Removed HTTPS chain configuration

Since the Apache version used in the images is recent enough
that SSLCertificateChainFile is obsoleted removed the ability
to inject an explicit chain file and updated the documentation to
note that the intermediate CA signing certificates should be
included with the server certificate sorted from leaf to root.

comanage-registry-basic-auth/Dockerfile.template

@@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
       && cd /etc/apache2 \
       && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
       && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
-      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
       && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
 
 COPY docker-comanage-entrypoint /usr/local/bin/

comanage-registry-basic-auth/docker-comanage-entrypoint

@@ -45,7 +45,6 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
-    HTTPS_CHAIN_FILE
 )
 
 # If the file associated with a configuration variable is present then 
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 
 # If defined use configured location of Apache HTTP Server 
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
     rm -f /etc/apache2/cert.pem
     cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
-    rm -f /etc/apache2/chain.pem
-    cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
-    chown www-data /etc/apache2/chain.pem
-    chmod 0644 /etc/apache2/chain.pem
-fi
-
 # If the basic auth password file does not exist create a simple version to
 # aid people evaluating the tool.
 if [ ! -f "/etc/apache2/passwords" ]; then

comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml

@@ -59,7 +59,6 @@ services:
             - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 
         ports:
             - "80:80"

comanage-registry-mod-auth-openidc/Dockerfile.template

@@ -115,7 +115,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
       && cd /etc/apache2 \
       && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
       && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
-      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
       && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
 
 COPY docker-comanage-entrypoint /usr/local/bin/

comanage-registry-mod-auth-openidc/docker-comanage-entrypoint

@@ -45,7 +45,6 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
-    HTTPS_CHAIN_FILE
 )
 
 # If the file associated with a configuration variable is present then 
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 
 # If defined use configured location of Apache HTTP Server 
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
     rm -f /etc/apache2/cert.pem
     cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
-    rm -f /etc/apache2/chain.pem
-    cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
-    chown www-data /etc/apache2/chain.pem
-    chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

comanage-registry-shibboleth-sp/Dockerfile.template

@@ -219,7 +219,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
       && cd /etc/apache2 \
       && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
       && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
-      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
       && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
 
 COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template

comanage-registry-shibboleth-sp/docker-comanage-entrypoint

@@ -45,7 +45,6 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
-    HTTPS_CHAIN_FILE
 )
 
 # If the file associated with a configuration variable is present then 
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 
 # If defined use configured location of Apache HTTP Server 
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
     rm -f /etc/apache2/cert.pem
     cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
-    rm -f /etc/apache2/chain.pem
-    cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
-    chown www-data /etc/apache2/chain.pem
-    chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml

@@ -56,7 +56,6 @@ services:
             - REGISTRY_HOST_FILE=/run/secrets/registry_host 
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file 
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file 
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file 
             - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=ScottCmpAdmin
             - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Koranda
             - COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981
@@ -68,7 +67,6 @@ services:
             - registry_host
             - https_cert_file
             - https_privkey_file
-            - https_chain_file
         networks:
             - default
         ports:
@@ -104,5 +102,3 @@ secrets:
         external: true
     https_privkey_file:
         external: true
-    https_chain_file:
-        external: true

comanage-registry/Dockerfile.template

@@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
       && cd /etc/apache2 \
       && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
       && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
-      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
       && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
 
 COPY docker-comanage-entrypoint /usr/local/bin/

comanage-registry/docker-comanage-entrypoint

@@ -45,7 +45,6 @@ injectable_config_vars=(
     COMANAGE_REGISTRY_SECURITY_SEED
     HTTPS_CERT_FILE
     HTTPS_PRIVKEY_FILE
-    HTTPS_CHAIN_FILE
 )
 
 # If the file associated with a configuration variable is present then 
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 
 # If defined use configured location of Apache HTTP Server 
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
     rm -f /etc/apache2/cert.pem
     cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
     chmod 0600 /etc/apache2/privkey.pem
 fi
 
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
-    rm -f /etc/apache2/chain.pem
-    cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
-    chown www-data /etc/apache2/chain.pem
-    chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
     set -- apache2-foreground "$@"

docs/advanced-configuration.md

@@ -147,9 +147,11 @@ an otherwise configured environment variable*.
 
 ### COmanage Registry
 
-The certificate, private key, and CA signing file or chain file used for HTTPS may
+The certificate and private key files used for HTTPS may
 be injected into the COmanage Registry container using environment variables
-to point to files mounted into the container. 
+to point to files mounted into the container. The certificate file should
+include the server certificate and any intermediate CA signing certificates
+sorted from leaf to root.
 
 For example:
 
@@ -175,7 +177,6 @@ services:
             - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
         ports:
             - "80:80"
             - "443:443"
@@ -186,7 +187,6 @@ Alternatively you can directly mount files in the container to
 ```
 /etc/apache2/cert.pem
 /etc/apache2/privkey.pem
-/etc/apache2/chain.pem
 ```
 
 If no files are configured the containers use "snakeoil" self-signed certificates
@@ -222,7 +222,6 @@ services:
             - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
             - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert
             - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey
         ports:
@@ -287,7 +286,6 @@ services:
             - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
         ports:
             - "80:80"
             - "443:443"

docs/shibboleth-sp-postgres-compose.md

@@ -121,14 +121,14 @@ cp privkey.pem /docker/run/secrets/slapd_privkey_file
 cp chain.pem /docker/run/secrets/slapd_chain_file
 ```
 
-Put the X.509 certificate, private key, and chain files in place
-for Apache HTTP Server for HTTPS (it is likely these are the same as
-for slapd):
+Put the X.509 certificate and private key files in place
+for Apache HTTP Server for HTTPS. The certificate file should
+include the server certificate and any intermediate CA signing 
+certificates sorted from leaf to root:
 
 ```
 cp cert.pem /docker/run/secrets/https_cert_file
 cp privkey.pem /docker/run/secrets/https_privkey_file
-cp chain.pem /docker/run/secrets/https_chain_file
 ```
 
 Put the Shibboleth SP SAML certificate and key files in place:
@@ -199,7 +199,6 @@ services:
             - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml
             - HTTPS_CERT_FILE=/run/secrets/https_cert_file
             - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
-            - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 
         ports:
             - "80:80"

recipes/production-mod-auth-openidc-mariadb/README.md

@@ -67,8 +67,6 @@ docker secret create https_cert_file my.org.crt
 
 docker secret create https_privkey_file my.org.key
 
-docker secret create https_chain_file chain.pem
-
 docker secret create slapd_cert_file my.org.crt
 
 docker secret create slapd_privkey_file my.org.key