When you go the route of http://community.aegirproject.org/node/70 to add a Chain cert to your SSL site (if needed), it would more or less look like this

// Implementation of hook_provision_apache_vhost_config(): return extra
// Apache directives for the vhost of the given site URI.
function drupalwiki_provision_apache_vhost_config($uri, $data) {
  switch($uri) {
    case 'somedomain':
      return _drupalwiki_add_ssl_chain($data);
    break;
  }
}

function _drupalwiki_add_ssl_chain($data) {
  // we expect the chain.crt to be in the same folder as the certs
  // get the basepath from the path of the site certificate
  $path = dirname ( $data["ssl_cert"] );
  // emit the Apache directive pointing at the intermediate chain file
  $command = "SSLCertificateChainFile $path/chain.crt";
  return $command;
}

This works perfectly, but the chain.crt is never rsynced to the remote server, so the server fails to start. Even more, if you create the chain.crt over there, it gets removed with the next verification. As it is suggested to work with chain crts according to the notes on http://community.aegirproject.org/node/29, I mark this as a bug rather than a feature request.

Using beta2

Attachments (comment, file, size, author):
  • #6 chaincrt.patch (1.81 KB) by EugenMayer
  • #5 chaincrts.patch (1.32 KB) by EugenMayer

Comments

EugenMayer’s picture

Well, I could not find where the files are actually synced; it's pretty much encapsulated again.

I guess that will be the highest level called from provision-save

/**
 * Sync the current Drupal platform and, if applicable, site. Call after
 * finishing operations that affect the filesystem.
 */
function provision_drupal_sync_site() {
  d()->service('http')->sync(d()->root, array('exclude-sites' => TRUE));
  if (d()->type === 'site') {
    d()->service('http')->sync(d()->site_path, array('no-delete' => TRUE));
  }
}

http/http.ssl.inc::config_date() is one of the methods that generates the data, but I am still not sure who decides what to rsync of all this data or not. I expect this to be hardcoded, but could not find it anywhere. Can someone assist here?

EugenMayer’s picture

There is another issue here, maybe we should cover them both here. When you use that hook to add the chain cert you will end up having this line in the *:80 vhost also, which is pretty bad. I can't see how to only set those extras for SSL / non-SSL only / both.
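As an added example (not code from the Aegir project or from the issue's author) tying the hook from the opening post to the *:80 problem raised here: a variant of the hook that emits SSLCertificateChainFile only for an SSL-enabled vhost, and only when the chain file really exists next to the certificate, so a missing or unsynced chain.crt never produces a directive that stops Apache from starting. It assumes $data carries an 'ssl_enabled' flag alongside the 'ssl_cert' path mentioned above, and uses a temporary directory as a stand-in for the ssl.d/<name>/ folder.

```php
<?php
// Added example, not part of the issue or of Aegir's provision code.
// Assumption: $data['ssl_enabled'] marks the SSL vhost; $data['ssl_cert']
// (mentioned in the issue) holds the path of the site certificate.

function example_ssl_chain_directive(array $data) {
  // The plain *:80 vhost must not receive SSL directives at all.
  if (empty($data['ssl_enabled']) || empty($data['ssl_cert'])) {
    return '';
  }
  $dir   = dirname($data['ssl_cert']);
  $chain = $dir . '/chain.crt';

  // realpath() fails for a missing file (e.g. chain.crt not rsynced yet) and
  // resolves symlinks; insisting the resolved file sits in the certificate's
  // own directory keeps a stray symlink from pointing Apache elsewhere.
  $real = realpath($chain);
  if ($real === FALSE || dirname($real) !== realpath($dir)) {
    return '';
  }
  return "SSLCertificateChainFile $real";
}

// Hypothetical hook implementation (same shape as the one in the issue).
function example_provision_apache_vhost_config($uri, array $data) {
  switch ($uri) {
    case 'somedomain':
      return example_ssl_chain_directive($data);
  }
  return '';
}

// Constructed sample: a temporary directory standing in for ssl.d/<name>/.
$tmp = sys_get_temp_dir() . '/ssl-chain-example-' . getmypid();
mkdir($tmp);
file_put_contents("$tmp/openssl.crt", "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n");
file_put_contents("$tmp/chain.crt",   "-----BEGIN CERTIFICATE-----\n(constructed)\n-----END CERTIFICATE-----\n");

$ssl_vhost   = array('ssl_enabled' => 1, 'ssl_cert' => "$tmp/openssl.crt");
$plain_vhost = array('ssl_enabled' => 0, 'ssl_cert' => "$tmp/openssl.crt");

echo "SSL vhost:   [" . example_provision_apache_vhost_config('somedomain', $ssl_vhost)   . "]\n";
echo "Plain vhost: [" . example_provision_apache_vhost_config('somedomain', $plain_vhost) . "]\n";

// Simulate the chain file not having been synced: no directive is emitted.
unlink("$tmp/chain.crt");
echo "No chain:    [" . example_provision_apache_vhost_config('somedomain', $ssl_vhost)   . "]\n";

// Clean up the constructed sample.
unlink("$tmp/openssl.crt");
rmdir($tmp);
```

Run it with `php example.php`; the first line carries the directive with the resolved chain path, the other two are empty, which is the behaviour you want in the *:80 vhost and on a server where chain.crt has not arrived yet.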

EugenMayer’s picture

Status: Active » Closed (won't fix)

reopen if needed, solved for myself

anarcat’s picture

Title: [SSL] not all files in ssl.d/$name/ are synced - no way to add chain certs » chained certificates support
Category: bug » feature
Status: Closed (won't fix) » Active
Issue tags: +ssl

Reopening this as a feature request.

EugenMayer’s picture

Status: Active » Needs review
FileSize
1.32 KB

patch attached. Not deeply tested yet. Also the name is arguable "openssl_chain.crt". Any input here?

EugenMayer’s picture

FileSize
1.81 KB

rerolled patch. Now added support in the template / changed the hash name to something properly fitting.

acrollet’s picture

Version: » 6.x-1.0

subscribe

Steven Jones’s picture

It would be good to get this in.

Steven Jones’s picture

Thanks for your patch Eugen, I've added it to a new branch and tidied it up a little in:

dev-ssl-chained-1062168

We'll review it from there, this doesn't look like too much of a big change, and I've basically implemented something similar in the last few days, so this approach can definitely work. I will test on my machine too, and we can merge into stable if appropriate.

anarcat’s picture

Status: Needs review » Fixed

Looking good, I merged the branch in 2.x, let's let it sit there for a while...

Status: Fixed » Closed (fixed)

Automatically closed -- issue fixed for 2 weeks with no activity.

nicksanta’s picture

I've just applied this patch and the chained certificates now reappear in the vhost file once the site is verified.

anarcat’s picture

Status: Closed (fixed) » Patch (to be ported)

marking this for release.

anarcat’s picture

Status: Patch (to be ported) » Fixed

merged in 1.x

Status: Fixed » Closed (fixed)
Issue tags: -ssl

Automatically closed -- issue fixed for 2 weeks with no activity.

  • Commit 93e0701 on dev-ssl-chained-1062168, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x by Steven Jones:
    Add patch from #1062168 comment 6.
    
    By EugenMayer: Added chained...
  • Commit 89877cd on 6.x-1.x, dev-drupal-8, dev-ssl-ip-allocation-refactor, dev-1205458-move_sites_out_of_platforms, 7.x-3.x, dev-subdir-multiserver, 6.x-2.x-backports, dev-helmo-3.x authored by Steven Jones, committed by anarcat:
    Add patch from #1062168 comment 6.
    
    By EugenMayer: Added chained...