diff --git a/comanage-registry-basic-auth/Dockerfile.template b/comanage-registry-basic-auth/Dockerfile.template
index c1bbd7a..90f9af5 100644
--- a/comanage-registry-basic-auth/Dockerfile.template
+++ b/comanage-registry-basic-auth/Dockerfile.template
@@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
 && cd /etc/apache2 \
 && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
 && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
- && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
 && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"
 COPY docker-comanage-entrypoint /usr/local/bin/
diff --git a/comanage-registry-basic-auth/docker-comanage-entrypoint b/comanage-registry-basic-auth/docker-comanage-entrypoint
index 571c4b6..d8eccbb 100755
--- a/comanage-registry-basic-auth/docker-comanage-entrypoint
+++ b/comanage-registry-basic-auth/docker-comanage-entrypoint
@@ -45,7 +45,6 @@ injectable_config_vars=(
 COMANAGE_REGISTRY_SECURITY_SEED
 HTTPS_CERT_FILE
 HTTPS_PRIVKEY_FILE
- HTTPS_CHAIN_FILE
 )
 # If the file associated with a configuration variable is present then
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 # If defined use configured location of Apache HTTP Server
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
 rm -f /etc/apache2/cert.pem
 cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
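Review bot: Removing the chain.pem symlink leaves any Apache SSL virtual host that still names /etc/apache2/chain.pem (typically through SSLCertificateChainFile) pointing at a file that no longer exists, and mod_ssl fails at startup when a configured certificate file cannot be read; the Apache site configuration is not part of this diff, so confirm it now references only cert.pem and privkey.pem before the image is rebuilt. The same symlink removal appears in the comanage-registry-mod-auth-openidc, comanage-registry-shibboleth-sp and comanage-registry Dockerfile.template hunks. The RUN instruction this line belongs to begins before the hunk.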
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
 chmod 0600 /etc/apache2/privkey.pem
 fi
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
- rm -f /etc/apache2/chain.pem
- cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
- chown www-data /etc/apache2/chain.pem
- chmod 0644 /etc/apache2/chain.pem
-fi
-
 # If the basic auth password file does not exist create a simple version to
 # aid people evaluating the tool.
 if [ ! -f "/etc/apache2/passwords" ]; then
diff --git a/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml b/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml
index 5819467..7dd768f 100644
--- a/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml
+++ b/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml
@@ -59,7 +59,6 @@ services:
 - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 ports:
 - "80:80"
diff --git a/comanage-registry-mod-auth-openidc/Dockerfile.template b/comanage-registry-mod-auth-openidc/Dockerfile.template
index 8caba5b..3714d6c 100644
--- a/comanage-registry-mod-auth-openidc/Dockerfile.template
+++ b/comanage-registry-mod-auth-openidc/Dockerfile.template
@@ -115,7 +115,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
 && cd /etc/apache2 \
 && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
 && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
- && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
 && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"
 COPY docker-comanage-entrypoint /usr/local/bin/
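Review bot: A deployment that still sets HTTPS_CHAIN_FILE, as the compose and stack files in this same commit did until now, is no longer acted on anywhere in the visible hunks, so the server would present only what is in cert.pem and clients that need the intermediates fail validation with nothing in the container log to explain it. Because the variable was part of the documented interface, emit a warning where the removed block stood rather than dropping it silently: `if [ -n "$HTTPS_CHAIN_FILE" ]; then` / `  echo "HTTPS_CHAIN_FILE is ignored; append the intermediate certificates to the HTTPS_CERT_FILE file instead" >&2` / `fi`. The same removal appears in the comanage-registry-mod-auth-openidc, comanage-registry-shibboleth-sp and comanage-registry entrypoint hunks; I cannot see the rest of the script, so the warning may fit better next to the injectable_config_vars loop if that is where the variable used to be consumed.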
diff --git a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint
index 636667a..58ba3c8 100755
--- a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint
+++ b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint
@@ -45,7 +45,6 @@ injectable_config_vars=(
 COMANAGE_REGISTRY_SECURITY_SEED
 HTTPS_CERT_FILE
 HTTPS_PRIVKEY_FILE
- HTTPS_CHAIN_FILE
 )
 # If the file associated with a configuration variable is present then
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 # If defined use configured location of Apache HTTP Server
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
 rm -f /etc/apache2/cert.pem
 cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
 chmod 0600 /etc/apache2/privkey.pem
 fi
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
- rm -f /etc/apache2/chain.pem
- cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
- chown www-data /etc/apache2/chain.pem
- chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 set -- apache2-foreground "$@"
diff --git a/comanage-registry-shibboleth-sp/Dockerfile.template b/comanage-registry-shibboleth-sp/Dockerfile.template
index 0e68db2..07ff404 100644
--- a/comanage-registry-shibboleth-sp/Dockerfile.template
+++ b/comanage-registry-shibboleth-sp/Dockerfile.template
@@ -219,7 +219,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
 && cd /etc/apache2 \
 && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
 && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
- && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
 && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"
 COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template
diff --git a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
index 636667a..58ba3c8 100755
--- a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
+++ b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint
@@ -45,7 +45,6 @@ injectable_config_vars=(
 COMANAGE_REGISTRY_SECURITY_SEED
 HTTPS_CERT_FILE
 HTTPS_PRIVKEY_FILE
- HTTPS_CHAIN_FILE
 )
 # If the file associated with a configuration variable is present then
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 # If defined use configured location of Apache HTTP Server
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
 rm -f /etc/apache2/cert.pem
 cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
 chmod 0600 /etc/apache2/privkey.pem
 fi
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
- rm -f /etc/apache2/chain.pem
- cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
- chown www-data /etc/apache2/chain.pem
- chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 set -- apache2-foreground "$@"
diff --git a/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml b/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml
index af5dc8d..4696749 100644
--- a/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml
+++ b/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml
@@ -56,7 +56,6 @@ services:
 - REGISTRY_HOST_FILE=/run/secrets/registry_host
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=ScottCmpAdmin
 - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Koranda
 - COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981
@@ -68,7 +67,6 @@ services:
 - registry_host
 - https_cert_file
 - https_privkey_file
- - https_chain_file
 networks:
 - default
 ports:
@@ -104,5 +102,3 @@ secrets:
 external: true
 https_privkey_file:
 external: true
- https_chain_file:
- external: true
diff --git a/comanage-registry/Dockerfile.template b/comanage-registry/Dockerfile.template
index c1bbd7a..90f9af5 100644
--- a/comanage-registry/Dockerfile.template
+++ b/comanage-registry/Dockerfile.template
@@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
 && cd /etc/apache2 \
 && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
 && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
- && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \
 && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php"
 COPY docker-comanage-entrypoint /usr/local/bin/
diff --git a/comanage-registry/docker-comanage-entrypoint b/comanage-registry/docker-comanage-entrypoint
index 636667a..58ba3c8 100755
--- a/comanage-registry/docker-comanage-entrypoint
+++ b/comanage-registry/docker-comanage-entrypoint
@@ -45,7 +45,6 @@ injectable_config_vars=(
 COMANAGE_REGISTRY_SECURITY_SEED
 HTTPS_CERT_FILE
 HTTPS_PRIVKEY_FILE
- HTTPS_CHAIN_FILE
 )
 # If the file associated with a configuration variable is present then
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1
 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp"
 # If defined use configured location of Apache HTTP Server
-# HTTPS certificate, key, and CA chain files.
+# HTTPS certificate and key files. The certificate file may also
+# include intermediate CA certificates, sorted from leaf to root.
 if [ -n "$HTTPS_CERT_FILE" ]; then
 rm -f /etc/apache2/cert.pem
 cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
 chmod 0600 /etc/apache2/privkey.pem
 fi
-if [ -n "$HTTPS_CHAIN_FILE" ]; then
- rm -f /etc/apache2/chain.pem
- cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem
- chown www-data /etc/apache2/chain.pem
- chmod 0644 /etc/apache2/chain.pem
-fi
-
 # first arg is `-f` or `--some-option`
 if [ "${1#-}" != "$1" ]; then
 set -- apache2-foreground "$@"
diff --git a/docs/advanced-configuration.md b/docs/advanced-configuration.md
index b98ab1e..55a66db 100644
--- a/docs/advanced-configuration.md
+++ b/docs/advanced-configuration.md
@@ -147,9 +147,11 @@ an otherwise configured environment variable*.
 ### COmanage Registry
-The certificate, private key, and CA signing file or chain file used for HTTPS may
+The certificate and private key files used for HTTPS may
 be injected into the COmanage Registry container using environment variables
-to point to files mounted into the container.
+to point to files mounted into the container. The certificate file should
+include the server certificate and any intermediate CA signing certificates
+sorted from leaf to root.
 For example:
@@ -175,7 +177,6 @@ services:
 - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 ports:
 - "80:80"
 - "443:443"
@@ -186,7 +187,6 @@ Alternatively you can directly mount files in the container to
 ```
 /etc/apache2/cert.pem
 /etc/apache2/privkey.pem
-/etc/apache2/chain.pem
 ```
 If no files are configured the containers use "snakeoil" self-signed certificates
@@ -222,7 +222,6 @@ services:
 - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert
 - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey
 ports:
@@ -287,7 +286,6 @@ services:
 - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 ports:
 - "80:80"
 - "443:443"
diff --git a/docs/shibboleth-sp-postgres-compose.md b/docs/shibboleth-sp-postgres-compose.md
index 360d548..0b2bf3e 100644
--- a/docs/shibboleth-sp-postgres-compose.md
+++ b/docs/shibboleth-sp-postgres-compose.md
@@ -121,14 +121,14 @@ cp privkey.pem /docker/run/secrets/slapd_privkey_file
 cp chain.pem /docker/run/secrets/slapd_chain_file
 ```
-Put the X.509 certificate, private key, and chain files in place
-for Apache HTTP Server for HTTPS (it is likely these are the same as
-for slapd):
+Put the X.509 certificate and private key files in place
+for Apache HTTP Server for HTTPS. The certificate file should
+include the server certificate and any intermediate CA signing
+certificates sorted from leaf to root:
 ```
 cp cert.pem /docker/run/secrets/https_cert_file
 cp privkey.pem /docker/run/secrets/https_privkey_file
-cp chain.pem /docker/run/secrets/https_chain_file
 ```
 Put the Shibboleth SP SAML certificate and key files in place:
@@ -199,7 +199,6 @@ services:
 - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml
 - HTTPS_CERT_FILE=/run/secrets/https_cert_file
 - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file
- - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file
 ports:
 - "80:80"
diff --git a/recipes/production-mod-auth-openidc-mariadb/README.md b/recipes/production-mod-auth-openidc-mariadb/README.md
index 102e28d..6c8adb0 100644
--- a/recipes/production-mod-auth-openidc-mariadb/README.md
+++ b/recipes/production-mod-auth-openidc-mariadb/README.md
@@ -67,8 +67,6 @@ docker secret create https_cert_file my.org.crt
 docker secret create https_privkey_file my.org.key
-docker secret create https_chain_file chain.pem
-
 docker secret create slapd_cert_file my.org.crt
 docker secret create slapd_privkey_file my.org.key