When you go the route of http://community.aegirproject.org/node/70 to add a chain cert to your SSL site (if needed), it would more or less look like this:

```php
function drupalwiki_provision_apache_vhost_config($uri, $data) {
  // Only add the extra directive for this one site.
  switch ($uri) {
    case 'somedomain':
      return _drupalwiki_add_ssl_chain($data);
  }
}

function _drupalwiki_add_ssl_chain($data) {
  // We expect the chain.crt to be in the same folder as the certs,
  // so take the base path from the site certificate.
  $path = dirname($data["ssl_cert"]);
  // Returned string is written into the generated vhost as-is.
  $command = "SSLCertificateChainFile $path/chain.crt";
  return $command;
}
```
This works perfectly, but the chain.crt is never rsynced to the remote server, so the server fails to start. Even more, if you create the chain.crt over there, it gets removed with the next verification. As it is suggested to work with chain crts according to the notes on http://community.aegirproject.org/node/29, I mark this as a bug rather than a feature request.
Using beta2
Comment | File | Size | Author |
---|---|---|---|
#6 | chaincrt.patch | 1.81 KB | EugenMayer |
#5 | chaincrts.patch | 1.32 KB | EugenMayer |
Comments
Comment #1
EugenMayer commented: Well, I could not find where the files are actually synced; it's pretty much encapsulated again.
I guess that will be the highest level called from provision-save.
http/http.ssl.inc::config_date() is one of the methods generating the data, but I am still not sure who decides what to rsync of all this data or not. I expect this to be hardcoded, but could not find it anywhere. Can someone assist here?
Comment #2
EugenMayer commented: There is another issue here, maybe we should cover them both here. When you use that hook to add the chain cert you will end up having this line in the *:80 vhost also, which is pretty bad. I can't see how to set those extras for SSL only / non-SSL only / both.
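The two problems reported so far in this thread (a `SSLCertificateChainFile` directive pointing at a chain.crt that is absent on the web server, and the same directive landing in the *:80 vhost) can be caught before Apache is reloaded. The Python check below is an added example, not part of the thread or of Aegir's code; the vhost text and its `/example/...` paths are constructed, and `lint_vhosts` is a hypothetical name.

```python
import os
import re

# Constructed sample: the hook's directive ends up in both vhosts of one site.
SAMPLE_VHOST = """\
<VirtualHost *:80>
  ServerName somedomain
  SSLCertificateChainFile /example/ssl/somedomain/chain.crt
</VirtualHost>
<VirtualHost *:443>
  ServerName somedomain
  SSLEngine on
  SSLCertificateFile /example/ssl/somedomain/site.crt
  SSLCertificateChainFile /example/ssl/somedomain/chain.crt
</VirtualHost>
"""

VHOST_OPEN = re.compile(r"<VirtualHost\s+([^>]+)>", re.I)
VHOST_CLOSE = re.compile(r"\s*</VirtualHost>", re.I)
DIRECTIVE = re.compile(r"^\s*(SSLEngine|SSLCertificateChainFile)\s+(\S+)", re.I)

def lint_vhosts(text, exists=os.path.isfile):
    """Return (vhost_address, problem) tuples for chain-file mistakes."""
    findings, addr, ssl_on, chains = [], None, False, []
    for line in text.splitlines():
        opened = VHOST_OPEN.search(line)
        if opened:  # start of a new vhost block: reset per-block state
            addr, ssl_on, chains = opened.group(1).strip(), False, []
            continue
        if addr is not None and VHOST_CLOSE.match(line):
            # Judge the block once it is complete, so directive order is irrelevant.
            for path in chains:
                if not ssl_on:
                    findings.append((addr, "chain directive in non-SSL vhost"))
                if not exists(path):
                    findings.append((addr, "chain file missing: " + path))
            addr = None
            continue
        found = DIRECTIVE.match(line)
        if found and addr is not None:
            if found.group(1).lower() == "sslengine":
                ssl_on = found.group(2).lower() == "on"
            else:
                chains.append(found.group(2).strip('"'))
    return findings

if __name__ == "__main__":
    for address, problem in lint_vhosts(SAMPLE_VHOST):
        print(address, problem)
```

Run it on the web server that will load the vhost, not on the Aegir master, since the reported failure is that the file exists on one host and not the other.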
Comment #3
EugenMayer commented: Reopen if needed, solved for myself.
Comment #4
anarcat commented: Reopening this as a feature request.
Comment #5
EugenMayer commented: Patch attached. Not deeply tested yet. Also the name "openssl_chain.crt" is arguable. Any input here?
Comment #6
EugenMayer commented: Rerolled patch. Now added support in the template / changed the hash name to something properly fitting.
Comment #7
acrollet commented: subscribe
Comment #8
Steven Jones commented: It would be good to get this in.
Comment #9
Steven Jones commented: Thanks for your patch Eugen, I've added it to a new branch and tidied it up a little in:
dev-ssl-chained-1062168
We'll review it from there, this doesn't look like too much of a big change, and I've basically implemented something similar in the last few days, so this approach can definitely work. I will test on my machine too, and we can merge into stable if appropriate.
Comment #10
anarcat commented: Looking good, I merged the branch in 2.x, let's let it sit there for a while...
Comment #12
nicksanta commented: I've just applied this patch and the chained certificates now reappear in the vhost file once the site is verified.
Comment #13
anarcat commented: Marking this for release.
Comment #14
anarcat commented: Merged in 1.x.