recipe.command
+command = "{{ parameter_dict['openssl'] }}/bin/openssl" req -newkey rsa -batch -new -x509 -days 3650 -nodes -keyout "${:key}" -out "${:cert}"
+key = ${apache-conf-ssl:key}
+cert = ${apache-conf-ssl:cert}
+{%- endif %}
+
 [apache-conf-parameter-dict]
 backend-list = {{ dumps(apache_dict.values()) }}
 zope-virtualhost-monster-backend-dict = {{ dumps(zope_virtualhost_monster_backend_dict) }}
@@ -132,8 +148,8 @@ access-log = ${directory:log}/apache-access.log
 # Apache 2.4's default value (60 seconds) can be a bit too short
 timeout = 300
 # Basic SSL server configuration
-cert = ${apache-conf-ssl:cert}
-key = ${apache-conf-ssl:key}
+cert = ${apache-ssl:cert}
+key = ${apache-ssl:key}
 cipher =
 ssl-session-cache = ${directory:log}/apache-ssl-session-cache
 # Client x509 auth