23 files changed, 153 insertions, 190 deletions
| diff --git a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb index bc5ff156..5f1f4c1d 100644 --- a/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb +++ b/puppet/modules/site_apache/templates/vhosts.d/api.conf.erb @@ -15,9 +15,9 @@ Listen 0.0.0.0:<%= api_port %>    SSLHonorCipherOrder on    SSLCACertificatePath /etc/ssl/certs -  SSLCertificateChainFile /etc/ssl/certs/leap_api.pem -  SSLCertificateKeyFile /etc/x509/keys/leap_api.key -  SSLCertificateFile /etc/x509/certs/leap_api.crt +  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt +  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key +  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt    RequestHeader set X_FORWARDED_PROTO 'https' diff --git a/puppet/modules/site_config/manifests/default.pp b/puppet/modules/site_config/manifests/default.pp index 83a344a2..b27e99af 100644 --- a/puppet/modules/site_config/manifests/default.pp +++ b/puppet/modules/site_config/manifests/default.pp @@ -62,6 +62,4 @@ class site_config::default {      include site_squid_deb_proxy::client    } -  include site_config::x509 -  } diff --git a/puppet/modules/site_config/manifests/x509.pp b/puppet/modules/site_config/manifests/x509.pp deleted file mode 100644 index 8eca97e7..00000000 --- a/puppet/modules/site_config/manifests/x509.pp +++ /dev/null 
@@ -1,28 +0,0 @@ -class site_config::x509 { - -  $x509      = hiera('x509') -  $key       = $x509['key'] -  $cert      = $x509['cert'] -  $ca        = $x509['ca_cert'] -  $client_ca = $x509['client_ca_cert'] - -  x509::key { $site_config::params::cert_name: -    content => $key -  } - -  x509::cert { $site_config::params::cert_name: -    content => $cert -  } - -  x509::ca { $site_config::params::ca_name: -    content => $ca -  } - -  x509::ca { $site_config::params::client_ca_name: -    content => $client_ca -  } - -  x509::ca { $site_config::params::ca_bundle_name: -    content => "${ca}${client_ca}" -  } -} diff --git a/puppet/modules/site_config/manifests/x509/ca.pp b/puppet/modules/site_config/manifests/x509/ca.pp new file mode 100644 index 00000000..b16d0eeb --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca.pp @@ -0,0 +1,9 @@ +class site_config::x509::ca { + +  $x509      = hiera('x509') +  $ca        = $x509['ca_cert'] + +  x509::ca { $site_config::params::ca_name: +    content => $ca +  } +} diff --git a/puppet/modules/site_config/manifests/x509/ca_bundle.pp b/puppet/modules/site_config/manifests/x509/ca_bundle.pp new file mode 100644 index 00000000..4cbe574a --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/ca_bundle.pp @@ -0,0 +1,16 @@ +class site_config::x509::ca_bundle { + +  # CA bundle -- we want to have the possibility of allowing multiple CAs. +  # For now, the reason is to transition to using client CA. In the future, +  # we will want to be able to smoothly phase out one CA and phase in another. +  # I tried "--capath" for this, but it did not work. + + +  $x509      = hiera('x509') +  $ca        = $x509['ca_cert'] +  $client_ca = $x509['client_ca_cert'] + +  x509::ca { $site_config::params::ca_bundle_name: +    content => "${ca}${client_ca}" +  } +} diff --git a/puppet/modules/site_config/manifests/x509/cert_key.pp b/puppet/modules/site_config/manifests/x509/cert_key.pp new file mode 100644 index 00000000..d55c6cf2 
--- /dev/null +++ b/puppet/modules/site_config/manifests/x509/cert_key.pp @@ -0,0 +1,15 @@ +class site_config::x509::cert_key { + +  $x509      = hiera('x509') +  $key       = $x509['key'] +  $cert      = $x509['cert'] + +  x509::key { $site_config::params::cert_name: +    content => $key +  } + +  x509::cert { $site_config::params::cert_name: +    content => $cert +  } + +} diff --git a/puppet/modules/site_config/manifests/x509/client_ca.pp b/puppet/modules/site_config/manifests/x509/client_ca.pp new file mode 100644 index 00000000..3e914cf5 --- /dev/null +++ b/puppet/modules/site_config/manifests/x509/client_ca.pp @@ -0,0 +1,14 @@ +class site_config::x509::client_ca { + +  ## +  ## This is for the special CA that is used exclusively for generating +  ## client certificates by the webapp. +  ## + +  $x509      = hiera('x509') +  $client_ca = $x509['client_ca_cert'] + +  x509::ca { $site_config::params::client_ca_name: +    content => $client_ca +  } +} diff --git a/puppet/modules/site_couchdb/manifests/stunnel.pp b/puppet/modules/site_couchdb/manifests/stunnel.pp index 993555cb..7ba303fe 100644 --- a/puppet/modules/site_couchdb/manifests/stunnel.pp +++ b/puppet/modules/site_couchdb/manifests/stunnel.pp @@ -18,6 +18,11 @@ class site_couchdb::stunnel {    $ednp_server_connect  = $ednp_server['connect']    $ednp_clients         = $stunnel['ednp_clients'] + + +  include site_config::x509::cert_key +  include site_config::x509::ca +    include x509::variables    $ca_path   = "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt"    $cert_path = "${x509::variables::certs}/${site_config::params::cert_name}.crt" @@ -34,7 +39,10 @@ class site_couchdb::stunnel {      verify     => '2',      pid        => '/var/run/stunnel4/couchserver.pid',      rndfile    => '/var/lib/stunnel4/.rnd', -    debuglevel => '4' +    debuglevel => '4', +    require    => [ +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ];    } 
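Review bot: The header comment of the new site_config::x509::client_ca says this CA "is used exclusively for generating client certificates by the webapp", but the class only installs the CA certificate through x509::ca, and the private key that the deleted site_webapp::client_ca used to install from $x509['client_ca_key'] is not deployed anywhere in this commit, so the comment describes a capability the class does not provide. Keep the signing key out of this shared class: it is also included by site_postfix::mx later in the diff, which needs only the certificate for verification, and shipping the CA private key to every includer would break least privilege; the key belongs in a webapp-only class with a restrictive group as before. I would replace the comment with `## Certificate of the CA that signs user client certificates. Included by` / `## services that verify client certs; the CA private key is NOT deployed here` / `## and must be installed only where certificates are actually issued.`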
@@ -50,7 +58,10 @@ class site_couchdb::stunnel {      verify     => '2',      pid        => '/var/run/stunnel4/epmd_server.pid',      rndfile    => '/var/lib/stunnel4/.rnd', -    debuglevel => '4' +    debuglevel => '4', +    require    => [ +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ];    }    # setup stunnel clients for Erlang Port Mapper Daemon (epmd) to connect @@ -76,7 +87,10 @@ class site_couchdb::stunnel {      verify     => '2',      pid        => '/var/run/stunnel4/ednp_server.pid',      rndfile    => '/var/lib/stunnel4/.rnd', -    debuglevel => '4' +    debuglevel => '4', +    require    => [ +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ];    }    # setup stunnel clients for Erlang Distributed Node Protocol (ednp) to connect diff --git a/puppet/modules/site_mx/manifests/init.pp b/puppet/modules/site_mx/manifests/init.pp index 3d8469fd..527dc4a5 100644 --- a/puppet/modules/site_mx/manifests/init.pp +++ b/puppet/modules/site_mx/manifests/init.pp @@ -2,6 +2,11 @@ class site_mx {    tag 'leap_service'    Class['site_config::default'] -> Class['site_mx'] +  include site_config::x509::cert_key +  include site_config::x509::ca +  include site_config::x509::client_ca + +    include site_postfix::mx    include site_mx::haproxy    include site_shorewall::mx diff --git a/puppet/modules/site_nickserver/manifests/init.pp b/puppet/modules/site_nickserver/manifests/init.pp index 45503d8a..a12ed3a2 100644 --- a/puppet/modules/site_nickserver/manifests/init.pp +++ b/puppet/modules/site_nickserver/manifests/init.pp 
@@ -36,10 +36,10 @@ class site_nickserver {    # temporarily for now:    $domain          = hiera('domain')    $address_domain  = $domain['full_suffix'] -  $x509            = hiera('x509') -  $x509_key        = $x509['key'] -  $x509_cert       = $x509['cert'] -  $x509_ca         = $x509['ca_cert'] + + +  include site_config::x509::cert_key +  include site_config::x509::ca    #    # USER AND GROUP @@ -124,7 +124,10 @@ class site_nickserver {      enable     => true,      hasrestart => true,      hasstatus  => true, -    require    => File['/etc/init.d/nickserver']; +    require    => [ +      File['/etc/init.d/nickserver'], +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ];    }    # @@ -160,18 +163,4 @@ class site_nickserver {        content => template('site_nickserver/nickserver-proxy.conf.erb')    } -  x509::key { 'nickserver': -    content => $x509_key, -    notify  => Service[apache]; -  } - -  x509::cert { 'nickserver': -    content => $x509_cert, -    notify  => Service[apache]; -  } - -  x509::ca { 'nickserver': -    content => $x509_ca, -    notify  => Service[apache]; -  }  } diff --git a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb index 67896cd3..ae06410e 100644 --- a/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb +++ b/puppet/modules/site_nickserver/templates/nickserver-proxy.conf.erb 
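Review bot: The rewritten Service['nickserver'] only `require`s the new x509 classes, while the x509::key/cert/ca resources deleted at the end of this hunk each carried `notify => Service[apache]`, and Apache is the process that loads the key and certificate through nickserver-proxy.conf.erb; nothing in the new code re-establishes that refresh. Only site_webapp::apache sets up `X509::… ~> Service[apache]` chains, so on a nickserver node that does not also run the webapp a rotated certificate or CA is written to disk but Apache keeps serving the old one until something else restarts it. Add the chains after the includes: `X509::Key[$site_config::params::cert_name] ~> Service[apache]`, `X509::Cert[$site_config::params::cert_name] ~> Service[apache]`, `X509::Ca[$site_config::params::ca_name] ~> Service[apache]`. The proxy template now reads x509::variables, so the class should `include x509::variables` if it does not already (not visible in this hunk).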
@@ -14,9 +14,9 @@ Listen 0.0.0.0:<%= @nickserver_port -%>    SSLHonorCipherOrder on    SSLCACertificatePath /etc/ssl/certs -  SSLCertificateChainFile /etc/ssl/certs/nickserver.pem -  SSLCertificateKeyFile /etc/x509/keys/nickserver.key -  SSLCertificateFile /etc/x509/certs/nickserver.crt +  SSLCertificateChainFile <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::ca_name') %>.crt +  SSLCertificateKeyFile <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key +  SSLCertificateFile <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt    ProxyPass / http://localhost:<%= @nickserver_local_port %>/    ProxyPreserveHost On  # preserve Host header in HTTP request diff --git a/puppet/modules/site_openvpn/manifests/dh_key.pp b/puppet/modules/site_openvpn/manifests/dh_key.pp new file mode 100644 index 00000000..13cc0f5b --- /dev/null +++ b/puppet/modules/site_openvpn/manifests/dh_key.pp @@ -0,0 +1,10 @@ +class site_openvpn::dh_key { + +  $x509_config      = hiera('x509') + +  file { '/etc/openvpn/keys/dh.pem': +    content => $x509_config['dh'], +    mode    => '0644', +  } + +} diff --git a/puppet/modules/site_openvpn/manifests/init.pp b/puppet/modules/site_openvpn/manifests/init.pp index fe5ef87f..6ab0d430 100644 --- a/puppet/modules/site_openvpn/manifests/init.pp +++ b/puppet/modules/site_openvpn/manifests/init.pp @@ -20,10 +20,13 @@  class site_openvpn {    tag 'leap_service' +  include site_config::x509::cert_key +  include site_config::x509::ca_bundle + +    Class['site_config::default'] -> Class['site_openvpn'] -   +    $openvpn_config   = hiera('openvpn') -  $x509_config      = hiera('x509')    $openvpn_ports    = $openvpn_config['ports']    if $::ec2_instance_id { 
@@ -58,8 +61,8 @@ class site_openvpn {      $openvpn_limited_udp_cidr             = '21'    } -  # deploy ca + server keys -  include site_openvpn::keys +  # deploy dh keys +  include site_openvpn::dh_key    if $openvpn_allow_unlimited and $openvpn_allow_limited {      $unlimited_gateway_address = $openvpn_gateway_address @@ -134,7 +137,11 @@ class site_openvpn {      command     => '/etc/init.d/openvpn restart',      refreshonly => true,      subscribe   => File['/etc/openvpn'], -    require     => [ Package['openvpn'], File['/etc/openvpn'] ]; +    require     => [ +      Package['openvpn'], +      File['/etc/openvpn'], +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca_bundle'] ];    }    cron { 'add_gateway_ips.sh': diff --git a/puppet/modules/site_openvpn/manifests/keys.pp b/puppet/modules/site_openvpn/manifests/keys.pp deleted file mode 100644 index 864bbd9b..00000000 --- a/puppet/modules/site_openvpn/manifests/keys.pp +++ /dev/null 
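Review bot: The exec 'restart openvpn' in the second hunk gains `require` on Site_config::X509::Cert_key and Ca_bundle but still `subscribe`s only to File['/etc/openvpn'], whereas the deleted site_openvpn::keys notified Service[openvpn] from its x509::key, x509::cert and ca_bundle concat resources. The key, certificate and CA bundle now live under the x509::variables directories (the old hard-coded paths were under /etc/x509) rather than /etc/openvpn, so rotating them no longer restarts the daemon and it keeps using the previous key and trust bundle. Change it to `subscribe => [ File['/etc/openvpn'], Class['Site_config::X509::Cert_key'], Class['Site_config::X509::Ca_bundle'] ],` and drop the two class entries from `require` (subscribe already implies the ordering). The same question applies to dh_key.pp's /etc/openvpn/keys/dh.pem if File['/etc/openvpn'] is not recursive, which is not visible here.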
@@ -1,45 +0,0 @@ -class site_openvpn::keys { - -  x509::key { -    'leap_openvpn': -      content => $site_openvpn::x509_config['key'], -      notify  => Service[openvpn]; -  } - -  x509::cert { -    'leap_openvpn': -      content => $site_openvpn::x509_config['cert'], -      notify  => Service[openvpn]; -  } - -  file { '/etc/openvpn/keys/dh.pem': -    content => $site_openvpn::x509_config['dh'], -    mode    => '0644', -  } - -  # -  # CA bundle -- we want to have the possibility of allowing multiple CAs. -  # For now, the reason is to transition to using client CA. In the future, -  # we will want to be able to smoothly phase out one CA and phase in another. -  # I tried "--capath" for this, but it did not work. -  # - -  concat { -    '/etc/openvpn/ca_bundle.pem': -      owner  => root, -      group  => root, -      mode   => 644, -      warn   => true, -      notify => Service['openvpn']; -  } - -  concat::fragment { -    'client_ca_cert': -      content => $site_openvpn::x509_config['client_ca_cert'], -      target  => '/etc/openvpn/ca_bundle.pem'; -    'ca_cert': -      content => $site_openvpn::x509_config['ca_cert'], -      target  => '/etc/openvpn/ca_bundle.pem'; -  } - -} diff --git a/puppet/modules/site_postfix/manifests/mx.pp b/puppet/modules/site_postfix/manifests/mx.pp index 4a7d66ed..32465e01 100644 --- a/puppet/modules/site_postfix/manifests/mx.pp +++ b/puppet/modules/site_postfix/manifests/mx.pp @@ -8,6 +8,9 @@ class site_postfix::mx {    $root_mail_recipient = $mx_hash['contact']    $postfix_smtp_listen = 'all' +  include site_config::x509::cert_key +  include site_config::x509::client_ca +    postfix::config {      'mydestination':        value => "\$myorigin, localhost, localhost.\$mydomain, ${domain}"; 
@@ -44,6 +47,9 @@ submission inet n        -       n       -       -       smtpd    -o smtpd_tls_security_level=encrypt    -o smtpd_recipient_restrictions=\$submission_recipient_restrictions    -o smtpd_helo_restrictions=\$submission_helo_restrictions", -    require             => Class['Site_config::X509'] +    require             => [ +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Client_ca'], +      User['vmail'] ]    }  } diff --git a/puppet/modules/site_stunnel/manifests/clients.pp b/puppet/modules/site_stunnel/manifests/clients.pp index ed766e1a..b2c8db1f 100644 --- a/puppet/modules/site_stunnel/manifests/clients.pp +++ b/puppet/modules/site_stunnel/manifests/clients.pp @@ -21,6 +21,10 @@ define site_stunnel::clients (      verify     => $verify,      pid        => "/var/run/stunnel4/${pid}.pid",      rndfile    => $rndfile, -    debuglevel => $debuglevel +    debuglevel => $debuglevel, +    require    => [ +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ]; +    }  } diff --git a/puppet/modules/site_webapp/manifests/apache.pp b/puppet/modules/site_webapp/manifests/apache.pp index 4331afe4..3dd1c4c7 100644 --- a/puppet/modules/site_webapp/manifests/apache.pp +++ b/puppet/modules/site_webapp/manifests/apache.pp @@ -8,9 +8,15 @@ class site_webapp::apache {    $commercial_key   = $x509['commercial_key']    $commercial_cert  = $x509['commercial_cert']    $commercial_root  = $x509['commercial_ca_cert'] -  $api_key          = $x509['key'] -  $api_cert         = $x509['cert'] -  $api_root         = $x509['ca_cert'] + +  include site_config::x509::cert_key +  include site_config::x509::ca + +  include x509::variables + +  X509::Cert[$site_config::params::cert_name] ~> Service[apache] +  X509::Key[$site_config::params::cert_name]  ~> Service[apache] +  X509::Ca[$site_config::params::ca_name]  ~> Service[apache]    class { '::apache': no_default_site => true, ssl => true } 
@@ -34,29 +40,17 @@ class site_webapp::apache {      'leap_webapp':        content => $commercial_key,        notify  => Service[apache]; - -    'leap_api': -      content => $api_key, -      notify  => Service[apache];    }    x509::cert {      'leap_webapp':        content => $commercial_cert,        notify  => Service[apache]; - -    'leap_api': -      content => $api_cert, -      notify  => Service[apache];    }    x509::ca {      'leap_webapp':        content => $commercial_root,        notify  => Service[apache]; - -    'leap_api': -      content => $api_root, -      notify  => Service[apache];    }  } diff --git a/puppet/modules/site_webapp/manifests/client_ca.pp b/puppet/modules/site_webapp/manifests/client_ca.pp deleted file mode 100644 index 0d9b15d6..00000000 --- a/puppet/modules/site_webapp/manifests/client_ca.pp +++ /dev/null @@ -1,25 +0,0 @@ -## -## This is for the special CA that is used exclusively for generating -## client certificates by the webapp. -## - -class site_webapp::client_ca { -  include x509::variables - -  $x509 = hiera('x509') -  $cert_path = "${x509::variables::certs}/leap_client_ca.crt" -  $key_path = "${x509::variables::keys}/leap_client_ca.key" - -  x509::key { -    'leap_client_ca': -      source => $x509['client_ca_key'], -      group  => 'leap-webapp', -      notify  => Service[apache]; -  } - -  x509::cert { -    'leap_client_ca': -      source => $x509['client_ca_cert'], -      notify  => Service[apache]; -  } -} diff --git a/puppet/modules/site_webapp/manifests/couchdb.pp b/puppet/modules/site_webapp/manifests/couchdb.pp index f9a4eb6b..5a5cccad 100644 --- a/puppet/modules/site_webapp/manifests/couchdb.pp +++ b/puppet/modules/site_webapp/manifests/couchdb.pp 
@@ -14,15 +14,6 @@ class site_webapp::couchdb {    $couch_client_connect    = $couch_client['connect']    include x509::variables -  $x509                    = hiera('x509') -  $key                     = $x509['key'] -  $cert                    = $x509['cert'] -  $ca                      = $x509['ca_cert'] -  $cert_name               = 'leap_couchdb' -  $ca_name                 = 'leap_ca' -  $ca_path                 = "${x509::variables::local_CAs}/${ca_name}.crt" -  $cert_path               = "${x509::variables::certs}/${cert_name}.crt" -  $key_path                = "${x509::variables::keys}/${cert_name}.key"    file {      '/srv/leap/webapp/config/couchdb.yml.admin': @@ -71,10 +62,10 @@ class site_webapp::couchdb {    $couchdb_stunnel_client_defaults = {      'connect_port' => $couch_client_connect, -    'client'     => true, -    'cafile'     => $ca_path, -    'key'        => $key_path, -    'cert'       => $cert_path, +    'client'       => true, +    'cafile'       => "${x509::variables::local_CAs}/${site_config::params::ca_name}.crt", +    'key'          => "${x509::variables::keys}/${site_config::params::cert_name}.key", +    'cert'         => "${x509::variables::certs}/${site_config::params::cert_name}.crt",    }    create_resources(site_stunnel::clients, $couch_client, $couchdb_stunnel_client_defaults) diff --git a/puppet/modules/site_webapp/manifests/init.pp b/puppet/modules/site_webapp/manifests/init.pp index 97a75010..4b06cea6 100644 --- a/puppet/modules/site_webapp/manifests/init.pp +++ b/puppet/modules/site_webapp/manifests/init.pp @@ -16,8 +16,9 @@ class site_webapp {    include site_config::ruby    include site_webapp::apache    include site_webapp::couchdb -  include site_webapp::client_ca    include site_webapp::haproxy +  include site_config::x509::cert_key +  include site_config::x509::ca    group { 'leap-webapp':      ensure    => present, 
diff --git a/puppet/modules/site_webapp/templates/config.yml.erb b/puppet/modules/site_webapp/templates/config.yml.erb index 05d62d41..0ce623fc 100644 --- a/puppet/modules/site_webapp/templates/config.yml.erb +++ b/puppet/modules/site_webapp/templates/config.yml.erb @@ -3,8 +3,8 @@ production:    admins: <%= @webapp['admins'].inspect %>    domain: <%= @provider_domain %>    force_ssl: <%= @webapp['secure'] %> -  client_ca_key: <%= scope.lookupvar('site_webapp::client_ca::key_path') %> -  client_ca_cert: <%= scope.lookupvar('site_webapp::client_ca::cert_path') %> +  client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key +  client_ca_cert: <%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt    secret_token: "<%= @secret_token %>"    client_cert_lifespan: <%= cert_options['life_span'].to_i %>    client_cert_bit_size: <%= cert_options['bit_size'].to_i %> diff --git a/puppet/modules/soledad/manifests/server.pp b/puppet/modules/soledad/manifests/server.pp index 393d416a..0c073443 100644 --- a/puppet/modules/soledad/manifests/server.pp +++ b/puppet/modules/soledad/manifests/server.pp @@ -9,29 +9,12 @@ class soledad::server {    $couchdb_user     = $couchdb['couchdb_admin_user']['username']    $couchdb_password = $couchdb['couchdb_admin_user']['password'] -  $x509      = hiera('x509') -  $x509_key  = $x509['key'] -  $x509_cert = $x509['cert'] -  $x509_ca   = $x509['ca_cert'] +  include site_config::x509::cert_key +  include site_config::x509::ca    $soledad      = hiera('soledad')    $soledad_port = $soledad['port'] -  x509::key { 'soledad': -    content => $x509_key, -    notify  => Service['soledad-server']; -  } - -  x509::cert { 'soledad': -    content => $x509_cert, -    notify  => Service['soledad-server']; -  } - -  x509::ca { 'soledad': -    content => $x509_ca, -    notify  => Service['soledad-server']; -  } -    #    # SOLEDAD CONFIG    # 
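Review bot: The two replaced lines in config.yml.erb point client_ca_key and client_ca_cert at site_config::params::cert_name, i.e. the node's own TLS server key and certificate, whereas the deleted site_webapp::client_ca installed the dedicated client CA pair from $x509['client_ca_key'] and $x509['client_ca_cert']. Client certificates the webapp issues would then be signed by the server key and will not validate against the client CA that site_openvpn's ca_bundle and site_postfix::mx's client_ca deploy, and the webapp process is handed the server's private key (the old client CA key was explicitly `group => 'leap-webapp'`; whether x509::key's defaults make the server key readable to that group is not visible here). Nothing in this commit deploys $x509['client_ca_key'] — the new site_config::x509::client_ca installs only the certificate and site_webapp does not include it — so the webapp needs an x509::key resource for the client CA plus these paths: `client_ca_key: <%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.key` and `client_ca_cert: <%= scope.lookupvar('x509::variables::local_CAs') %>/<%= scope.lookupvar('site_config::params::client_ca_name') %>.crt`.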
@@ -47,8 +30,9 @@ class soledad::server {    package { 'soledad-server':      ensure  => latest, -    require => [ Class['site_apt::preferences::twisted'], -                 Class['site_apt::leap_repo'] ]; +    require => [ +      Class['site_apt::preferences::twisted'], +      Class['site_apt::leap_repo'] ];    }    file { '/etc/default/soledad': @@ -65,7 +49,11 @@ class soledad::server {      enable     => true,      hasstatus  => true,      hasrestart => true, -    require    => [ Class['soledad'], Package['soledad-server'] ]; +    require    => [ +      Class['soledad'], +      Package['soledad-server'], +      Class['Site_config::X509::Cert_key'], +      Class['Site_config::X509::Ca'] ];    }    include site_shorewall::soledad diff --git a/puppet/modules/soledad/templates/default-soledad.erb b/puppet/modules/soledad/templates/default-soledad.erb index fd38903a..32504e38 100644 --- a/puppet/modules/soledad/templates/default-soledad.erb +++ b/puppet/modules/soledad/templates/default-soledad.erb @@ -1,5 +1,5 @@  # this file is managed by puppet  START=yes -CERT_PATH=/etc/x509/certs/soledad.crt -PRIVKEY_PATH=/etc/x509/keys/soledad.key +CERT_PATH=<%= scope.lookupvar('x509::variables::certs') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.crt +PRIVKEY_PATH=<%= scope.lookupvar('x509::variables::keys') %>/<%= scope.lookupvar('site_config::params::cert_name') %>.key  HTTPS_PORT=<%=@soledad_port%> | 
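Review bot: Service['soledad-server'] in the second hunk now only `require`s Site_config::X509::Cert_key and Ca, while the x509::key/cert/ca resources removed from this class earlier in the diff each had `notify => Service['soledad-server']`. With require alone a rotated certificate or key is written to the CERT_PATH/PRIVKEY_PATH locations set in default-soledad.erb, but the running server never reloads it and keeps serving with the old key. Add `subscribe => [ Class['Site_config::X509::Cert_key'], Class['Site_config::X509::Ca'] ],` next to the remaining `require => [ Class['soledad'], Package['soledad-server'] ]` so the service restarts when the material changes.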
