allow the use of a separate ca chain file

Internet2 · Nov 14, 2019 · 0dc16b3 · 0dc16b3
1 parent d95df92
commit 0dc16b3
Show file tree

Hide file tree

Showing 12 changed files with 49 additions and 8 deletions.
diff --git a/comanage-registry-base/comanage_utils.sh b/comanage-registry-base/comanage_utils.sh
@@ -103,6 +103,7 @@ function comanage_utils::consume_injected_environment() {
         COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN
         HTTPS_CERT_FILE
         HTTPS_PRIVKEY_FILE
+        HTTPS_CHAIN_FILE
         SERVER_NAME
     )
 
@@ -333,6 +334,7 @@ EOF
 # Globals:
 #   HTTPS_CERT_FILE
 #   HTTPS_PRIVKEY_FILE
+#   HTTPS_CHAIN_FILE
 # Arguments:
 #   None
 # Returns:
@@ -347,10 +349,14 @@ function comanage_utils::prepare_https_cert_key() {
     if [[ -e '/etc/debian_version' ]]; then
         cert_path='/etc/apache2/cert.pem'
         privkey_path='/etc/apache2/privkey.pem'
+        chain_path='/etc/apache2/ca-chain.pem'
+        ssl_conf_file='/etc/apache2/sites-available/000-comanage.conf'
         web_user='www-data'
     elif [[ -e '/etc/centos-release' ]]; then
         cert_path='/etc/httpd/cert.pem'
         privkey_path='/etc/httpd/privkey.pem'
+        chain_path='/etc/httpd/ca-chain.pem'
+        ssl_conf_file='/etc/httpd/conf.d/000-comanage.conf'
         web_user='apache'
     fi
 
@@ -374,6 +380,21 @@ function comanage_utils::prepare_https_cert_key() {
         echo "Copied HTTPS private key file ${HTTPS_PRIVKEY_FILE} to ${privkey_path}" > "$OUTPUT"
         echo "Set ownership of ${privkey_path} to ${web_user}" > "$OUTPUT"
     fi
+
+    # If a chain file is defined, use configured location of the Apache HTTP
+    # Server certificate chain and uncomment the SSLCertificateChainFile
+    # option from the apache config file
+    if [[ -n "${HTTPS_CHAIN_FILE}" ]]; then
+        rm -f "${chain_path}"
+        cp "${HTTPS_CHAIN_FILE}" "${chain_path}"
+        chown "${web_user}" "${chain_path}"
+        chmod 0644 "${chain_path}"
+        sed -i -e 's/^#SSLCertificateChainFile/SSLCertificateChainFile' ${ssl_config_file}
+        sed -i -e "s/%%CHAIN_PATH%%/${chain_path}" ${ssl_config_file}
+        echo "Copied HTTPS CA Chain file ${HTTPS_CHAIN_FILE} to ${chain_path}" > "$OUTPUT"
+        echo "Set ownership of ${chain_path} to ${web_user}" > "$OUTPUT"
+        echo "Configured apache to use SSLCertificateChainFile=${chain_path}" > "$OUTPUT"
+    fi
 }
 
 ##########################################

diff --git a/comanage-registry-basic-auth/000-comanage.conf b/comanage-registry-basic-auth/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

diff --git a/comanage-registry-basic-auth/README.md b/comanage-registry-basic-auth/README.md
@@ -120,8 +120,8 @@ stderr of the container.
 
 ## HTTPS Configuration
 
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any)
 and associated private key file. For example

diff --git a/comanage-registry-internet2-tier/000-comanage.conf b/comanage-registry-internet2-tier/000-comanage.conf
@@ -30,6 +30,7 @@ Include apache-include-virtual-host-port443-base
 
 SSLCertificateFile /etc/httpd/cert.pem
 SSLCertificateKeyFile /etc/httpd/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 
 PassEnv ENV
 PassEnv USERTOKEN

diff --git a/comanage-registry-internet2-tier/README.md b/comanage-registry-internet2-tier/README.md
@@ -147,8 +147,8 @@ The logging configuration meets version 1 of the
 
 ## HTTPS Configuration
 
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any)
 and associated private key file. For example

diff --git a/comanage-registry-mailman/apache-shib/httpd.conf b/comanage-registry-mailman/apache-shib/httpd.conf
@@ -118,6 +118,7 @@ TransferLog /proc/self/fd/1
 SSLEngine on
 SSLCertificateFile "/usr/local/apache2/conf/server.crt"
 SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
+#SSLCertificateChainFile "/usr/local/apache2/conf/ca-chain.crt"
 
 BrowserMatch "MSIE [2-5]" \
          nokeepalive ssl-unclean-shutdown \

diff --git a/comanage-registry-mailman/apache-shib/start.sh b/comanage-registry-mailman/apache-shib/start.sh
@@ -55,6 +55,13 @@ if [ -n "${HTTPS_CERT_FILE}" ] && [ -n "${HTTPS_KEY_FILE}" ]; then
     chmod 600 /usr/local/apache2/conf/server.key
 fi
 
+# Copy HTTPS chain file into place.
+if [ -n "${HTTPS_CHAIN_FILE}" ]; then
+    cp "${HTTPS_CHAIN_FILE}" /usr/local/apache2/conf/ca-chain.crt
+    chmod 644 /usr/local/apache2/conf/ca-chain.crt
+    sed -i -e 's/^#SSLCertificateChainFile/SSLCertificateChainFile' /usr/local/apache2/conf/httpd.conf
+fi
+
 # Wait for the mailman core container to be ready.
 until nc -z -w 1 "${MAILMAN_CORE_HOST}" "${MAILMAN_CORE_PORT}"
 do

diff --git a/comanage-registry-mod-auth-openidc/000-comanage.conf b/comanage-registry-mod-auth-openidc/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

diff --git a/comanage-registry-mod-auth-openidc/README.md b/comanage-registry-mod-auth-openidc/README.md
@@ -139,8 +139,8 @@ stderr of the container.
 
 ## HTTPS Configuration
 
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any)
 and associated private key file. For example

diff --git a/comanage-registry-shibboleth-sp/000-comanage.conf b/comanage-registry-shibboleth-sp/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined

diff --git a/comanage-registry-shibboleth-sp/README.md b/comanage-registry-shibboleth-sp/README.md
@@ -125,8 +125,8 @@ stderr of the container.
 
 ## HTTPS Configuration
 
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any)
 and associated private key file. For example

diff --git a/docs/comanage-registry-common-environment-variables.md b/docs/comanage-registry-common-environment-variables.md
@@ -209,6 +209,14 @@ edited directly.
 * Example: /run/secrets/https_privkey_file
 * Note: The path is relative to the running container.
 
+```HTTPS_CHAIN_FILE```
+
+* Description: path to file containing x509 certificate signing chain for HTTPS, if not specified then `HTTPS_CERT_FILE` much contain a full signing chain for the certificate.
+* Required: no
+* Default: none
+* Example: /run/secrets/https_chain_file
+* Note: The path is relative to the running container.
+
 
 ```SERVER_NAME```