From 1e28ad39ff0062cac69ef31c4acd7ede51e081d6 Mon Sep 17 00:00:00 2001 From: Scott Koranda Date: Mon, 12 Jun 2017 12:23:31 -0500 Subject: [PATCH] Removed HTTPS chain configuration Since the Apache version used in the images is recent enough that SSLCertificateChainFile is obsoleted removed the ability to inject an explicit chain file and updated the documentation to note that the intermediate CA signing certificates should be included with the server certificate sorted from leaf to root. --- comanage-registry-basic-auth/Dockerfile.template | 1 - .../docker-comanage-entrypoint | 11 ++--------- ...manage-registry-shibboleth-sp-postgres-compose.yml | 1 - .../Dockerfile.template | 1 - .../docker-comanage-entrypoint | 11 ++--------- comanage-registry-shibboleth-sp/Dockerfile.template | 1 - .../docker-comanage-entrypoint | 11 ++--------- ...manage-registry-mod-auth-openidc-mariadb-stack.yml | 4 ---- comanage-registry/Dockerfile.template | 1 - comanage-registry/docker-comanage-entrypoint | 11 ++--------- docs/advanced-configuration.md | 10 ++++------ docs/shibboleth-sp-postgres-compose.md | 9 ++++----- recipes/production-mod-auth-openidc-mariadb/README.md | 2 -- 13 files changed, 16 insertions(+), 58 deletions(-) diff --git a/comanage-registry-basic-auth/Dockerfile.template b/comanage-registry-basic-auth/Dockerfile.template index c1bbd7a..90f9af5 100644 --- a/comanage-registry-basic-auth/Dockerfile.template +++ b/comanage-registry-basic-auth/Dockerfile.template @@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ && cd /etc/apache2 \ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \ && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" COPY docker-comanage-entrypoint /usr/local/bin/ 
diff --git a/comanage-registry-basic-auth/docker-comanage-entrypoint b/comanage-registry-basic-auth/docker-comanage-entrypoint index 571c4b6..d8eccbb 100755 --- a/comanage-registry-basic-auth/docker-comanage-entrypoint +++ b/comanage-registry-basic-auth/docker-comanage-entrypoint @@ -45,7 +45,6 @@ injectable_config_vars=( COMANAGE_REGISTRY_SECURITY_SEED HTTPS_CERT_FILE HTTPS_PRIVKEY_FILE - HTTPS_CHAIN_FILE ) # If the file associated with a configuration variable is present then @@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" # If defined use configured location of Apache HTTP Server -# HTTPS certificate, key, and CA chain files. +# HTTPS certificate and key files. The certificate file may also +# include intermediate CA certificates, sorted from leaf to root. if [ -n "$HTTPS_CERT_FILE" ]; then rm -f /etc/apache2/cert.pem cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem @@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then chmod 0600 /etc/apache2/privkey.pem fi -if [ -n "$HTTPS_CHAIN_FILE" ]; then - rm -f /etc/apache2/chain.pem - cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem - chown www-data /etc/apache2/chain.pem - chmod 0644 /etc/apache2/chain.pem -fi - # If the basic auth password file does not exist create a simple version to # aid people evaluating the tool. if [ ! -f "/etc/apache2/passwords" ]; then diff --git a/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml b/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml index 5819467..7dd768f 100644 --- a/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml +++ b/comanage-registry-compose/comanage-registry-shibboleth-sp-postgres-compose.yml 
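Review bot: The rewritten comment in the @@ -222 hunk documents that intermediates now belong in HTTPS_CERT_FILE, but nothing in the new code warns when a deployment still sets the removed HTTPS_CHAIN_FILE, so an operator who upgrades with an unchanged compose file serves a leaf-only chain with no diagnostic, and clients that do not fetch missing intermediates themselves will fail validation. Where the block is deleted in the @@ -237 hunk I would keep a guard: `if [ -n "$HTTPS_CHAIN_FILE" ]; then`, `  echo "HTTPS_CHAIN_FILE is no longer supported; append intermediate CA certificates to the HTTPS_CERT_FILE file" >&2`, `fi`. The Apache vhost configuration is not part of this diff; if it still carries an `SSLCertificateChainFile /etc/apache2/chain.pem` directive, httpd will refuse to start now that the Dockerfile no longer creates that symlink, so that should be confirmed before merging. The same applies to the mod-auth-openidc, shibboleth-sp and comanage-registry entrypoints, which carry identical hunks. The HTTPS_CERT_FILE block continues outside the hunk.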
@@ -59,7 +59,6 @@ services: - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file ports: - "80:80" diff --git a/comanage-registry-mod-auth-openidc/Dockerfile.template b/comanage-registry-mod-auth-openidc/Dockerfile.template index 8caba5b..3714d6c 100644 --- a/comanage-registry-mod-auth-openidc/Dockerfile.template +++ b/comanage-registry-mod-auth-openidc/Dockerfile.template @@ -115,7 +115,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ && cd /etc/apache2 \ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \ && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" COPY docker-comanage-entrypoint /usr/local/bin/ diff --git a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint index 636667a..58ba3c8 100755 --- a/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint +++ b/comanage-registry-mod-auth-openidc/docker-comanage-entrypoint @@ -45,7 +45,6 @@ injectable_config_vars=( COMANAGE_REGISTRY_SECURITY_SEED HTTPS_CERT_FILE HTTPS_PRIVKEY_FILE - HTTPS_CHAIN_FILE ) # If the file associated with a configuration variable is present then @@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" # If defined use configured location of Apache HTTP Server -# HTTPS certificate, key, and CA chain files. +# HTTPS certificate and key files. The certificate file may also +# include intermediate CA certificates, sorted from leaf to root. if [ -n "$HTTPS_CERT_FILE" ]; then rm -f /etc/apache2/cert.pem cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem 
@@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then chmod 0600 /etc/apache2/privkey.pem fi -if [ -n "$HTTPS_CHAIN_FILE" ]; then - rm -f /etc/apache2/chain.pem - cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem - chown www-data /etc/apache2/chain.pem - chmod 0644 /etc/apache2/chain.pem -fi - # first arg is `-f` or `--some-option` if [ "${1#-}" != "$1" ]; then set -- apache2-foreground "$@" diff --git a/comanage-registry-shibboleth-sp/Dockerfile.template b/comanage-registry-shibboleth-sp/Dockerfile.template index 0e68db2..07ff404 100644 --- a/comanage-registry-shibboleth-sp/Dockerfile.template +++ b/comanage-registry-shibboleth-sp/Dockerfile.template @@ -219,7 +219,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ && cd /etc/apache2 \ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \ && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" COPY shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml.template diff --git a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint index 636667a..58ba3c8 100755 --- a/comanage-registry-shibboleth-sp/docker-comanage-entrypoint +++ b/comanage-registry-shibboleth-sp/docker-comanage-entrypoint @@ -45,7 +45,6 @@ injectable_config_vars=( COMANAGE_REGISTRY_SECURITY_SEED HTTPS_CERT_FILE HTTPS_PRIVKEY_FILE - HTTPS_CHAIN_FILE ) # If the file associated with a configuration variable is present then 
@@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" # If defined use configured location of Apache HTTP Server -# HTTPS certificate, key, and CA chain files. +# HTTPS certificate and key files. The certificate file may also +# include intermediate CA certificates, sorted from leaf to root. if [ -n "$HTTPS_CERT_FILE" ]; then rm -f /etc/apache2/cert.pem cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem @@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then chmod 0600 /etc/apache2/privkey.pem fi -if [ -n "$HTTPS_CHAIN_FILE" ]; then - rm -f /etc/apache2/chain.pem - cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem - chown www-data /etc/apache2/chain.pem - chmod 0644 /etc/apache2/chain.pem -fi - # first arg is `-f` or `--some-option` if [ "${1#-}" != "$1" ]; then set -- apache2-foreground "$@" diff --git a/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml b/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml index af5dc8d..4696749 100644 --- a/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml +++ b/comanage-registry-stack/comanage-registry-mod-auth-openidc-mariadb-stack.yml @@ -56,7 +56,6 @@ services: - REGISTRY_HOST_FILE=/run/secrets/registry_host - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file - COMANAGE_REGISTRY_ADMIN_GIVEN_NAME=ScottCmpAdmin - COMANAGE_REGISTRY_ADMIN_FAMILY_NAME=Koranda - COMANAGE_REGISTRY_ADMIN_USERNAME=http://cilogon.org/serverA/users/22981 @@ -68,7 +67,6 @@ services: - registry_host - https_cert_file - https_privkey_file - - https_chain_file networks: - default ports: @@ -104,5 +102,3 @@ secrets: external: true https_privkey_file: external: true - https_chain_file: - external: true diff --git a/comanage-registry/Dockerfile.template b/comanage-registry/Dockerfile.template index c1bbd7a..90f9af5 100644 
--- a/comanage-registry/Dockerfile.template +++ b/comanage-registry/Dockerfile.template @@ -76,7 +76,6 @@ RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \ && cd /etc/apache2 \ && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \ && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \ - && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem \ && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" COPY docker-comanage-entrypoint /usr/local/bin/ diff --git a/comanage-registry/docker-comanage-entrypoint b/comanage-registry/docker-comanage-entrypoint index 636667a..58ba3c8 100755 --- a/comanage-registry/docker-comanage-entrypoint +++ b/comanage-registry/docker-comanage-entrypoint @@ -45,7 +45,6 @@ injectable_config_vars=( COMANAGE_REGISTRY_SECURITY_SEED HTTPS_CERT_FILE HTTPS_PRIVKEY_FILE - HTTPS_CHAIN_FILE ) # If the file associated with a configuration variable is present then @@ -222,7 +221,8 @@ popd > "$OUTPUT" 2>&1 chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" # If defined use configured location of Apache HTTP Server -# HTTPS certificate, key, and CA chain files. +# HTTPS certificate and key files. The certificate file may also +# include intermediate CA certificates, sorted from leaf to root. if [ -n "$HTTPS_CERT_FILE" ]; then rm -f /etc/apache2/cert.pem cp "$HTTPS_CERT_FILE" /etc/apache2/cert.pem @@ -237,13 +237,6 @@ if [ -n "$HTTPS_PRIVKEY_FILE" ]; then chmod 0600 /etc/apache2/privkey.pem fi -if [ -n "$HTTPS_CHAIN_FILE" ]; then - rm -f /etc/apache2/chain.pem - cp "$HTTPS_CHAIN_FILE" /etc/apache2/chain.pem - chown www-data /etc/apache2/chain.pem - chmod 0644 /etc/apache2/chain.pem -fi - # first arg is `-f` or `--some-option` if [ "${1#-}" != "$1" ]; then set -- apache2-foreground "$@" diff --git a/docs/advanced-configuration.md b/docs/advanced-configuration.md index b98ab1e..55a66db 100644 --- a/docs/advanced-configuration.md 
+++ b/docs/advanced-configuration.md @@ -147,9 +147,11 @@ an otherwise configured environment variable*. ### COmanage Registry -The certificate, private key, and CA signing file or chain file used for HTTPS may +The certificate and private key files used for HTTPS may be injected into the COmanage Registry container using environment variables -to point to files mounted into the container. +to point to files mounted into the container. The certificate file should +include the server certificate and any intermediate CA signing certificates +sorted from leaf to root. For example: @@ -175,7 +177,6 @@ services: - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file ports: - "80:80" - "443:443" @@ -186,7 +187,6 @@ Alternatively you can directly mount files in the container to ``` /etc/apache2/cert.pem /etc/apache2/privkey.pem -/etc/apache2/chain.pem ``` If no files are configured the containers use "snakeoil" self-signed certificates @@ -222,7 +222,6 @@ services: - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file - SHIBBOLETH_SP_CERT=/run/secrets/shibboleth_sp_cert - SHIBBOLETH_SP_PRIVKEY=/run/secrets/shibboleth_sp_privkey ports: @@ -287,7 +286,6 @@ services: - COMANAGE_REGISTRY_DATABASE_USER_PASSWORD_FILE=/run/secrets/mysql_password - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file ports: - "80:80" - "443:443" diff --git a/docs/shibboleth-sp-postgres-compose.md b/docs/shibboleth-sp-postgres-compose.md index 360d548..0b2bf3e 100644 --- a/docs/shibboleth-sp-postgres-compose.md +++ b/docs/shibboleth-sp-postgres-compose.md 
@@ -121,14 +121,14 @@ cp privkey.pem /docker/run/secrets/slapd_privkey_file cp chain.pem /docker/run/secrets/slapd_chain_file ``` -Put the X.509 certificate, private key, and chain files in place -for Apache HTTP Server for HTTPS (it is likely these are the same as -for slapd): +Put the X.509 certificate and private key files in place +for Apache HTTP Server for HTTPS. The certificate file should +include the server certificate and any intermediate CA signing +certificates sorted from leaf to root: ``` cp cert.pem /docker/run/secrets/https_cert_file cp privkey.pem /docker/run/secrets/https_privkey_file -cp chain.pem /docker/run/secrets/https_chain_file ``` Put the Shibboleth SP SAML certificate and key files in place: @@ -199,7 +199,6 @@ services: - SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE=/run/secrets/shibboleth_sp_metadata_provider_xml - HTTPS_CERT_FILE=/run/secrets/https_cert_file - HTTPS_PRIVKEY_FILE=/run/secrets/https_privkey_file - - HTTPS_CHAIN_FILE=/run/secrets/https_chain_file ports: - "80:80" diff --git a/recipes/production-mod-auth-openidc-mariadb/README.md b/recipes/production-mod-auth-openidc-mariadb/README.md index 102e28d..6c8adb0 100644 --- a/recipes/production-mod-auth-openidc-mariadb/README.md +++ b/recipes/production-mod-auth-openidc-mariadb/README.md @@ -67,8 +67,6 @@ docker secret create https_cert_file my.org.crt docker secret create https_privkey_file my.org.key -docker secret create https_chain_file chain.pem - docker secret create slapd_cert_file my.org.crt docker secret create slapd_privkey_file my.org.key