Add optional config ssl_certificate_file #1291

Merged: 3 commits, merged Mar 22, 2019

@grapenut
Contributor

commented Mar 8, 2019

This adds a new configuration file option called ssl_certificate_file, which should be set to the SSL certificate file. This allows the user to split their private key and certificates into separate files so that they can be easily symlinked back to the master certificate files (e.g. in /etc/). For backwards compatibility you can still concatenate them together and reference the combined file with ssl_private_key_file as before.

For robustness (in case users are confused, etc.), you can use both ssl_certificate_file and ssl_private_key_file interchangeably, e.g. concatenate and put everything in ssl_certificate_file (instead of ssl_private_key_file), or put your key in ssl_certificate_file and your certificate in ssl_private_key_file. Essentially it will try to load both the key and the cert from both files (if the option is set).

I tested exhaustively with multiple different arrangements of key and certificate, either split or concatenated. As long as there is a valid key and a valid certificate present in one or the other (or both), it will find them.

@shawnw
Contributor

commented Mar 15, 2019

Cool. This is something I've thought about but never got around to. It'll make automatically resetting Let's Encrypt certs easier, for example.

Looks like it prints out error messages if it tries and fails to load a key/cert from a file that doesn't have one when you're using separate files for both? I think that if the private key is loaded it shouldn't then try to read it again from the certificate file, and vice versa.

@grapenut
Contributor Author

commented Mar 15, 2019

Updated to only load the certificate and/or key from the ssl_certificate_file if they haven't been loaded already from ssl_private_key_file. Only logs when either certificate or key fails to load from either file.
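The lookup order described in the opening comment and refined in the comment above (key and certificate sought first in ssl_private_key_file, ssl_certificate_file consulted only for whatever is still missing, one log line per item that is missing from both) as an added worked example. This is not PennMUSH code and does not use OpenSSL: it locates PEM armor blocks with regular expressions where the server would hand the file to OpenSSL's PEM readers, so it checks the file-selection logic only, not the validity of the material. The function names, log messages and the placeholder key and certificate bodies are all constructed for this example; the bodies are not real key material and would not parse.

```python
import re
from typing import List, Optional, Tuple

# Constructed placeholder PEM blocks. The base64 bodies are filler, not a real
# key or certificate; only the armor markers matter to this demonstration.
CERT_BLOCK = (
    "-----BEGIN CERTIFICATE-----\n"
    "MIIBszCCAVmgAwIBAgIUPLACEHOLDERCERT000000000000000000wCgYIKoZIzj0E\n"
    "-----END CERTIFICATE-----"
)
KEY_BLOCK = (
    "-----BEGIN EC PRIVATE KEY-----\n"
    "MHcCAQEEIPLACEHOLDERKEY000000000000000000000000000000oAoGCCqGSM49\n"
    "-----END EC PRIVATE KEY-----"
)

_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.S)
# Covers PKCS#8 ("PRIVATE KEY"), PKCS#1 ("RSA PRIVATE KEY"), SEC1 ("EC PRIVATE KEY")
# and encrypted PKCS#8 armor.
_KEY_RE = re.compile(
    r"-----BEGIN (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----.*?"
    r"-----END (?:RSA |EC |ENCRYPTED )?PRIVATE KEY-----", re.S)


def first_block(pem: Optional[str], pattern: re.Pattern) -> Optional[str]:
    """Return the first armored block matching `pattern`, or None if the file
    content is absent (option unset) or contains no such block."""
    if pem is None:
        return None
    m = pattern.search(pem)
    return m.group(0) if m else None


def load_ssl_material(private_key_pem: Optional[str],
                      certificate_pem: Optional[str],
                      log: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Hypothetical model of the merged behaviour.

    Both items are first sought in ssl_private_key_file. ssl_certificate_file,
    if set, is consulted only for an item not already found, so a correctly
    split layout never triggers a failed parse of the other file. A log line is
    emitted only for an item missing from both files.
    """
    key = first_block(private_key_pem, _KEY_RE)
    cert = first_block(private_key_pem, _CERT_RE)
    if certificate_pem is not None:
        if key is None:
            key = first_block(certificate_pem, _KEY_RE)
        if cert is None:
            cert = first_block(certificate_pem, _CERT_RE)
    if key is None:
        log.append("ssl: no private key in ssl_private_key_file or ssl_certificate_file")
    if cert is None:
        log.append("ssl: no certificate in ssl_private_key_file or ssl_certificate_file")
    return key, cert


def load_ssl_files(key_path: Optional[str], cert_path: Optional[str],
                   log: List[str]) -> Tuple[Optional[str], Optional[str]]:
    """Same logic over real paths; an unset or empty option reads as None."""
    def read(path: Optional[str]) -> Optional[str]:
        if not path:
            return None
        with open(path, "r", encoding="utf-8") as fh:
            return fh.read()
    return load_ssl_material(read(key_path), read(cert_path), log)


def arrangements() -> dict:
    """Every layout the PR says must work, plus one that must fail.
    Maps a layout name to (key found, cert found, number of log lines)."""
    combined = KEY_BLOCK + "\n" + CERT_BLOCK + "\n"
    cases = {
        "split": (KEY_BLOCK + "\n", CERT_BLOCK + "\n"),
        "swapped": (CERT_BLOCK + "\n", KEY_BLOCK + "\n"),
        "combined_in_key_file": (combined, None),
        "combined_in_cert_file": ("", combined),
        "cert_only": (CERT_BLOCK + "\n", None),
    }
    results = {}
    for name, (key_pem, cert_pem) in cases.items():
        log: List[str] = []
        key, cert = load_ssl_material(key_pem, cert_pem, log)
        results[name] = (key is not None, cert is not None, len(log))
    return results


if __name__ == "__main__":
    for name, outcome in arrangements().items():
        print(f"{name:24s} key={outcome[0]} cert={outcome[1]} log_lines={outcome[2]}")
```

One practical reason to prefer the split layout over the backwards-compatible combined file: the certificate file can stay world-readable (clients are sent it anyway) while only ssl_private_key_file, or the /etc target it is symlinked to, needs to be restricted to the server's user. With everything concatenated, the single file must be protected as a key, and any tool that wants the certificate alone has to be granted read access to the key as well.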

@shawnw
Contributor

commented Mar 20, 2019

That looks good, thanks. Don't suppose you're up for updating the instructions in README.SSL.md too to have them use separate files?

@grapenut
Contributor Author

commented Mar 20, 2019

I updated the README.SSL.md to reflect the new configuration option (with a note for backwards compatibility). I also added roman numerals to section headers, since section IV was being referenced without being identified. I also put in a small paragraph about Let's Encrypt with links to certbot.

Added a note to help changes in pennv188.hlp.

Added a default file name to the ssl_certificate_file option in mushcnf.dst, in the same style as the default file name in ssl_private_key_file.

@shawnw shawnw merged commit 7327766 into pennmush:master Mar 22, 2019

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed