authorelijah <elijah@riseup.net>2017-05-26 16:41:51 -0700
committerMicah Anderson <micah@riseup.net>2017-05-30 17:21:52 -0400
commit1e463c6638a05a237d660f458f5a147353be3fc1 (patch)
tree66eb49ffa0c44882d8a380795bbaa36003907911
parent2533f6f978bd3f0ee8187ee8827eb94b7e696377 (diff)
static - support for renewing certs with let's encrypt for static sites
-rw-r--r--lib/leap_cli/commands/cert.rb54
-rw-r--r--provider_base/common.json3
-rw-r--r--provider_base/services/static.rb2
-rw-r--r--provider_base/services/webapp.json3
-rw-r--r--provider_base/services/webapp.rb2
-rw-r--r--puppet/modules/site_static/manifests/domain.pp13
-rw-r--r--puppet/modules/site_static/templates/apache.conf.erb10
7 files changed, 55 insertions, 32 deletions
diff --git a/lib/leap_cli/commands/cert.rb b/lib/leap_cli/commands/cert.rb
index 1c67ae67..81f45eb5 100644
--- a/lib/leap_cli/commands/cert.rb
+++ b/lib/leap_cli/commands/cert.rb
@@ -337,31 +337,41 @@ module LeapCli; module Commands
# This method will bail if any checks fail.
#
def domain_ready_for_acme!(domain)
- begin
- uri = URI("https://#{domain}/.well-known/acme-challenge/ok")
- options = {
- use_ssl: true,
- open_timeout: 5,
- verify_mode: OpenSSL::SSL::VERIFY_NONE
- }
- Net::HTTP.start(uri.host, uri.port, options) do |http|
- http.request(Net::HTTP::Get.new(uri)) do |response|
- if !response.is_a?(Net::HTTPSuccess)
- bail!(:error, "Could not GET %s" % uri) do
- log "%s %s" % [response.code, response.message]
- log "You may need to run `leap deploy`"
- end
+ uri = URI("https://#{domain}/.well-known/acme-challenge/ok")
+ options = {
+ use_ssl: true,
+ open_timeout: 5,
+ verify_mode: OpenSSL::SSL::VERIFY_NONE
+ }
+ http_get(uri, options)
+ end
+
+ private
+
+ def http_get(uri, options, limit = 10)
+ raise ArgumentError, "HTTP redirect too deep (#{uri})" if limit == 0
+ Net::HTTP.start(uri.host, uri.port, options) do |http|
+ http.request(Net::HTTP::Get.new(uri)) do |response|
+ case response
+ when Net::HTTPSuccess then
+ return response
+ when Net::HTTPRedirection then
+ return http_get(URI(response['location']), options, limit - 1)
+ else
+ bail!(:error, "Could not GET %s" % uri) do
+ log "%s %s" % [response.code, response.message]
+ log "You may need to run `leap deploy`"
end
end
end
- rescue Errno::ETIMEDOUT, Net::OpenTimeout
- bail! :error, "Connection attempt timed out: %s" % uri
- rescue Interrupt
- bail!
- rescue StandardError => exc
- bail!(:error, "Could not GET %s" % uri) do
- log exc.to_s
- end
+ end
+ rescue Errno::ETIMEDOUT, Net::OpenTimeout
+ bail! :error, "Connection attempt timed out: %s" % uri
+ rescue Interrupt
+ bail!
+ rescue StandardError => exc
+ bail!(:error, "Could not GET %s" % uri) do
+ log exc.to_s
end
end
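Review bot: The redirect branch hands the raw header to `URI()` at `return http_get(URI(response['location']), options, limit - 1)`, so a relative `Location: /path` produces a URI with no host and `Net::HTTP.start(nil, nil, ...)` fails, and a missing header raises an ArgumentError that surfaces only as the generic "Could not GET" message. Resolving against the request URI fixes both: `target = uri.merge(response.fetch('location'))` then `return http_get(target, options.merge(use_ssl: target.scheme == 'https'), limit - 1)`; the `use_ssl` override matters because `options` is reused unchanged on every hop, so a redirect to an `http://` URL would currently attempt TLS on port 80. Note also that cross-host redirects are followed, so the readiness check can pass because the redirect target serves the challenge path rather than `domain` itself; if that is not the intent, compare `target.host` with `uri.host` before recursing. The `limit == 0` guard is safer as `limit <= 0`.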
diff --git a/provider_base/common.json b/provider_base/common.json
index 41e1daa3..97519950 100644
--- a/provider_base/common.json
+++ b/provider_base/common.json
@@ -12,7 +12,8 @@
"name": "= node.name + '.' + (dns.public ? domain.full_suffix : domain.internal_suffix)"
},
"dns": {
- "public": "= service_type != 'internal_service'"
+ "public": "= service_type != 'internal_service'",
+ "aliases": []
},
"ssh": {
"authorized_keys": "= authorized_keys",
diff --git a/provider_base/services/static.rb b/provider_base/services/static.rb
new file mode 100644
index 00000000..d020ba26
--- /dev/null
+++ b/provider_base/services/static.rb
@@ -0,0 +1,2 @@
+self['dns']['aliases'] += self.static.domains.keys
+self['dns']['aliases'].uniq!
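Review bot: The two statements can be a single assignment, since the return value of `uniq!` is discarded and `+=` already rebinds the key to a fresh array: `self['dns']['aliases'] = (self['dns']['aliases'] + self.static.domains.keys).uniq`; the same applies to the identical pair in provider_base/services/webapp.rb. Both files assume `dns.aliases` is an Array, which holds for the `"aliases": []` default added to common.json in this commit, but a provider-level override with a scalar would make `+=` raise TypeError — wrapping the left side in `Array(...)` would tolerate that, assuming the config object returns plain Ruby values here. `self.static.domains` is presumably the per-domain hash of the static service; if a node enables the service without defining it, the `.keys` call will raise, so a `|| {}` fallback may be worth adding.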
diff --git a/provider_base/services/webapp.json b/provider_base/services/webapp.json
index 36f161b1..ac58ac12 100644
--- a/provider_base/services/webapp.json
+++ b/provider_base/services/webapp.json
@@ -71,9 +71,6 @@
},
"port": 6425
},
- "dns": {
- "aliases": "= [domain.full, webapp.domain, api.domain, nickserver.domain]"
- },
"x509": {
"use": true,
"use_commercial": true,
diff --git a/provider_base/services/webapp.rb b/provider_base/services/webapp.rb
new file mode 100644
index 00000000..a5f10a2d
--- /dev/null
+++ b/provider_base/services/webapp.rb
@@ -0,0 +1,2 @@
+self['dns']['aliases'] += [domain.full, webapp.domain, api.domain, nickserver.domain]
+self['dns']['aliases'].uniq!
diff --git a/puppet/modules/site_static/manifests/domain.pp b/puppet/modules/site_static/manifests/domain.pp
index 6cf2c653..e456c94e 100644
--- a/puppet/modules/site_static/manifests/domain.pp
+++ b/puppet/modules/site_static/manifests/domain.pp
@@ -1,25 +1,30 @@
# configure static service for domain
define site_static::domain (
- $ca_cert,
+ $ca_cert=undef,
$key,
$cert,
$tls_only=true,
$use_hidden_service=false,
$locations=undef,
$aliases=undef,
- $apache_config=undef) {
+ $apache_config=undef,
+ $www_alias=false) {
$domain = $name
$base_dir = '/srv/static'
- $cafile = "${cert}\n${ca_cert}"
+ if ($ca_cert) {
+ $certfile = "${cert}\n${ca_cert}"
+ } else {
+ $certfile = $cert
+ }
if is_hash($locations) {
create_resources(site_static::location, $locations)
}
x509::cert { $domain:
- content => $cafile,
+ content => $certfile,
notify => Service[apache]
}
x509::key { $domain:
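Review bot: Making `$ca_cert` optional leaves it listed before the still-required `$key` and `$cert`, which puppet-lint's parameter_order check flags; since defines are invoked with named parameters, moving it down is safe: `$key,` `$cert,` `$ca_cert=undef,`. The `if ($ca_cert)` test treats `undef` as absent, but on Puppet 4 and later an empty string is truthy and would yield a cert file with a trailing blank line — a `$ca_cert and $ca_cert != ''` guard avoids that if callers may pass `''`. The new `$www_alias=false` default means the `www.` alias the template previously emitted unconditionally now disappears for existing domains unless they set `www_alias => true`; the define's body continues beyond the hunk.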
diff --git a/puppet/modules/site_static/templates/apache.conf.erb b/puppet/modules/site_static/templates/apache.conf.erb
index dd04ca43..eb21e4c9 100644
--- a/puppet/modules/site_static/templates/apache.conf.erb
+++ b/puppet/modules/site_static/templates/apache.conf.erb
@@ -80,7 +80,9 @@
##
<VirtualHost 127.0.0.1:80>
ServerName <%= @tor_domain %>
+<%- if @www_alias -%>
ServerAlias www.<%= @tor_domain %>
+<%- end -%>
<IfModule mod_headers.c>
Header set X-Frame-Options "deny"
@@ -102,7 +104,9 @@
##
<VirtualHost *:80>
ServerName <%= @domain %>
- ServerAlias www.<%= @domain %>
+<%- if @www_alias -%>
+ ServerAlias www.<%= @tor_domain %>
+<%- end -%>
<%- @aliases && @aliases.each do |domain_alias| -%>
ServerAlias <%= domain_alias %>
<%- end -%>
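Review bot: The re-added alias in the public `*:80` vhost names the wrong host: `ServerAlias www.<%= @tor_domain %>` sits under `ServerName <%= @domain %>` and replaces the removed `www.<%= @domain %>`; the same swap appears in the `*:443` vhost in the following hunk. Unless the clearnet vhosts are meant to answer for the onion name, both lines should read `ServerAlias www.<%= @domain %>`, as only the `127.0.0.1:80` vhost in the first hunk is keyed on `@tor_domain`. Apache also silently accepts a stray alias, so this would not fail at config test time and is only visible as the www. name no longer matching the public vhost.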
@@ -122,7 +126,9 @@
##
<VirtualHost *:443>
ServerName <%= @domain %>
- ServerAlias www.<%= @domain %>
+<%- if @www_alias -%>
+ ServerAlias www.<%= @tor_domain %>
+<%- end -%>
<%- @aliases && @aliases.each do |domain_alias| -%>
ServerAlias <%= domain_alias %>
<%- end -%>