From d85540d9465e392cd586a44e302d0d31f6375324 Mon Sep 17 00:00:00 2001
From: Duncan Brown
Date: Thu, 14 Nov 2019 10:01:08 -0500
Subject: [PATCH] allow the use of a separate ca chain file
---
 comanage-registry-base/comanage_utils.sh | 21 +++++++++++++++++++
 .../000-comanage.conf | 1 +
 comanage-registry-basic-auth/README.md | 4 ++--
 .../000-comanage.conf | 1 +
 comanage-registry-internet2-tier/README.md | 4 ++--
 .../apache-shib/httpd.conf | 1 +
 .../apache-shib/start.sh | 7 +++++++
 .../000-comanage.conf | 1 +
 comanage-registry-mod-auth-openidc/README.md | 4 ++--
 .../000-comanage.conf | 1 +
 comanage-registry-shibboleth-sp/README.md | 4 ++--
 ...e-registry-common-environment-variables.md | 8 +++++++
 12 files changed, 49 insertions(+), 8 deletions(-)
diff --git a/comanage-registry-base/comanage_utils.sh b/comanage-registry-base/comanage_utils.sh
index a7d48f1..d8c0ff1 100644
--- a/comanage-registry-base/comanage_utils.sh
+++ b/comanage-registry-base/comanage_utils.sh
@@ -103,6 +103,7 @@ function comanage_utils::consume_injected_environment() {
 COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN
 HTTPS_CERT_FILE
 HTTPS_PRIVKEY_FILE
+ HTTPS_CHAIN_FILE
 SERVER_NAME
 )
@@ -333,6 +334,7 @@ EOF
 # Globals:
 # HTTPS_CERT_FILE
 # HTTPS_PRIVKEY_FILE
+# HTTPS_CHAIN_FILE
 # Arguments:
 # None
 # Returns:
@@ -347,10 +349,14 @@ function comanage_utils::prepare_https_cert_key() {
 if [[ -e '/etc/debian_version' ]]; then
 cert_path='/etc/apache2/cert.pem'
 privkey_path='/etc/apache2/privkey.pem'
+ chain_path='/etc/apache2/ca-chain.pem'
+ ssl_conf_file='/etc/apache2/sites-available/000-comanage.conf'
 web_user='www-data'
 elif [[ -e '/etc/centos-release' ]]; then
 cert_path='/etc/httpd/cert.pem'
 privkey_path='/etc/httpd/privkey.pem'
+ chain_path='/etc/httpd/ca-chain.pem'
+ ssl_conf_file='/etc/httpd/conf.d/000-comanage.conf'
 web_user='apache'
 fi
@@ -374,6 +380,21 @@ function comanage_utils::prepare_https_cert_key() {
 echo "Copied HTTPS private key file ${HTTPS_PRIVKEY_FILE} to ${privkey_path}" > "$OUTPUT"
 echo "Set ownership of ${privkey_path} to ${web_user}" > "$OUTPUT"
 fi
+
+ # If a chain file is defined, use configured location of the Apache HTTP
+ # Server certificate chain and uncomment the SSLCertificateChainFile
+ # option from the apache config file
+ if [[ -n "${HTTPS_CHAIN_FILE}" ]]; then
+ rm -f "${chain_path}"
+ cp "${HTTPS_CHAIN_FILE}" "${chain_path}"
+ chown "${web_user}" "${chain_path}"
+ chmod 0644 "${chain_path}"
+ sed -i -e 's/^#SSLCertificateChainFile/SSLCertificateChainFile' ${ssl_config_file}
+ sed -i -e "s/%%CHAIN_PATH%%/${chain_path}" ${ssl_config_file}
+ echo "Copied HTTPS CA Chain file ${HTTPS_CHAIN_FILE} to ${chain_path}" > "$OUTPUT"
+ echo "Set ownership of ${chain_path} to ${web_user}" > "$OUTPUT"
+ echo "Configured apache to use SSLCertificateChainFile=${chain_path}" > "$OUTPUT"
+ fi
 }
 ##########################################
diff --git a/comanage-registry-basic-auth/000-comanage.conf b/comanage-registry-basic-auth/000-comanage.conf
index 1973469..a6cd803 100644
--- a/comanage-registry-basic-auth/000-comanage.conf
+++ b/comanage-registry-basic-auth/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
diff --git a/comanage-registry-basic-auth/README.md b/comanage-registry-basic-auth/README.md
index 8c0b7f3..391324b 100644
--- a/comanage-registry-basic-auth/README.md
+++ b/comanage-registry-basic-auth/README.md
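Review bot: The two `sed -i` calls reference `${ssl_config_file}`, which is never assigned — the earlier hunk in this file sets `ssl_conf_file` — so they run with no input file, and the `#SSLCertificateChainFile %%CHAIN_PATH%%` line added to the `000-comanage.conf` files is never uncommented nor its placeholder replaced; the chain is copied into place but Apache never serves it, while the echo still reports it as configured. Both `s` expressions are also unterminated (no closing delimiter), and the second uses `/` as its delimiter while `${chain_path}` itself contains slashes, so even with the right filename sed would reject them; the same unterminated expression appears in the `apache-shib/start.sh` hunk. Collapse them into one quoted call with a delimiter that cannot occur in the path: `sed -i -e 's|^#SSLCertificateChainFile|SSLCertificateChainFile|' -e "s|%%CHAIN_PATH%%|${chain_path}|" "${ssl_conf_file}"`. A check such as `grep -q '^SSLCertificateChainFile ' "${ssl_conf_file}"` before the "Configured apache" echo would surface this class of failure instead of logging success. `prepare_https_cert_key` begins outside this hunk, so whether `chain_path` and `ssl_conf_file` are declared `local` alongside `cert_path` cannot be confirmed here.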
@@ -120,8 +120,8 @@ stderr of the container.
 ## HTTPS Configuration
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example
diff --git a/comanage-registry-internet2-tier/000-comanage.conf b/comanage-registry-internet2-tier/000-comanage.conf
index 5ad4912..38a649a 100644
--- a/comanage-registry-internet2-tier/000-comanage.conf
+++ b/comanage-registry-internet2-tier/000-comanage.conf
@@ -30,6 +30,7 @@ Include apache-include-virtual-host-port443-base
 SSLCertificateFile /etc/httpd/cert.pem
 SSLCertificateKeyFile /etc/httpd/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 PassEnv ENV
 PassEnv USERTOKEN
diff --git a/comanage-registry-internet2-tier/README.md b/comanage-registry-internet2-tier/README.md
index b4abaa9..1ac14f8 100644
--- a/comanage-registry-internet2-tier/README.md
+++ b/comanage-registry-internet2-tier/README.md
@@ -147,8 +147,8 @@ The logging configuration meets version 1 of the
 ## HTTPS Configuration
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example
diff --git a/comanage-registry-mailman/apache-shib/httpd.conf b/comanage-registry-mailman/apache-shib/httpd.conf
index c33363d..9ecde4f 100644
--- a/comanage-registry-mailman/apache-shib/httpd.conf
+++ b/comanage-registry-mailman/apache-shib/httpd.conf
@@ -118,6 +118,7 @@ TransferLog /proc/self/fd/1
 SSLEngine on
 SSLCertificateFile "/usr/local/apache2/conf/server.crt"
 SSLCertificateKeyFile "/usr/local/apache2/conf/server.key"
+#SSLCertificateChainFile "/usr/local/apache2/conf/ca-chain.crt"
 BrowserMatch "MSIE [2-5]" \
 nokeepalive ssl-unclean-shutdown \
diff --git a/comanage-registry-mailman/apache-shib/start.sh b/comanage-registry-mailman/apache-shib/start.sh
index b03b276..0d5ed32 100755
--- a/comanage-registry-mailman/apache-shib/start.sh
+++ b/comanage-registry-mailman/apache-shib/start.sh
@@ -55,6 +55,13 @@ if [ -n "${HTTPS_CERT_FILE}" ] && [ -n "${HTTPS_KEY_FILE}" ]; then
 chmod 600 /usr/local/apache2/conf/server.key
 fi
+# Copy HTTPS chain file into place.
+if [ -n "${HTTPS_CHAIN_FILE}" ]; then
+ cp "${HTTPS_CHAIN_FILE}" /usr/local/apache2/conf/ca-chain.crt
+ chmod 644 /usr/local/apache2/conf/ca-chain.crt
+ sed -i -e 's/^#SSLCertificateChainFile/SSLCertificateChainFile' /usr/local/apache2/conf/httpd.conf
+fi
+
 # Wait for the mailman core container to be ready.
 until nc -z -w 1 "${MAILMAN_CORE_HOST}" "${MAILMAN_CORE_PORT}"
 do
diff --git a/comanage-registry-mod-auth-openidc/000-comanage.conf b/comanage-registry-mod-auth-openidc/000-comanage.conf
index 0b03d75..cfcac71 100644
--- a/comanage-registry-mod-auth-openidc/000-comanage.conf
+++ b/comanage-registry-mod-auth-openidc/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
diff --git a/comanage-registry-mod-auth-openidc/README.md b/comanage-registry-mod-auth-openidc/README.md
index 790d00d..1294f67 100644
--- a/comanage-registry-mod-auth-openidc/README.md
+++ b/comanage-registry-mod-auth-openidc/README.md
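Review bot: The `cp` of `${HTTPS_CHAIN_FILE}` in the start.sh hunk is not checked, so an unreadable or mistyped secret path leaves `httpd.conf` with `SSLCertificateChainFile` uncommented but pointing at a file that was never created, and the problem only surfaces later as an httpd startup error far from its cause (unless the script runs under `set -e`; its preamble is outside this hunk). Fail where the problem occurs instead: `cp "${HTTPS_CHAIN_FILE}" /usr/local/apache2/conf/ca-chain.crt || { echo "cannot copy HTTPS_CHAIN_FILE ${HTTPS_CHAIN_FILE}" >&2; exit 1; }`. The existing cert/key block above it (context line) offers no precedent either way, so this is a judgement call, but a chain that silently fails to install is the kind of misconfiguration that clients report as an untrusted certificate rather than an outage.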
@@ -139,8 +139,8 @@ stderr of the container.
 ## HTTPS Configuration
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example
diff --git a/comanage-registry-shibboleth-sp/000-comanage.conf b/comanage-registry-shibboleth-sp/000-comanage.conf
index 41c3bcc..d408259 100644
--- a/comanage-registry-shibboleth-sp/000-comanage.conf
+++ b/comanage-registry-shibboleth-sp/000-comanage.conf
@@ -25,6 +25,7 @@ Include apache-include-virtual-host-port443-base
 SSLCertificateFile /etc/apache2/cert.pem
 SSLCertificateKeyFile /etc/apache2/privkey.pem
+#SSLCertificateChainFile %%CHAIN_PATH%%
 ErrorLog ${APACHE_LOG_DIR}/error.log
 CustomLog ${APACHE_LOG_DIR}/access.log combined
diff --git a/comanage-registry-shibboleth-sp/README.md b/comanage-registry-shibboleth-sp/README.md
index 8ecb33a..9660691 100644
--- a/comanage-registry-shibboleth-sp/README.md
+++ b/comanage-registry-shibboleth-sp/README.md
@@ -125,8 +125,8 @@ stderr of the container.
 ## HTTPS Configuration
-See the section on environment variables and the `HTTPS_CERT_FILE` and
-`HTTPS_PRIVKEY_FILE` variables.
+See the section on environment variables and the `HTTPS_CERT_FILE`,
+`HTTPS_PRIVKEY_FILE`, and `HTTPS_CHAIN_FILE` variables.
 Additionally you may bind mount or COPY in an X.509 certificate file (containing the CA signing certificate(s), if any) and associated private key file. For example
diff --git a/docs/comanage-registry-common-environment-variables.md b/docs/comanage-registry-common-environment-variables.md
index b29b017..38034a2 100644
--- a/docs/comanage-registry-common-environment-variables.md
+++ b/docs/comanage-registry-common-environment-variables.md
@@ -209,6 +209,14 @@ edited directly.
 * Example: /run/secrets/https_privkey_file
 * Note: The path is relative to the running container.
+```HTTPS_CHAIN_FILE```
+
+* Description: path to file containing x509 certificate signing chain for HTTPS, if not specified then `HTTPS_CERT_FILE` much contain a full signing chain for the certificate.
+* Required: no
+* Default: none
+* Example: /run/secrets/https_chain_file
+* Note: The path is relative to the running container.
+
 ```SERVER_NAME```